import java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz

.java-1.8.0-openjdk.metadata

@@ -1,2 +1,2 @@
-c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
+11e3bf44f3c54d25e2018fc7df16c231daf041c5 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

SOURCES/NEWS

@@ -3,6 +3,369 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 8u352 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u352
+  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
+
+* Security fixes
+  - JDK-8282252: Improve BigInteger/Decimal validation
+  - JDK-8285662: Better permission resolution
+  - JDK-8286511: Improve macro allocation
+  - JDK-8286519: Better memory handling
+  - JDK-8286526, CVE-2022-21619: Improve NTLM support
+  - JDK-8286533, CVE-2022-21626: Key X509 usages
+  - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
+  - JDK-8286918, CVE-2022-21628: Better HttpServer service
+  - JDK-8288508: Enhance ECDSA usage
+* Other changes
+  - JDK-7131823: bug in GIFImageReader
+  - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
+  - JDK-8028265: Add legacy tz tests to OpenJDK
+  - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
+  - JDK-8049228: Improve multithreaded scalability of InetAddress cache
+  - JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+  - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
+  - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
+  - JDK-8136354: [TEST_BUG] Test  java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
+  - JDK-8139668: Generate README-build.html from markdown
+  - JDK-8143847: Remove REF_CLEANER reference category
+  - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl
+  - JDK-8150669: C1 intrinsic for Class.isPrimitive
+  - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
+  - JDK-8173339: AArch64: Fix minimum stack size computations
+  - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+  - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+  - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
+  - JDK-8183107: PKCS11 regression regarding checkKeySize
+  - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
+  - JDK-8194873: right ALT key hotkeys no longer work in Swing components
+  - JDK-8201793: (ref) Reference object should not support cloning
+  - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
+  - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
+  - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
+  - JDK-8235218: Minimal VM is broken after JDK-8173361
+  - JDK-8235385: Crash on aarch64 JDK due to long offset
+  - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
+  - JDK-8254178: Remove .hgignore
+  - JDK-8254318: Remove .hgtags
+  - JDK-8256722: handle VC++:1927 VS2019 in  abstract_vm_version
+  - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
+  - JDK-8280963: Incorrect PrintFlags formatting on Windows
+  - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+  - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+  - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
+  - JDK-8285497: Add system property for Java SE specification maintenance version
+  - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
+  - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
+  - JDK-8287521: Bump update version of OpenJDK: 8u352
+  - JDK-8288763: Pack200 extraction failure with invalid size
+  - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
+  - JDK-8290000: Bump macOS GitHub actions to macOS 11
+  - JDK-8292579: (tz) Update Timezone Data to 2022c
+  - JDK-8292688: Support Security properties in security.testlibrary.Proc
+
+Notes on individual issues:
+===========================
+
+core-libs/java.lang:
+
+JDK-8201793: (ref) Reference object should not support cloning
+==============================================================
+`java.lang.ref.Reference::clone` method always throws
+`CloneNotSupportedException`. `Reference` objects cannot be
+meaningfully cloned. To create a new Reference object, call the
+constructor to create a `Reference` object with the same referent and
+reference queue instead.
+
+JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+===============================================================================================
+`java.lang.ref.Reference.enqueue` method clears the reference object
+before it is added to the registered queue. When the `enqueue` method
+is called, the reference object is cleared and `get()` method will
+return null in OpenJDK 8u352.
+
+Typically when a reference object is enqueued, it is expected that the
+reference object is cleared explicitly via the `clear` method to avoid
+memory leak because its referent is no longer referenced. In other
+words the `get` method is expected not to be called in common cases
+once the `enqueue`method is called. In the case when the `get` method
+from an enqueued reference object and existing code attempts to access
+members of the referent, `NullPointerException` may be thrown. Such
+code will need to be updated.
+
+JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+=========================================================================
+This enhancement changes phantom references to be automatically
+cleared by the garbage collector as soft and weak references.
+
+An object becomes phantom reachable after it has been finalized. This
+change may cause the phantom reachable objects to be GC'ed earlier -
+previously the referent is kept alive until PhantomReference objects
+are GC'ed or cleared by the application. This potential behavioral
+change might only impact existing code that would depend on
+PhantomReference being enqueued rather than when the referent be freed
+from the heap.
+
+security-libs/javax.net.ssl:
+
+JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
+================================================================
+The TLSv1.3 implementation is now enabled by default for client roles
+in 8u352. It has been enabled by default for server roles since 8u272.
+
+Note that TLS 1.3 is not directly compatible with previous
+versions. Enabling it on the client may introduce compatibility issues
+on either the server or the client side. Here are some more details on
+potential compatibility issues that you should be aware of:
+
+* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
+  use a duplex-close policy. For applications that depend on the
+  duplex-close policy, there may be compatibility issues when
+  upgrading to TLS 1.3.
+
+* The signature_algorithms_cert extension requires that pre-defined
+  signature algorithms are used for certificate authentication. In
+  practice, however, an application may use non-supported signature
+  algorithms.
+
+* The DSA signature algorithm is not supported in TLS 1.3. If a server
+  is configured to only use DSA certificates, it cannot upgrade to TLS
+  1.3.
+
+* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
+  and prior versions. If an application hard-codes cipher suites which
+  are no longer supported, it may not be able to use TLS 1.3 without
+  modifying the application code.
+
+* The TLS 1.3 session resumption and key update behaviors are
+  different from TLS 1.2 and prior versions. The compatibility should
+  be minimal, but it could be a risk if an application depends on the
+  handshake details of the TLS protocols.
+
+The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
+system property:
+
+java -Djdk.tls.client.protocols="TLSv1.2" ...
+
+Alternatively, an application can explicitly set the enabled protocols
+with the javax.net.ssl APIs e.g.
+
+sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
+
+or:
+
+SSLParameters params = sslSocket.getSSLParameters();
+params.setProtocols(new String[] {"TLSv1.2"});
+slsSocket.setSSLParameters(params);
+
+New in release OpenJDK 8u345 (2022-08-01):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u345
+  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u345.txt
+
+* Other changes
+  - JDK-8290832: It is no longer possible to change "user.dir" in the JDK8
+  - JDK-8291568: Bump update version of OpenJDK: 8u345
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:
+
+JDK-8290832: It is no longer possible to change "user.dir" in the JDK8
+======================================================================
+A change, JDK-8194154, was introduced in the 8u342 release of OpenJDK
+causing the JDK to ignore attempts to set the `user.dir` property.
+While this change is suitable for a major release (it was originally
+introduced in the initial release of OpenJDK 11), changing the
+behaviour of such a property in an update release creates
+compatibility issues in software that relies on the behaviour in prior
+versions of OpenJDK 8.  As a result, we have reverted this change in
+8u345.
+
+New in release OpenJDK 8u342 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk8u342
+  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt
+
+* Security fixes
+  - JDK-8272243: Improve DER parsing
+  - JDK-8272249: Better properties of loaded Properties
+  - JDK-8277608: Address IP Addressing
+  - JDK-8281859, CVE-2022-21540: Improve class compilation
+  - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+  - JDK-8283190: Improve MIDI processing
+  - JDK-8284370: Improve zlib usage
+  - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+  - JDK-8031567: Better model for storing source revision information
+  - JDK-8076190: Customizing the generation of a PKCS12 keystore
+  - JDK-8129572: Cleanup usage of getResourceAsStream in jaxp
+  - JDK-8132256: jaxp: Investigate removal of com/sun/org/apache/bcel/internal/util/ClassPath.java
+  - JDK-8168926: C2: Bytecode escape analyzer crashes due to stack overflow
+  - JDK-8170385: JDK-8031567 broke source bundles
+  - JDK-8170392: JDK-8031567 broke builds from source bundles
+  - JDK-8170530: bash configure output contains a typo in a suggested library name
+  - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
+  - JDK-8194154: System property user.dir should not be changed
+  - JDK-8202142: jfr/event/io/TestInstrumentation is unstable
+  - JDK-8209771: jdk.test.lib.Utils::runAndCheckException error
+  - JDK-8221988: add possibility to build with Visual Studio 2019
+  - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+  - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+  - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
+  - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
+  - JDK-8248876: LoadObject with bad base address created for exec file on linux
+  - JDK-8253424: Add support for running pre-submit testing using GitHub Actions
+  - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
+  - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
+  - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
+  - JDK-8254175: Build no-pch configuration in debug mode for submit checks
+  - JDK-8254282: Add Linux x86_32 builds to submit workflow
+  - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
+  - JDK-8255305: Add Linux x86_32 tier1 to submit workflow
+  - JDK-8255352: Archive important test outputs in submit workflow
+  - JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
+  - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
+  - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
+  - JDK-8256277: Github Action build on macOS should define OS and Xcode versions
+  - JDK-8256354: Github Action build on Windows should define OS and MSVC versions
+  - JDK-8256393: Github Actions build on Linux should define OS and GCC versions
+  - JDK-8256414: add optimized build to submit workflow
+  - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
+  - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
+  - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
+  - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
+  - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
+  - JDK-8263667: Avoid running GitHub actions on branches named pr/*
+  - JDK-8266187: Memory leak in appendBootClassPath()
+  - JDK-8274658: ISO 4217 Amendment 170 Update
+  - JDK-8274751: Drag And Drop hangs on Windows
+  - JDK-8278138: OpenJDK8 fails to start on Windows 8.1 after upgrading compiler to VS2017
+  - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
+  - JDK-8281814: Debuginfo.diz contains redundant build path after backport JDK-8025936
+  - JDK-8282225: GHA: Allow one concurrent run per PR only
+  - JDK-8282458: Update .jcheck/conf file for 8u move to git
+  - JDK-8282552: Bump update version of OpenJDK: 8u342
+  - JDK-8283350: (tz) Update Timezone Data to 2022a
+  - JDK-8284620: CodeBuffer may leak _overflow_arena
+  - JDK-8284772: 8u GHA: Use GCC Major Version Dependencies Only
+  - JDK-8285445: cannot open file "NUL:"
+  - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+  - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+  - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+  - JDK-8286989: Build failure on macOS after 8281814
+  - JDK-8287537: 8u JDK-8284620 backport broke AArch64 build
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+core-libs/java.io:
+
+JDK-8285660: Enable Windows Alternate Data Streams by default
+=============================================================
+The Windows implementation of `java.io.File` has been changed so that
+strict validity checks are **not** performed by default on file
+paths. This includes allowing colons (':') in the path other than only
+immediately after a single drive letter. It also allows paths that
+represent NTFS Alternate Data Streams (ADS), such as
+"filename:streamname". This restores the default behavior of
+`java.io.File` to what it was prior to the April 2022 CPU in which
+strict validity checks were not performed by default on file paths on
+Windows. To re-enable strict path checking in `java.io.File`, the
+system property `jdk.io.File.enableADS` should be set to `false` (case
+ignored). This might be preferable, for example, if Windows special
+device paths such as `NUL:` are *not* used.
+
+New in release OpenJDK 8u332 (2022-04-22):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u332
+  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
+
+* Security fixes
+  - JDK-8269938: Enhance XML processing passes redux
+  - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+  - JDK-8272255: Completely handle MIDI files
+  - JDK-8272261: Improve JFR recording file processing
+  - JDK-8272594: Better record of recordings
+  - JDK-8274221: More definite BER encodings
+  - JDK-8275151, CVE-2022-21443: Improved Object Identification
+  - JDK-8277227: Better identification of OIDs
+  - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+  - JDK-8278008, CVE-2022-21476: Improve Santuario processing
+  - JDK-8278356: Improve file creation
+  - JDK-8278449: Improve keychain support
+  - JDK-8278805: Enhance BMP image loading
+  - JDK-8278972, CVE-2022-21496: Improve URL supports
+  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
+* Other changes
+  - JDK-8033980: Xerces Update: datatype XMLGregorianCalendarImpl and DurationImpl
+  - JDK-8035437: Xerces Update: xml/serialize/DOMSerializerImpl
+  - JDK-8035577: Xerces Update: impl/xpath/regex/RangeToken.java
+  - JDK-8037259: xerces update: xpointer update
+  - JDK-8041523: Xerces Update: Serializer improvements from Xalan
+  - JDK-8141508: java.lang.invoke.LambdaConversionException: Invalid receiver type
+  - JDK-8162572: Update License Header for all JAXP sources
+  - JDK-8167014: jdeps: Missing message: warn.skipped.entry
+  - JDK-8198411: [TEST_BUG] Two java2d tests are unstable in mach5
+  - JDK-8202822: Add .git to .hgignore
+  - JDK-8205540: test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 <cont> commands
+  - JDK-8209178: Proxied HttpsURLConnection doesn't send BODY when retrying POST request
+  - JDK-8210283: Support git as an SCM alternative in the build
+  - JDK-8218682: [TEST_BUG] DashOffset fails in mach5
+  - JDK-8225690: Multiple AttachListener threads can be created
+  - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
+  - JDK-8227815: Minimal VM: set_state is not a member of AttachListener
+  - JDK-8240633: Memory leaks in the implementations of FileChooserUI
+  - JDK-8241768: git needs .gitattributes
+  - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn
+  - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens
+  - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node
+  - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
+  - JDK-8270290: NTLM authentication fails if HEAD request is used
+  - JDK-8273229: Update OS detection code to recognize Windows Server 2022
+  - JDK-8273341: Update Siphash to version 1.0
+  - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
+  - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
+  - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
+  - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
+  - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
+  - JDK-8280060: The sun/rmi/server/Activation.java class use Thread.dumpStack()
+  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
+  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+  - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
+  - JDK-8284936: Fix Java 7 bootstrap breakage due to use of Arrays.stream
+* Shenandoah
+  - JDK-8260632: Build failures after JDK-8253353
+  - JDK-8282458: Update .jcheck/conf file for sh-jdk8u move to git
+
 New in release OpenJDK 8u322 (2022-01-18):
 ===========================================
 Live versions of these release notes can be found at:

SOURCES/TestSecurityProperties.java

@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+                             enable the crypto policies.
+   Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
 import java.io.File;
 import java.io.FileInputStream;
 import java.security.Security;
@@ -9,35 +26,59 @@ public class TestSecurityProperties {
     // JDK 8
     private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
 
+    private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+    private static final String MSG_PREFIX = "DEBUG: ";
+
     public static void main(String[] args) {
+        if (args.length == 0) {
+            System.err.println("TestSecurityProperties <true|false>");
+            System.err.println("Invoke with 'true' if system security properties should be enabled.");
+            System.err.println("Invoke with 'false' if system security properties should be disabled.");
+            System.exit(1);
+        }
+        boolean enabled = Boolean.valueOf(args[0]);
+        System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
         Properties jdkProps = new Properties();
         loadProperties(jdkProps);
+        if (enabled) {
+            loadPolicy(jdkProps);
+        }
         for (Object key: jdkProps.keySet()) {
             String sKey = (String)key;
             String securityVal = Security.getProperty(sKey);
             String jdkSecVal = jdkProps.getProperty(sKey);
             if (!securityVal.equals(jdkSecVal)) {
-                String msg = "Expected value '" + jdkSecVal + "' for key '" + 
+                String msg = "Expected value '" + jdkSecVal + "' for key '" +
                              sKey + "'" + " but got value '" + securityVal + "'";
                 throw new RuntimeException("Test failed! " + msg);
             } else {
-                System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+                System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
             }
         }
         System.out.println("TestSecurityProperties PASSED!");
     }
-    
+
     private static void loadProperties(Properties props) {
         String javaVersion = System.getProperty("java.version");
-        System.out.println("Debug: Java version is " + javaVersion);
+        System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
         String propsFile = JDK_PROPS_FILE_JDK_11;
         if (javaVersion.startsWith("1.8.0")) {
             propsFile = JDK_PROPS_FILE_JDK_8;
         }
-        try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+        try (FileInputStream fin = new FileInputStream(propsFile)) {
             props.load(fin);
         } catch (Exception e) {
             throw new RuntimeException("Test failed!", e);
         }
     }
+
+    private static void loadPolicy(Properties props) {
+        try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
+        }
+    }
+
 }

SOURCES/TestTranslations.java

@@ -0,0 +1,140 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+   Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.text.DateFormatSymbols;
+
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.TimeZone;
+
+public class TestTranslations {
+
+    private static Map<Locale,String[]> KYIV;
+
+    static {
+        Map<Locale,String[]> map = new HashMap<Locale,String[]>();
+        map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
+                                          "Eastern European Summer Time", "GMT+03:00", "EEST",
+                                          "Eastern European Time", "GMT+02:00", "EET"});
+        map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
+                                              "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
+                                              "Heure d'Europe de l'Est", "UTC+02:00", "EET"});
+        map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
+                                               "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+                                               "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+        KYIV = Collections.unmodifiableMap(map);
+    }
+
+
+    public static void main(String[] args) {
+        if (args.length < 1) {
+            System.err.println("Test must be started with the name of the locale provider.");
+            System.exit(1);
+        }
+
+        String localeProvider = args[0];
+        System.out.println("Checking sanity of full zone string set...");
+        boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+            .peek(l -> System.out.println("Locale: " + l))
+            .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+            .flatMap(zs -> Arrays.stream(zs))
+            .flatMap(names -> Arrays.stream(names))
+            .filter(name -> Objects.isNull(name) || name.isEmpty())
+            .findAny()
+            .isPresent();
+        if (invalid) {
+            System.err.println("Zone string for a locale returned null or empty string");
+            System.exit(2);
+        }
+
+        for (Locale l : KYIV.keySet()) {
+            String[] expected = KYIV.get(l);
+            for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) {
+                String expectedShortStd = null;
+                String expectedShortDST = null;
+                String expectedShortGen = null;
+
+                System.out.printf("Checking locale %s for %s...\n", l, id);
+
+                if ("JRE".equals(localeProvider)) {
+                    expectedShortStd = expected[2];
+                    expectedShortDST = expected[5];
+                    expectedShortGen = expected[8];
+                } else if ("CLDR".equals(localeProvider)) {
+                    expectedShortStd = expected[1];
+                    expectedShortDST = expected[4];
+                    expectedShortGen = expected[7];
+                } else {
+                    System.err.printf("Invalid locale provider %s\n", localeProvider);
+                    System.exit(3);
+                }
+                System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+                                  localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+                String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+                String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+                String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+                String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+                String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+                String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+                if (!expected[0].equals(longStd)) {
+                    System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+                                      id, l, longStd, expected[0]);
+                    System.exit(4);
+                }
+
+                if (!expectedShortStd.equals(shortStd)) {
+                    System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+                                      id, l, shortStd, expectedShortStd);
+                    System.exit(5);
+                }
+
+                if (!expected[3].equals(longDST)) {
+                    System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+                                      id, l, longDST, expected[3]);
+                    System.exit(6);
+                }
+
+                if (!expectedShortDST.equals(shortDST)) {
+                    System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+                                      id, l, shortDST, expectedShortDST);
+                    System.exit(7);
+                }
+
+                if (!expected[6].equals(longGen)) {
+                    System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
+                                      id, l, longGen, expected[6]);
+                    System.exit(8);
+                }
+
+                if (!expectedShortGen.equals(shortGen)) {
+                    System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+                                      id, l, shortGen, expectedShortGen);
+                    System.exit(9);
+                }
+            }
+        }
+    }
+}

SOURCES/jdk8279077-missing_crash_protector_ppc.patch

@@ -1,23 +0,0 @@
-# HG changeset patch
-# User zgu
-# Date 1641313782 0
-#      Tue Jan 04 16:29:42 2022 +0000
-# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409
-# Parent  3177fc2314df6deb4d4771148f27934a597dd1d7
-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
-Reviewed-by: phh
-
-diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
---- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
-+++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
-@@ -176,6 +176,10 @@
- 
-   Thread* t = ThreadLocalStorage::get_thread_slow();
- 
-+  // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away
-+  // (no destructors can be run)
-+  os::ThreadCrashProtection::check_crash_protection(sig, t);
-+
-   SignalHandlerMark shm(t);
- 
-   // Note: it's not uncommon that JNI code uses signal/sigset to install

SOURCES/jdk8294357-tzdata2022d.patch

@@ -0,0 +1,506 @@
+commit 8589b1229cffb9a0ab00baf62ce2d4376d31b055
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Fri Oct 14 22:55:39 2022 +0100
+
+    Backport f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b
+
+diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/jdk/make/data/tzdata/VERSION
++++ b/jdk/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
+index 6cb6d2c57cf..1dc7d34f88e 100644
+--- a/jdk/make/data/tzdata/asia
++++ b/jdk/make/data/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+ 
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+ 
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards.  Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
+ Rule EgyptAsia	1957	1958	-	Oct	 1	0:00	0	-
+@@ -3448,14 +3456,16 @@ Rule Palestine	2013	only	-	Sep	27	0:00	0	-
+ Rule Palestine	2014	only	-	Oct	24	0:00	0	-
+ Rule Palestine	2015	only	-	Mar	28	0:00	1:00	S
+ Rule Palestine	2015	only	-	Oct	23	1:00	0	-
+-Rule Palestine	2016	2018	-	Mar	Sat>=24	1:00	1:00	S
+-Rule Palestine	2016	2018	-	Oct	Sat>=24	1:00	0	-
++Rule Palestine	2016	2018	-	Mar	Sat<=30	1:00	1:00	S
++Rule Palestine	2016	2018	-	Oct	Sat<=30	1:00	0	-
+ Rule Palestine	2019	only	-	Mar	29	0:00	1:00	S
+-Rule Palestine	2019	only	-	Oct	Sat>=24	0:00	0	-
+-Rule Palestine	2020	2021	-	Mar	Sat>=24	0:00	1:00	S
++Rule Palestine	2019	only	-	Oct	Sat<=30	0:00	0	-
++Rule Palestine	2020	2021	-	Mar	Sat<=30	0:00	1:00	S
+ Rule Palestine	2020	only	-	Oct	24	1:00	0	-
+-Rule Palestine	2021	max	-	Oct	Fri>=23	1:00	0	-
+-Rule Palestine	2022	max	-	Mar	Sun>=25	0:00	1:00	S
++Rule Palestine	2021	only	-	Oct	29	1:00	0	-
++Rule Palestine	2022	only	-	Mar	27	0:00	1:00	S
++Rule Palestine	2022	max	-	Oct	Sat<=30	2:00	0	-
++Rule Palestine	2023	max	-	Mar	Sat<=30	2:00	1:00	S
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Gaza	2:17:52	-	LMT	1900 Oct
+diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/jdk/make/data/tzdata/backward
++++ b/jdk/make/data/tzdata/backward
+@@ -113,6 +113,8 @@ Link	Etc/UTC			Etc/UCT
+ Link	Europe/London		Europe/Belfast
+ Link	Europe/Kyiv		Europe/Kiev
+ Link	Europe/Chisinau		Europe/Tiraspol
++Link	Europe/Kyiv		Europe/Uzhgorod
++Link	Europe/Kyiv		Europe/Zaporozhye
+ Link	Europe/London		GB
+ Link	Europe/London		GB-Eire
+ Link	Etc/GMT			GMT+0
+diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
+index f7eb7a387aa..9e0a538f86d 100644
+--- a/jdk/make/data/tzdata/europe
++++ b/jdk/make/data/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol	 2:16:24 -	LMT	1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 			 2:00	EU	EE%sT	2014 Mar 30  2:00
+ 			 4:00	-	MSK	2014 Oct 26  2:00s
+ 			 3:00	-	MSK
+@@ -3774,8 +3778,8 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+ 
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+ 
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital.  Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-# This represents most of Ukraine.  See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv	2:02:04 -	LMT	1880
+ 			2:02:04	-	KMT	1924 May  2 # Kyiv Mean Time
+ 			2:00	-	EET	1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv	2:02:04 -	LMT	1880
+ 			2:00	1:00	EEST	1991 Sep 29  3:00
+ 			2:00	C-Eur	EE%sT	1996 May 13
+ 			2:00	EU	EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod	1:29:12 -	LMT	1890 Oct
+-			1:00	-	CET	1940
+-			1:00	C-Eur	CE%sT	1944 Oct
+-			1:00	1:00	CEST	1944 Oct 26
+-			1:00	-	CET	1945 Jun 29
+-			3:00	Russia	MSK/MSD	1990
+-			3:00	-	MSK	1990 Jul  1  2:00
+-			1:00	-	CET	1991 Mar 31  3:00
+-			2:00	-	EET	1992 Mar 20
+-			2:00	C-Eur	EE%sT	1996 May 13
+-			2:00	EU	EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English.  Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye	2:20:40 -	LMT	1880
+-			2:20	-	+0220	1924 May  2
+-			2:00	-	EET	1930 Jun 21
+-			3:00	-	MSK	1941 Aug 25
+-			1:00	C-Eur	CE%sT	1943 Oct 25
+-			3:00	Russia	MSK/MSD	1991 Mar 31  2:00
+-			2:00	E-Eur	EE%sT	1992 Mar 20
+-			2:00	C-Eur	EE%sT	1996 May 13
+-			2:00	EU	EE%sT
+ 
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/jdk/make/data/tzdata/southamerica
++++ b/jdk/make/data/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco	-4:31:12 -	LMT	1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"...  This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+ 
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule	Chile	1927	1931	-	Sep	 1	0:00	1:00	-
+diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/jdk/make/data/tzdata/zone.tab
++++ b/jdk/make/data/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV	-0831+17913	Pacific/Funafuti
+ TW	+2503+12130	Asia/Taipei
+ TZ	-0648+03917	Africa/Dar_es_Salaam
+ UA	+5026+03031	Europe/Kyiv	Ukraine (most areas)
+-UA	+4837+02218	Europe/Uzhgorod	Transcarpathia
+-UA	+4750+03510	Europe/Zaporozhye	Zaporozhye and east Lugansk
+ UG	+0019+03225	Africa/Kampala
+ UM	+2813-17722	Pacific/Midway	Midway Islands
+ UM	+1917+16637	Pacific/Wake	Wake Island
+diff --git a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 43bddd5859a..4b84cda3067 100644
+--- a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -573,12 +573,8 @@ public final class ZoneInfoFile {
+                     // we can then pass in the dom = -1, dow > 0 into ZoneInfo
+                     //
+                     // hacking, assume the >=24 is the result of ZRB optimization for
+-                    // "last", it works for now. From tzdata2020d this hacking
+-                    // will not work for Asia/Gaza and Asia/Hebron which follow
+-                    // Palestine DST rules.
+-                    if (dom < 0 || dom >= 24 &&
+-                                   !(zoneId.equals("Asia/Gaza") ||
+-                                     zoneId.equals("Asia/Hebron"))) {
++                    // "last", it works for now.
++                    if (dom < 0 || dom >= 24) {
+                         params[1] = -1;
+                         params[2] = toCalendarDOW[dow];
+                     } else {
+@@ -600,7 +596,6 @@ public final class ZoneInfoFile {
+                     params[7] = 0;
+                 } else {
+                     // hacking: see comment above
+-                    // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
+                     if (dom < 0 || dom >= 24) {
+                         params[6] = -1;
+                         params[7] = toCalendarDOW[dow];
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+index c32bee39fba..71470168456 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
+index a5e6428a3f5..e3ce742f887 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
+@@ -183,6 +183,8 @@ Link	Etc/UTC			Etc/UCT
+ Link	Europe/London		Europe/Belfast
+ Link	Europe/Kyiv		Europe/Kiev
+ Link	Europe/Chisinau		Europe/Tiraspol
++Link	Europe/Kyiv		Europe/Uzhgorod
++Link	Europe/Kyiv		Europe/Zaporozhye
+ Link	Europe/London		GB
+ Link	Europe/London		GB-Eire
+ Link	Etc/GMT			GMT+0
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+index fc148537f1f..b3823958ae4 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -163,11 +163,9 @@ Europe/Simferopol MSK
+ Europe/Sofia EET EEST
+ Europe/Tallinn EET EEST
+ Europe/Tirane CET CEST
+-Europe/Uzhgorod EET EEST
+ Europe/Vienna CET CEST
+ Europe/Vilnius EET EEST
+ Europe/Warsaw CET CEST
+-Europe/Zaporozhye EET EEST
+ Europe/Zurich CET CEST
+ HST HST
+ MET MET MEST
+diff --git a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
+index 3aad69f8118..c682531d4bd 100644
+--- a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
++++ b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
+@@ -173,10 +173,19 @@ public class TestZoneInfo310 {
+              * Temporary ignoring the failing TimeZones which are having zone
+              * rules defined till year 2037 and/or above and have negative DST
+              * save time in IANA tzdata. This bug is tracked via JDK-8223388.
++             *
++             * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
++             * to be the last year. Thus javazic's rule is based on year 2037
++             * (Mar 20th/Sep 20th are the cutover dates), while the real rule
++             * has year 2087 where Mar 21st/Sep 21st are the cutover dates.
+              */
+-            if (zid.equals("Africa/Casablanca") || zid.equals("Africa/El_Aaiun")
+-                || zid.equals("Asia/Tehran") || zid.equals("Iran")) {
+-                continue;
++            if (zid.equals("Africa/Casablanca") || // uses "Morocco" rule
++                zid.equals("Africa/El_Aaiun") || // uses "Morocco" rule
++                zid.equals("Asia/Tehran") || // last rule mismatch
++                zid.equals("Asia/Gaza") || // uses "Palestine" rule
++                zid.equals("Asia/Hebron") || // uses "Palestine" rule
++                zid.equals("Iran")) { // last rule mismatch
++                    continue;
+             }
+             if (! zi.equalsTo(ziOLD)) {
+                 System.out.println(zi.diffsTo(ziOLD));
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
+index 6cb6d2c57cf..1dc7d34f88e 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+ 
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+ 
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards.  Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
+ Rule EgyptAsia	1957	1958	-	Oct	 1	0:00	0	-
+@@ -3448,14 +3456,16 @@ Rule Palestine	2013	only	-	Sep	27	0:00	0	-
+ Rule Palestine	2014	only	-	Oct	24	0:00	0	-
+ Rule Palestine	2015	only	-	Mar	28	0:00	1:00	S
+ Rule Palestine	2015	only	-	Oct	23	1:00	0	-
+-Rule Palestine	2016	2018	-	Mar	Sat>=24	1:00	1:00	S
+-Rule Palestine	2016	2018	-	Oct	Sat>=24	1:00	0	-
++Rule Palestine	2016	2018	-	Mar	Sat<=30	1:00	1:00	S
++Rule Palestine	2016	2018	-	Oct	Sat<=30	1:00	0	-
+ Rule Palestine	2019	only	-	Mar	29	0:00	1:00	S
+-Rule Palestine	2019	only	-	Oct	Sat>=24	0:00	0	-
+-Rule Palestine	2020	2021	-	Mar	Sat>=24	0:00	1:00	S
++Rule Palestine	2019	only	-	Oct	Sat<=30	0:00	0	-
++Rule Palestine	2020	2021	-	Mar	Sat<=30	0:00	1:00	S
+ Rule Palestine	2020	only	-	Oct	24	1:00	0	-
+-Rule Palestine	2021	max	-	Oct	Fri>=23	1:00	0	-
+-Rule Palestine	2022	max	-	Mar	Sun>=25	0:00	1:00	S
++Rule Palestine	2021	only	-	Oct	29	1:00	0	-
++Rule Palestine	2022	only	-	Mar	27	0:00	1:00	S
++Rule Palestine	2022	max	-	Oct	Sat<=30	2:00	0	-
++Rule Palestine	2023	max	-	Mar	Sat<=30	2:00	1:00	S
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Gaza	2:17:52	-	LMT	1900 Oct
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/backward
++++ b/jdk/test/sun/util/calendar/zi/tzdata/backward
+@@ -113,6 +113,8 @@ Link	Etc/UTC			Etc/UCT
+ Link	Europe/London		Europe/Belfast
+ Link	Europe/Kyiv		Europe/Kiev
+ Link	Europe/Chisinau		Europe/Tiraspol
++Link	Europe/Kyiv		Europe/Uzhgorod
++Link	Europe/Kyiv		Europe/Zaporozhye
+ Link	Europe/London		GB
+ Link	Europe/London		GB-Eire
+ Link	Etc/GMT			GMT+0
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
+index f7eb7a387aa..9e0a538f86d 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol	 2:16:24 -	LMT	1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 			 2:00	EU	EE%sT	2014 Mar 30  2:00
+ 			 4:00	-	MSK	2014 Oct 26  2:00s
+ 			 3:00	-	MSK
+@@ -3774,8 +3778,8 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+ 
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+ 
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital.  Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-# This represents most of Ukraine.  See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv	2:02:04 -	LMT	1880
+ 			2:02:04	-	KMT	1924 May  2 # Kyiv Mean Time
+ 			2:00	-	EET	1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv	2:02:04 -	LMT	1880
+ 			2:00	1:00	EEST	1991 Sep 29  3:00
+ 			2:00	C-Eur	EE%sT	1996 May 13
+ 			2:00	EU	EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod	1:29:12 -	LMT	1890 Oct
+-			1:00	-	CET	1940
+-			1:00	C-Eur	CE%sT	1944 Oct
+-			1:00	1:00	CEST	1944 Oct 26
+-			1:00	-	CET	1945 Jun 29
+-			3:00	Russia	MSK/MSD	1990
+-			3:00	-	MSK	1990 Jul  1  2:00
+-			1:00	-	CET	1991 Mar 31  3:00
+-			2:00	-	EET	1992 Mar 20
+-			2:00	C-Eur	EE%sT	1996 May 13
+-			2:00	EU	EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English.  Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye	2:20:40 -	LMT	1880
+-			2:20	-	+0220	1924 May  2
+-			2:00	-	EET	1930 Jun 21
+-			3:00	-	MSK	1941 Aug 25
+-			1:00	C-Eur	CE%sT	1943 Oct 25
+-			3:00	Russia	MSK/MSD	1991 Mar 31  2:00
+-			2:00	E-Eur	EE%sT	1992 Mar 20
+-			2:00	C-Eur	EE%sT	1996 May 13
+-			2:00	EU	EE%sT
+ 
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica
++++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco	-4:31:12 -	LMT	1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"...  This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+ 
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule	Chile	1927	1931	-	Sep	 1	0:00	1:00	-
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
++++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV	-0831+17913	Pacific/Funafuti
+ TW	+2503+12130	Asia/Taipei
+ TZ	-0648+03917	Africa/Dar_es_Salaam
+ UA	+5026+03031	Europe/Kyiv	Ukraine (most areas)
+-UA	+4837+02218	Europe/Uzhgorod	Transcarpathia
+-UA	+4750+03510	Europe/Zaporozhye	Zaporozhye and east Lugansk
+ UG	+0019+03225	Africa/Kampala
+ UM	+2813-17722	Pacific/Midway	Midway Islands
+ UM	+1917+16637	Pacific/Wake	Wake Island

SOURCES/jdk8295173-tzdata2022e.patch

@@ -0,0 +1,813 @@
+commit 44ea8322b2f62e3d8139a78923e3bf017e535989
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Sun Oct 16 03:02:37 2022 +0100
+
+    Backport 21407dec0156301871a83328615e4d975c4287c4
+
+diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/jdk/make/data/tzdata/VERSION
++++ b/jdk/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
+index 1dc7d34f88e..f1771e42a71 100644
+--- a/jdk/make/data/tzdata/asia
++++ b/jdk/make/data/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+ 
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule	Jordan	1973	only	-	Jun	6	0:00	1:00	S
+ Rule	Jordan	1973	1975	-	Oct	1	0:00	0	-
+@@ -2285,11 +2296,12 @@ Rule	Jordan	2005	only	-	Sep	lastFri	0:00s	0	-
+ Rule	Jordan	2006	2011	-	Oct	lastFri	0:00s	0	-
+ Rule	Jordan	2013	only	-	Dec	20	0:00	0	-
+ Rule	Jordan	2014	2021	-	Mar	lastThu	24:00	1:00	S
+-Rule	Jordan	2014	max	-	Oct	lastFri	0:00s	0	-
+-Rule	Jordan	2022	max	-	Feb	lastThu	24:00	1:00	S
++Rule	Jordan	2014	2022	-	Oct	lastFri	0:00s	0	-
++Rule	Jordan	2022	only	-	Feb	lastThu	24:00	1:00	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Amman	2:23:44 -	LMT	1931
+-			2:00	Jordan	EE%sT
++			2:00	Jordan	EE%sT	2022 Oct 28 0:00s
++			3:00	-	+03
+ 
+ 
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+ 
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+ 
+ Rule	Syria	2008	only	-	Apr	Fri>=1	0:00	1:00	S
+ Rule	Syria	2008	only	-	Nov	1	0:00	0	-
+ Rule	Syria	2009	only	-	Mar	lastFri	0:00	1:00	S
+ Rule	Syria	2010	2011	-	Apr	Fri>=1	0:00	1:00	S
+-Rule	Syria	2012	max	-	Mar	lastFri	0:00	1:00	S
+-Rule	Syria	2009	max	-	Oct	lastFri	0:00	0	-
++Rule	Syria	2012	2022	-	Mar	lastFri	0:00	1:00	S
++Rule	Syria	2009	2022	-	Oct	lastFri	0:00	0	-
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Damascus	2:25:12 -	LMT	1920 # Dimashq
+-			2:00	Syria	EE%sT
++			2:00	Syria	EE%sT	2022 Oct 28 0:00
++			3:00	-	+03
+ 
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
+index 9e0a538f86d..930cede4cf4 100644
+--- a/jdk/make/data/tzdata/europe
++++ b/jdk/make/data/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone	Europe/Madrid	-0:14:44 -	LMT	1901 Jan  1  0:00u
+ 			 0:00	Spain	WE%sT	1940 Mar 16 23:00
+ 			 1:00	Spain	CE%sT	1979
+ 			 1:00	EU	CE%sT
+-Zone	Africa/Ceuta	-0:21:16 -	LMT	1900 Dec 31 23:38:44
++Zone	Africa/Ceuta	-0:21:16 -	LMT	1901 Jan  1  0:00u
+ 			 0:00	-	WET	1918 May  6 23:00
+ 			 0:00	1:00	WEST	1918 Oct  7 23:00
+ 			 0:00	-	WET	1924
+diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/jdk/make/data/tzdata/northamerica
++++ b/jdk/make/data/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule	Chicago	1922	1966	-	Apr	lastSun	2:00	1:00	D
+ Rule	Chicago	1922	1954	-	Sep	lastSun	2:00	0	S
+ Rule	Chicago	1955	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 12:09:24
++Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1920
+ 			-6:00	Chicago	C%sT	1936 Mar  1  2:00
+ 			-5:00	-	EST	1936 Nov 15  2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 12:09:24
+ 			-6:00	Chicago	C%sT	1967
+ 			-6:00	US	C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1992 Oct 25  2:00
+ 			-6:00	US	C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	2003 Oct 26  2:00
+ 			-6:00	US	C%sT
+ 
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
+ # largest city in Mercer County).  Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+ 
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	2010 Nov  7  2:00
+ 			-6:00	US	C%sT
+ 
+@@ -530,7 +530,7 @@ Rule	Denver	1921	only	-	May	22	2:00	0	S
+ Rule	Denver	1965	1966	-	Apr	lastSun	2:00	1:00	D
+ Rule	Denver	1965	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
++Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1920
+ 			-7:00	Denver	M%sT	1942
+ 			-7:00	US	M%sT	1946
+@@ -583,7 +583,7 @@ Rule	CA	1950	1966	-	Apr	lastSun	1:00	1:00	D
+ Rule	CA	1950	1961	-	Sep	lastSun	2:00	0	S
+ Rule	CA	1962	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 20:00u
+ 			-8:00	US	P%sT	1946
+ 			-8:00	CA	P%sT	1967
+ 			-8:00	US	P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu	-10:31:26 -	LMT	1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Phoenix	-7:28:18 -	LMT	1883 Nov 18 11:31:42
++Zone America/Phoenix	-7:28:18 -	LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1944 Jan  1  0:01
+ 			-7:00	-	MST	1944 Apr  1  0:01
+ 			-7:00	US	M%sT	1944 Oct  1  0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 12:15:11
++Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 20:00u
+ 			-8:00	US	P%sT	1923 May 13  2:00
+ 			-7:00	US	M%sT	1974
+ 			-7:00	-	MST	1974 Feb  3  2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941	only	-	Jun	22	2:00	1:00	D
+ Rule Indianapolis 1941	1954	-	Sep	lastSun	2:00	0	S
+ Rule Indianapolis 1946	1954	-	Apr	lastSun	2:00	1:00	D
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT	1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1920
+ 			-6:00 Indianapolis C%sT	1942
+ 			-6:00	US	C%sT	1946
+@@ -965,7 +965,7 @@ Rule	Marengo	1951	only	-	Sep	lastSun	2:00	0	S
+ Rule	Marengo	1954	1960	-	Apr	lastSun	2:00	1:00	D
+ Rule	Marengo	1954	1960	-	Sep	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 -	LMT	1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1951
+ 			-6:00	Marengo	C%sT	1961 Apr 30  2:00
+ 			-5:00	-	EST	1969
+@@ -989,7 +989,7 @@ Rule Vincennes	1960	only	-	Oct	lastSun	2:00	0	S
+ Rule Vincennes	1961	only	-	Sep	lastSun	2:00	0	S
+ Rule Vincennes	1962	1963	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT	1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00 Vincennes	C%sT	1964 Apr 26  2:00
+ 			-5:00	-	EST	1969
+@@ -1009,7 +1009,7 @@ Rule Perry	1955	1960	-	Sep	lastSun	2:00	0	S
+ Rule Perry	1956	1963	-	Apr	lastSun	2:00	1:00	D
+ Rule Perry	1961	1963	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT	1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00 Perry	C%sT	1964 Apr 26  2:00
+ 			-5:00	-	EST	1967 Oct 29  2:00
+@@ -1026,7 +1026,7 @@ Rule	Pike	1955	1960	-	Sep	lastSun	2:00	0	S
+ Rule	Pike	1956	1964	-	Apr	lastSun	2:00	1:00	D
+ Rule	Pike	1961	1964	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT	1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1955
+ 			-6:00	Pike	C%sT	1965 Apr 25  2:00
+ 			-5:00	-	EST	1966 Oct 30  2:00
+@@ -1048,7 +1048,7 @@ Rule	Starke	1955	1956	-	Oct	lastSun	2:00	0	S
+ Rule	Starke	1957	1958	-	Sep	lastSun	2:00	0	S
+ Rule	Starke	1959	1961	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Knox -5:46:30 -	LMT	1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1947
+ 			-6:00	Starke	C%sT	1962 Apr 29  2:00
+ 			-5:00	-	EST	1963 Oct 27  2:00
+@@ -1064,7 +1064,7 @@ Rule	Pulaski	1946	1954	-	Sep	lastSun	2:00	0	S
+ Rule	Pulaski	1955	1956	-	Oct	lastSun	2:00	0	S
+ Rule	Pulaski	1957	1960	-	Sep	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00	Pulaski	C%sT	1961 Apr 30  2:00
+ 			-5:00	-	EST	1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 -	LMT	1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1954 Apr 25  2:00
+ 			-5:00	-	EST	1969
+ 			-5:00	US	E%sT	1973
+@@ -1111,7 +1111,7 @@ Rule Louisville	1950	1961	-	Apr	lastSun	2:00	1:00	D
+ Rule Louisville	1950	1955	-	Sep	lastSun	2:00	0	S
+ Rule Louisville	1956	1961	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1921
+ 			-6:00 Louisville C%sT	1942
+ 			-6:00	US	C%sT	1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00	-	CST	1968
+ 			-6:00	US	C%sT	2000 Oct 29  2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson	-9:17:40 -	LMT	1900 Aug 20
+ #    longitude they are located at.
+ 
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
++Rule	Mexico	1931	only	-	May	1	23:00	1:00	D
++Rule	Mexico	1931	only	-	Oct	1	0:00	0	S
+ Rule	Mexico	1939	only	-	Feb	5	0:00	1:00	D
+ Rule	Mexico	1939	only	-	Jun	25	0:00	0	S
+ Rule	Mexico	1940	only	-	Dec	9	0:00	1:00	D
+@@ -2656,13 +2658,13 @@ Rule	Mexico	2002	max	-	Apr	Sun>=1	2:00	1:00	D
+ Rule	Mexico	2002	max	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun	-5:47:04 -	LMT	1922 Jan  1  0:12:56
++Zone America/Cancun	-5:47:04 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1981 Dec 23
+ 			-5:00	Mexico	E%sT	1998 Aug  2  2:00
+ 			-6:00	Mexico	C%sT	2015 Feb  1  2:00
+ 			-5:00	-	EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  0:01:32
++Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1981 Dec 23
+ 			-5:00	-	EST	1982 Dec  2
+ 			-6:00	Mexico	C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros	-6:40:00 -	LMT	1921 Dec 31 23:20:00
++Zone America/Matamoros	-6:30:00 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1988
+ 			-6:00	US	C%sT	1989
+ 			-6:00	Mexico	C%sT	2010
+ 			-6:00	US	C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey	-6:41:16 -	LMT	1921 Dec 31 23:18:44
++Zone America/Monterrey	-6:41:16 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1988
+ 			-6:00	US	C%sT	1989
+ 			-6:00	Mexico	C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  0:23:24
++Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	Mexico	C%sT	2001 Sep 30  2:00
+ 			-6:00	-	CST	2002 Feb 20
+ 			-6:00	Mexico	C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga	-6:57:40 -	LMT	1922 Jan  1  0:02:20
++Zone America/Ojinaga	-6:57:40 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1996
+ 			-6:00	Mexico	C%sT	1998
+ 			-6:00	-	CST	1998 Apr Sun>=1  3:00
+ 			-7:00	Mexico	M%sT	2010
+ 			-7:00	US	M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua	-7:04:20 -	LMT	1921 Dec 31 23:55:40
++Zone America/Chihuahua	-7:04:20 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1996
+ 			-6:00	Mexico	C%sT	1998
+ 			-6:00	-	CST	1998 Apr Sun>=1  3:00
+ 			-7:00	Mexico	M%sT
+ # Sonora
+-Zone America/Hermosillo	-7:23:52 -	LMT	1921 Dec 31 23:36:08
++Zone America/Hermosillo	-7:23:52 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo	-7:23:52 -	LMT	1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+ 
+ # Mazatlán
+-Zone America/Mazatlan	-7:05:40 -	LMT	1921 Dec 31 23:54:20
++Zone America/Mazatlan	-7:05:40 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+ 			-7:00	Mexico	M%sT
+ 
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas	-7:01:00 -	LMT	1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas	-7:01:00 -	LMT	1921 Dec 31 23:59:00
+ 			-6:00	Mexico	C%sT
+ 
+ # Baja California
+-Zone America/Tijuana	-7:48:04 -	LMT	1922 Jan  1  0:11:56
++Zone America/Tijuana	-7:48:04 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1924
+ 			-8:00	-	PST	1927 Jun 10 23:00
+ 			-7:00	-	MST	1930 Nov 15
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+index 71470168456..0cad939008f 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+index b3823958ae4..2f2786f1c69 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
+ America/Yakutat AKST AKDT
+ America/Yellowknife MST MDT
+ Antarctica/Macquarie AEST AEDT
+-Asia/Amman EET EEST
+ Asia/Beirut EET EEST
+-Asia/Damascus EET EEST
+ Asia/Famagusta EET EEST
+ Asia/Gaza EET EEST
+ Asia/Hebron EET EEST
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
+index 1dc7d34f88e..f1771e42a71 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+ 
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule	Jordan	1973	only	-	Jun	6	0:00	1:00	S
+ Rule	Jordan	1973	1975	-	Oct	1	0:00	0	-
+@@ -2285,11 +2296,12 @@ Rule	Jordan	2005	only	-	Sep	lastFri	0:00s	0	-
+ Rule	Jordan	2006	2011	-	Oct	lastFri	0:00s	0	-
+ Rule	Jordan	2013	only	-	Dec	20	0:00	0	-
+ Rule	Jordan	2014	2021	-	Mar	lastThu	24:00	1:00	S
+-Rule	Jordan	2014	max	-	Oct	lastFri	0:00s	0	-
+-Rule	Jordan	2022	max	-	Feb	lastThu	24:00	1:00	S
++Rule	Jordan	2014	2022	-	Oct	lastFri	0:00s	0	-
++Rule	Jordan	2022	only	-	Feb	lastThu	24:00	1:00	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Amman	2:23:44 -	LMT	1931
+-			2:00	Jordan	EE%sT
++			2:00	Jordan	EE%sT	2022 Oct 28 0:00s
++			3:00	-	+03
+ 
+ 
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+ 
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+ 
+ Rule	Syria	2008	only	-	Apr	Fri>=1	0:00	1:00	S
+ Rule	Syria	2008	only	-	Nov	1	0:00	0	-
+ Rule	Syria	2009	only	-	Mar	lastFri	0:00	1:00	S
+ Rule	Syria	2010	2011	-	Apr	Fri>=1	0:00	1:00	S
+-Rule	Syria	2012	max	-	Mar	lastFri	0:00	1:00	S
+-Rule	Syria	2009	max	-	Oct	lastFri	0:00	0	-
++Rule	Syria	2012	2022	-	Mar	lastFri	0:00	1:00	S
++Rule	Syria	2009	2022	-	Oct	lastFri	0:00	0	-
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Damascus	2:25:12 -	LMT	1920 # Dimashq
+-			2:00	Syria	EE%sT
++			2:00	Syria	EE%sT	2022 Oct 28 0:00
++			3:00	-	+03
+ 
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
+index 9e0a538f86d..930cede4cf4 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone	Europe/Madrid	-0:14:44 -	LMT	1901 Jan  1  0:00u
+ 			 0:00	Spain	WE%sT	1940 Mar 16 23:00
+ 			 1:00	Spain	CE%sT	1979
+ 			 1:00	EU	CE%sT
+-Zone	Africa/Ceuta	-0:21:16 -	LMT	1900 Dec 31 23:38:44
++Zone	Africa/Ceuta	-0:21:16 -	LMT	1901 Jan  1  0:00u
+ 			 0:00	-	WET	1918 May  6 23:00
+ 			 0:00	1:00	WEST	1918 Oct  7 23:00
+ 			 0:00	-	WET	1924
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica
++++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule	Chicago	1922	1966	-	Apr	lastSun	2:00	1:00	D
+ Rule	Chicago	1922	1954	-	Sep	lastSun	2:00	0	S
+ Rule	Chicago	1955	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 12:09:24
++Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1920
+ 			-6:00	Chicago	C%sT	1936 Mar  1  2:00
+ 			-5:00	-	EST	1936 Nov 15  2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 12:09:24
+ 			-6:00	Chicago	C%sT	1967
+ 			-6:00	US	C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1992 Oct 25  2:00
+ 			-6:00	US	C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	2003 Oct 26  2:00
+ 			-6:00	US	C%sT
+ 
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
+ # largest city in Mercer County).  Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+ 
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	2010 Nov  7  2:00
+ 			-6:00	US	C%sT
+ 
+@@ -530,7 +530,7 @@ Rule	Denver	1921	only	-	May	22	2:00	0	S
+ Rule	Denver	1965	1966	-	Apr	lastSun	2:00	1:00	D
+ Rule	Denver	1965	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
++Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1920
+ 			-7:00	Denver	M%sT	1942
+ 			-7:00	US	M%sT	1946
+@@ -583,7 +583,7 @@ Rule	CA	1950	1966	-	Apr	lastSun	1:00	1:00	D
+ Rule	CA	1950	1961	-	Sep	lastSun	2:00	0	S
+ Rule	CA	1962	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 20:00u
+ 			-8:00	US	P%sT	1946
+ 			-8:00	CA	P%sT	1967
+ 			-8:00	US	P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu	-10:31:26 -	LMT	1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Phoenix	-7:28:18 -	LMT	1883 Nov 18 11:31:42
++Zone America/Phoenix	-7:28:18 -	LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1944 Jan  1  0:01
+ 			-7:00	-	MST	1944 Apr  1  0:01
+ 			-7:00	US	M%sT	1944 Oct  1  0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 12:15:11
++Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 20:00u
+ 			-8:00	US	P%sT	1923 May 13  2:00
+ 			-7:00	US	M%sT	1974
+ 			-7:00	-	MST	1974 Feb  3  2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941	only	-	Jun	22	2:00	1:00	D
+ Rule Indianapolis 1941	1954	-	Sep	lastSun	2:00	0	S
+ Rule Indianapolis 1946	1954	-	Apr	lastSun	2:00	1:00	D
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT	1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1920
+ 			-6:00 Indianapolis C%sT	1942
+ 			-6:00	US	C%sT	1946
+@@ -965,7 +965,7 @@ Rule	Marengo	1951	only	-	Sep	lastSun	2:00	0	S
+ Rule	Marengo	1954	1960	-	Apr	lastSun	2:00	1:00	D
+ Rule	Marengo	1954	1960	-	Sep	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 -	LMT	1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1951
+ 			-6:00	Marengo	C%sT	1961 Apr 30  2:00
+ 			-5:00	-	EST	1969
+@@ -989,7 +989,7 @@ Rule Vincennes	1960	only	-	Oct	lastSun	2:00	0	S
+ Rule Vincennes	1961	only	-	Sep	lastSun	2:00	0	S
+ Rule Vincennes	1962	1963	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT	1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00 Vincennes	C%sT	1964 Apr 26  2:00
+ 			-5:00	-	EST	1969
+@@ -1009,7 +1009,7 @@ Rule Perry	1955	1960	-	Sep	lastSun	2:00	0	S
+ Rule Perry	1956	1963	-	Apr	lastSun	2:00	1:00	D
+ Rule Perry	1961	1963	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT	1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00 Perry	C%sT	1964 Apr 26  2:00
+ 			-5:00	-	EST	1967 Oct 29  2:00
+@@ -1026,7 +1026,7 @@ Rule	Pike	1955	1960	-	Sep	lastSun	2:00	0	S
+ Rule	Pike	1956	1964	-	Apr	lastSun	2:00	1:00	D
+ Rule	Pike	1961	1964	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT	1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1955
+ 			-6:00	Pike	C%sT	1965 Apr 25  2:00
+ 			-5:00	-	EST	1966 Oct 30  2:00
+@@ -1048,7 +1048,7 @@ Rule	Starke	1955	1956	-	Oct	lastSun	2:00	0	S
+ Rule	Starke	1957	1958	-	Sep	lastSun	2:00	0	S
+ Rule	Starke	1959	1961	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Knox -5:46:30 -	LMT	1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1947
+ 			-6:00	Starke	C%sT	1962 Apr 29  2:00
+ 			-5:00	-	EST	1963 Oct 27  2:00
+@@ -1064,7 +1064,7 @@ Rule	Pulaski	1946	1954	-	Sep	lastSun	2:00	0	S
+ Rule	Pulaski	1955	1956	-	Oct	lastSun	2:00	0	S
+ Rule	Pulaski	1957	1960	-	Sep	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00	Pulaski	C%sT	1961 Apr 30  2:00
+ 			-5:00	-	EST	1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 -	LMT	1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1954 Apr 25  2:00
+ 			-5:00	-	EST	1969
+ 			-5:00	US	E%sT	1973
+@@ -1111,7 +1111,7 @@ Rule Louisville	1950	1961	-	Apr	lastSun	2:00	1:00	D
+ Rule Louisville	1950	1955	-	Sep	lastSun	2:00	0	S
+ Rule Louisville	1956	1961	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1921
+ 			-6:00 Louisville C%sT	1942
+ 			-6:00	US	C%sT	1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00	-	CST	1968
+ 			-6:00	US	C%sT	2000 Oct 29  2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson	-9:17:40 -	LMT	1900 Aug 20
+ #    longitude they are located at.
+ 
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
++Rule	Mexico	1931	only	-	May	1	23:00	1:00	D
++Rule	Mexico	1931	only	-	Oct	1	0:00	0	S
+ Rule	Mexico	1939	only	-	Feb	5	0:00	1:00	D
+ Rule	Mexico	1939	only	-	Jun	25	0:00	0	S
+ Rule	Mexico	1940	only	-	Dec	9	0:00	1:00	D
+@@ -2656,13 +2658,13 @@ Rule	Mexico	2002	max	-	Apr	Sun>=1	2:00	1:00	D
+ Rule	Mexico	2002	max	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun	-5:47:04 -	LMT	1922 Jan  1  0:12:56
++Zone America/Cancun	-5:47:04 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1981 Dec 23
+ 			-5:00	Mexico	E%sT	1998 Aug  2  2:00
+ 			-6:00	Mexico	C%sT	2015 Feb  1  2:00
+ 			-5:00	-	EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  0:01:32
++Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1981 Dec 23
+ 			-5:00	-	EST	1982 Dec  2
+ 			-6:00	Mexico	C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros	-6:40:00 -	LMT	1921 Dec 31 23:20:00
++Zone America/Matamoros	-6:30:00 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1988
+ 			-6:00	US	C%sT	1989
+ 			-6:00	Mexico	C%sT	2010
+ 			-6:00	US	C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey	-6:41:16 -	LMT	1921 Dec 31 23:18:44
++Zone America/Monterrey	-6:41:16 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1988
+ 			-6:00	US	C%sT	1989
+ 			-6:00	Mexico	C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  0:23:24
++Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	Mexico	C%sT	2001 Sep 30  2:00
+ 			-6:00	-	CST	2002 Feb 20
+ 			-6:00	Mexico	C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga	-6:57:40 -	LMT	1922 Jan  1  0:02:20
++Zone America/Ojinaga	-6:57:40 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1996
+ 			-6:00	Mexico	C%sT	1998
+ 			-6:00	-	CST	1998 Apr Sun>=1  3:00
+ 			-7:00	Mexico	M%sT	2010
+ 			-7:00	US	M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua	-7:04:20 -	LMT	1921 Dec 31 23:55:40
++Zone America/Chihuahua	-7:04:20 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1996
+ 			-6:00	Mexico	C%sT	1998
+ 			-6:00	-	CST	1998 Apr Sun>=1  3:00
+ 			-7:00	Mexico	M%sT
+ # Sonora
+-Zone America/Hermosillo	-7:23:52 -	LMT	1921 Dec 31 23:36:08
++Zone America/Hermosillo	-7:23:52 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo	-7:23:52 -	LMT	1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+ 
+ # Mazatlán
+-Zone America/Mazatlan	-7:05:40 -	LMT	1921 Dec 31 23:54:20
++Zone America/Mazatlan	-7:05:40 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+ 			-7:00	Mexico	M%sT
+ 
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas	-7:01:00 -	LMT	1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas	-7:01:00 -	LMT	1921 Dec 31 23:59:00
+ 			-6:00	Mexico	C%sT
+ 
+ # Baja California
+-Zone America/Tijuana	-7:48:04 -	LMT	1922 Jan  1  0:11:56
++Zone America/Tijuana	-7:48:04 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1924
+ 			-8:00	-	PST	1927 Jun 10 23:00
+ 			-7:00	-	MST	1930 Nov 15

SOURCES/nss.fips.cfg.in

@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
 nssDbMode = readOnly
 nssModule = fips
 
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+

SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch

@@ -1,63 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1459487045 -3600
-#      Fri Apr 01 06:04:05 2016 +0100
-# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
-# Parent  6b81fd2227d14226f2121f2d51b464536925686e
-PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
-PR3575: System cacerts database handling should not affect jssecacerts
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-@@ -72,7 +72,7 @@
-      * The preference of the default trusted KeyStore is:
-      *    javax.net.ssl.trustStore
-      *    jssecacerts
--     *    cacerts
-+     *    cacerts (system and local)
-      */
-     private static final class TrustStoreDescriptor {
-         private static final String fileSep = File.separator;
-@@ -83,6 +83,10 @@
-                 defaultStorePath + fileSep + "cacerts";
-         private static final String jsseDefaultStore =
-                 defaultStorePath + fileSep + "jssecacerts";
-+        /* Check system cacerts DB: /etc/pki/java/cacerts */
-+        private static final String systemStore =
-+                fileSep + "etc" + fileSep + "pki" +
-+                fileSep + "java" + fileSep + "cacerts";
- 
-         // the trust store name
-         private final String storeName;
-@@ -146,7 +150,8 @@
-                     long temporaryTime = 0L;
-                     if (!"NONE".equals(storePropName)) {
-                         String[] fileNames =
--                                new String[] {storePropName, defaultStore};
-+                                new String[] {storePropName,
-+                                              systemStore, defaultStore};
-                         for (String fileName : fileNames) {
-                             File f = new File(fileName);
-                             if (f.isFile() && f.canRead()) {
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
---- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-@@ -108,9 +108,14 @@
-         throws Exception
-     {
-         String sep = File.separator;
--        File file = new File(System.getProperty("java.home") + sep
--                             + "lib" + sep + "security" + sep
--                             + "cacerts");
-+        /* Check system cacerts DB first; /etc/pki/java/cacerts */
-+        File file = new File(sep + "etc" + sep + "pki" + sep
-+                             + "java" + sep + "cacerts");
-+        if (!file.exists()) {
-+            file = new File(System.getProperty("java.home") + sep
-+                            + "lib" + sep + "security" + sep
-+                            + "cacerts");
-+        }
-         if (!file.exists()) {
-             return null;
-         }

SOURCES/pr2888-rh2055274-support_system_cacerts.patch

@@ -0,0 +1,263 @@
+diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+index e7b4763db53..e8ec8467e6a 100644
+--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import sun.security.action.*;
++import sun.security.tools.KeyStoreUtil;
+ import sun.security.validator.TrustStoreUtil;
+ 
+ /**
+@@ -68,7 +69,7 @@ final class TrustStoreManager {
+      * The preference of the default trusted KeyStore is:
+      *    javax.net.ssl.trustStore
+      *    jssecacerts
+-     *    cacerts
++     *    cacerts (system and local)
+      */
+     private static final class TrustStoreDescriptor {
+         private static final String fileSep = File.separator;
+@@ -76,7 +77,7 @@ final class TrustStoreManager {
+                 GetPropertyAction.privilegedGetProperty("java.home") +
+                 fileSep + "lib" + fileSep + "security";
+         private static final String defaultStore =
+-                defaultStorePath + fileSep + "cacerts";
++            KeyStoreUtil.getCacertsKeyStoreFile().getPath();
+         private static final String jsseDefaultStore =
+                 defaultStorePath + fileSep + "jssecacerts";
+ 
+@@ -139,6 +140,10 @@ final class TrustStoreManager {
+                     String storePropPassword = System.getProperty(
+                             "javax.net.ssl.trustStorePassword", "");
+ 
++                    if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
++                        SSLLogger.fine("Default store: " + defaultStore);
++                    }
++
+                     String temporaryName = "";
+                     File temporaryFile = null;
+                     long temporaryTime = 0L;
+@@ -146,21 +151,22 @@ final class TrustStoreManager {
+                         String[] fileNames =
+                                 new String[] {storePropName, defaultStore};
+                         for (String fileName : fileNames) {
+-                            File f = new File(fileName);
+-                            if (f.isFile() && f.canRead()) {
+-                                temporaryName = fileName;;
+-                                temporaryFile = f;
+-                                temporaryTime = f.lastModified();
+-
+-                                break;
+-                            }
+-
+-                            // Not break, the file is inaccessible.
+-                            if (SSLLogger.isOn &&
++                            if (fileName != null && !"".equals(fileName)) {
++                                File f = new File(fileName);
++                                if (f.isFile() && f.canRead()) {
++                                    temporaryName = fileName;;
++                                    temporaryFile = f;
++                                    temporaryTime = f.lastModified();
++
++                                    break;
++                                }
++                                // Not break, the file is inaccessible.
++                                if (SSLLogger.isOn &&
+                                     SSLLogger.isOn("trustmanager")) {
+-                                SSLLogger.fine(
+-                                        "Inaccessible trust store: " +
+-                                        storePropName);
++                                    SSLLogger.fine(
++                                            "Inaccessible trust store: " +
++                                            fileName);
++                                }
+                             }
+                         }
+                     } else {
+diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+index fcc77786da1..f554f83a8b4 100644
+--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
+ 
+ import java.net.URL;
+ 
++import java.security.AccessController;
+ import java.security.KeyStore;
++import java.security.PrivilegedAction;
++import java.security.Security;
+ 
+ import java.security.cert.X509Certificate;
+ import java.text.Collator;
+@@ -54,6 +57,33 @@ public class KeyStoreUtil {
+ 
+     private static final String JKS = "jks";
+ 
++    private static final String PROP_NAME = "security.systemCACerts";
++
++    /**
++     * Returns the value of the security property propName, which can be overridden
++     * by a system property of the same name
++     *
++     * @param  propName the name of the system or security property
++     * @return the value of the system or security property
++     */
++    @SuppressWarnings("removal")
++    public static String privilegedGetOverridable(String propName) {
++        if (System.getSecurityManager() == null) {
++            return getOverridableProperty(propName);
++        } else {
++            return AccessController.doPrivileged((PrivilegedAction<String>) () -> getOverridableProperty(propName));
++        }
++    }
++
++    private static String getOverridableProperty(String propName) {
++        String val = System.getProperty(propName);
++        if (val == null) {
++            return Security.getProperty(propName);
++        } else {
++            return val;
++        }
++    }
++
+     /**
+      * Returns true if the certificate is self-signed, false otherwise.
+      */
+@@ -96,20 +126,38 @@ public class KeyStoreUtil {
+         }
+     }
+ 
++    /**
++     * Returns the path to the cacerts DB
++     */
++    public static File getCacertsKeyStoreFile()
++    {
++        String sep = File.separator;
++        File file = null;
++        /* Check system cacerts DB first, preferring system property over security property */
++        String systemDB = privilegedGetOverridable(PROP_NAME);
++        if (systemDB != null && !"".equals(systemDB)) {
++            file = new File(systemDB);
++        }
++        if (file == null || !file.exists()) {
++            file = new File(System.getProperty("java.home") + sep
++                            + "lib" + sep + "security" + sep
++                            + "cacerts");
++        }
++        if (file.exists()) {
++            return file;
++        }
++        return null;
++    }
++
+     /**
+      * Returns the keystore with the configured CA certificates.
+      */
+     public static KeyStore getCacertsKeyStore()
+         throws Exception
+     {
+-        String sep = File.separator;
+-        File file = new File(System.getProperty("java.home") + sep
+-                             + "lib" + sep + "security" + sep
+-                             + "cacerts");
+-        if (!file.exists()) {
+-            return null;
+-        }
+         KeyStore caks = null;
++        File file = getCacertsKeyStoreFile();
++        if (file == null) { return null; }
+         try (FileInputStream fis = new FileInputStream(file)) {
+             caks = KeyStore.getInstance(JKS);
+             caks.load(fis, null);
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index bfe0c593adb..093bc09bf95 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+ 
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 9d1c8fe8a8e..16c9281cc1f 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+ 
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index 19047c61097..43e034cdeaf 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+ 
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index 7eda556ae13..325937e97fb 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+ 
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index dfa1a669aa9..92ef777e065 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+ 
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.

SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch

@@ -1,158 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent  3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3183: Support Fedora/RHEL system crypto policy
-
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/classes/java/security/Security.java
---- openjdk/jdk/src/share/classes/java/security/Security.java	Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/classes/java/security/Security.java	Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
-  * implementation-specific location, which is typically the properties file
-  * {@code lib/security/java.security} in the Java installation directory.
-  *
-+ * <p>Additional default values of security properties are read from a
-+ * system-specific location, if available.</p>
-+ *
-  * @author Benjamin Renaud
-  */
- 
-@@ -52,6 +55,10 @@
-     private static final Debug sdebug =
-                         Debug.getInstance("properties");
- 
-+    /* System property file*/
-+    private static final String SYSTEM_PROPERTIES =
-+        "/etc/crypto-policies/back-ends/java.config";
-+
-     /* The java.security properties */
-     private static Properties props;
- 
-@@ -93,6 +100,7 @@
-                 if (sdebug != null) {
-                     sdebug.println("reading security properties file: " +
-                                 propFile);
-+                    sdebug.println(props.toString());
-                 }
-             } catch (IOException e) {
-                 if (sdebug != null) {
-@@ -114,6 +122,31 @@
-         }
- 
-         if ("true".equalsIgnoreCase(props.getProperty
-+                ("security.useSystemPropertiesFile"))) {
-+
-+            // now load the system file, if it exists, so its values
-+            // will win if they conflict with the earlier values
-+            try (BufferedInputStream bis =
-+                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+                props.load(bis);
-+                loadedProps = true;
-+
-+                if (sdebug != null) {
-+                    sdebug.println("reading system security properties file " +
-+                                   SYSTEM_PROPERTIES);
-+                    sdebug.println(props.toString());
-+                }
-+            } catch (IOException e) {
-+                if (sdebug != null) {
-+                    sdebug.println
-+                        ("unable to load security properties from " +
-+                         SYSTEM_PROPERTIES);
-+                    e.printStackTrace();
-+                }
-+            }
-+        }
-+
-+        if ("true".equalsIgnoreCase(props.getProperty
-                 ("security.overridePropertiesFile"))) {
- 
-             String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-aix
---- openjdk/jdk/src/share/lib/security/java.security-aix	Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-aix	Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
- 
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux	Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-linux	Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
- 
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-macosx
---- openjdk/jdk/src/share/lib/security/java.security-macosx	Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-macosx	Wed Nov 02 03:31:54 2016 +0000
-@@ -279,6 +279,13 @@
- security.overridePropertiesFile=true
- 
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-solaris
---- openjdk/jdk/src/share/lib/security/java.security-solaris	Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-solaris	Wed Nov 02 03:31:54 2016 +0000
-@@ -278,6 +278,13 @@
- security.overridePropertiesFile=true
- 
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-windows
---- openjdk/jdk/src/share/lib/security/java.security-windows	Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-windows	Wed Nov 02 03:31:54 2016 +0000
-@@ -279,6 +279,13 @@
- security.overridePropertiesFile=true
- 
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-

SOURCES/pr3655-toggle_system_crypto_policy.patch

@@ -1,78 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1545198926 0
-#      Wed Dec 19 05:55:26 2018 +0000
-# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
-# Parent  81f07f6d1f8b7b51b136d3974c61bc8bb513770c
-PR3655: Allow use of system crypto policy to be disabled by the user
-Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
-
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -122,31 +122,6 @@
-         }
- 
-         if ("true".equalsIgnoreCase(props.getProperty
--                ("security.useSystemPropertiesFile"))) {
--
--            // now load the system file, if it exists, so its values
--            // will win if they conflict with the earlier values
--            try (BufferedInputStream bis =
--                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
--                props.load(bis);
--                loadedProps = true;
--
--                if (sdebug != null) {
--                    sdebug.println("reading system security properties file " +
--                                   SYSTEM_PROPERTIES);
--                    sdebug.println(props.toString());
--                }
--            } catch (IOException e) {
--                if (sdebug != null) {
--                    sdebug.println
--                        ("unable to load security properties from " +
--                         SYSTEM_PROPERTIES);
--                    e.printStackTrace();
--                }
--            }
--        }
--
--        if ("true".equalsIgnoreCase(props.getProperty
-                 ("security.overridePropertiesFile"))) {
- 
-             String extraPropFile = System.getProperty
-@@ -212,6 +187,33 @@
-             }
-         }
- 
-+        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+        if (disableSystemProps == null &&
-+            "true".equalsIgnoreCase(props.getProperty
-+                ("security.useSystemPropertiesFile"))) {
-+
-+            // now load the system file, if it exists, so its values
-+            // will win if they conflict with the earlier values
-+            try (BufferedInputStream bis =
-+                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+                props.load(bis);
-+                loadedProps = true;
-+
-+                if (sdebug != null) {
-+                    sdebug.println("reading system security properties file " +
-+                                   SYSTEM_PROPERTIES);
-+                    sdebug.println(props.toString());
-+                }
-+            } catch (IOException e) {
-+                if (sdebug != null) {
-+                    sdebug.println
-+                        ("unable to load security properties from " +
-+                         SYSTEM_PROPERTIES);
-+                    e.printStackTrace();
-+                }
-+            }
-+        }
-+
-         if (!loadedProps) {
-             initializeStatic();
-             if (sdebug != null) {

SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch

@@ -1,11 +1,12 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux	Tue May 16 13:29:05 2017 -0700
-+++ openjdk/jdk/src/share/lib/security/java.security-linux	Tue Jun 06 14:05:12 2017 +0200
-@@ -74,6 +74,7 @@
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 9d1c8fe8a8e..a80a3c12abb 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -74,6 +74,7 @@ security.provider.6=sun.security.jgss.SunProvider
  security.provider.7=com.sun.security.sasl.Provider
  security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
  security.provider.9=sun.security.smartcardio.SunPCSC
 +#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
  
  #
- # Sun Provider SecureRandom seed source.
+ # Security providers used when FIPS mode support is active

SOURCES/rh1655466-global_crypto_and_fips.patch

@@ -1,208 +0,0 @@
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -191,27 +191,7 @@
-         if (disableSystemProps == null &&
-             "true".equalsIgnoreCase(props.getProperty
-                 ("security.useSystemPropertiesFile"))) {
--
--            // now load the system file, if it exists, so its values
--            // will win if they conflict with the earlier values
--            try (BufferedInputStream bis =
--                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
--                props.load(bis);
--                loadedProps = true;
--
--                if (sdebug != null) {
--                    sdebug.println("reading system security properties file " +
--                                   SYSTEM_PROPERTIES);
--                    sdebug.println(props.toString());
--                }
--            } catch (IOException e) {
--                if (sdebug != null) {
--                    sdebug.println
--                        ("unable to load security properties from " +
--                         SYSTEM_PROPERTIES);
--                    e.printStackTrace();
--                }
--            }
-+            loadedProps = loadedProps && SystemConfigurator.configure(props);
-         }
- 
-         if (!loadedProps) {
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,153 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.nio.file.Files;
-+import java.nio.file.FileSystems;
-+import java.nio.file.Path;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+import java.util.function.Consumer;
-+import java.util.regex.Matcher;
-+import java.util.regex.Pattern;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+class SystemConfigurator {
-+
-+    private static final Debug sdebug =
-+            Debug.getInstance("properties");
-+
-+    private static final String CRYPTO_POLICIES_BASE_DIR =
-+            "/etc/crypto-policies";
-+
-+    private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+    private static final String CRYPTO_POLICIES_CONFIG =
-+            CRYPTO_POLICIES_BASE_DIR + "/config";
-+
-+    private static final class SecurityProviderInfo {
-+        int number;
-+        String key;
-+        String value;
-+        SecurityProviderInfo(int number, String key, String value) {
-+            this.number = number;
-+            this.key = key;
-+            this.value = value;
-+        }
-+    }
-+
-+    /*
-+     * Invoked when java.security.Security class is initialized, if
-+     * java.security.disableSystemPropertiesFile property is not set and
-+     * security.useSystemPropertiesFile is true.
-+     */
-+    static boolean configure(Properties props) {
-+        boolean loadedProps = false;
-+
-+        try (BufferedInputStream bis =
-+                new BufferedInputStream(
-+                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+            props.load(bis);
-+            loadedProps = true;
-+            if (sdebug != null) {
-+                sdebug.println("reading system security properties file " +
-+                        CRYPTO_POLICIES_JAVA_CONFIG);
-+                sdebug.println(props.toString());
-+            }
-+        } catch (IOException e) {
-+            if (sdebug != null) {
-+                sdebug.println("unable to load security properties from " +
-+                        CRYPTO_POLICIES_JAVA_CONFIG);
-+                e.printStackTrace();
-+            }
-+        }
-+
-+        try {
-+            if (enableFips()) {
-+                if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+                loadedProps = false;
-+                // Remove all security providers
-+                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
-+                while (i.hasNext()) {
-+                    Entry<Object, Object> e = i.next();
-+                    if (((String) e.getKey()).startsWith("security.provider")) {
-+                        if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+                        i.remove();
-+                    }
-+                }
-+                // Add FIPS security providers
-+                String fipsProviderValue = null;
-+                for (int n = 1;
-+                     (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+                    String fipsProviderKey = "security.provider." + n;
-+                    if (sdebug != null) {
-+                        sdebug.println("Adding provider " + n + ": " +
-+                                fipsProviderKey + "=" + fipsProviderValue);
-+                    }
-+                    props.put(fipsProviderKey, fipsProviderValue);
-+                }
-+                loadedProps = true;
-+            }
-+        } catch (Exception e) {
-+            if (sdebug != null) {
-+                sdebug.println("unable to load FIPS configuration");
-+                e.printStackTrace();
-+            }
-+        }
-+        return loadedProps;
-+    }
-+
-+    /*
-+     * FIPS is enabled only if crypto-policies are set to "FIPS"
-+     * and the com.redhat.fips property is true.
-+     */
-+    private static boolean enableFips() throws Exception {
-+	boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+	if (fipsEnabled) {
-+	    Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-+	    String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-+	    if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+	    Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+	    return pattern.matcher(cryptoPoliciesConfig).find();
-+	} else {
-+	    return false;
-+	}
-+    }
-+}
-diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
---- openjdk.orig/jdk/src/share/lib/security/java.security-linux
-+++ openjdk/jdk/src/share/lib/security/java.security-linux
-@@ -77,6 +77,14 @@
- #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
- 
- #
-+# Security providers used when global crypto-policies are set to FIPS.
-+#
-+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
-+fips.provider.2=sun.security.provider.Sun
-+fips.provider.3=sun.security.ec.SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
-+#
- # Sun Provider SecureRandom seed source.
- #
- # Select the primary source of seed data for the "SHA1PRNG" and

SOURCES/rh1760838-fips_default_keystore_type.patch

@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java	Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
-                     }
-                     props.put(fipsProviderKey, fipsProviderValue);
-                 }
-+                // Add other security properties
-+                String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+                if (keystoreTypeValue != null) {
-+                    String nonFipsKeystoreType = props.getProperty("keystore.type");
-+                    props.put("keystore.type", keystoreTypeValue);
-+                    if (keystoreTypeValue.equals("PKCS11")) {
-+                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
-+                    	// must be "NONE". See JDK-8238264.
-+                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
-+                    }
-+                    if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+                        // If no trustStoreType has been set, use the
-+                        // previous keystore.type under FIPS mode. In
-+                        // a default configuration, the Trust Store will
-+                        // be 'cacerts' (JKS type).
-+                        System.setProperty("javax.net.ssl.trustStoreType",
-+                                nonFipsKeystoreType);
-+                    }
-+                    if (sdebug != null) {
-+                        sdebug.println("FIPS mode default keystore.type = " +
-+                                keystoreTypeValue);
-+                        sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+                        		System.getProperty("javax.net.ssl.keyStore", ""));
-+                        sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+                                System.getProperty("javax.net.ssl.trustStoreType", ""));
-+                    }
-+                }
-                 loadedProps = true;
-             }
-         } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/jdk/src/share/lib/security/java.security-linux	Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/lib/security/java.security-linux	Mon Mar 02 19:20:17 2020 -0300
-@@ -179,6 +179,11 @@
- keystore.type=jks
- 
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for the JKS keystore type.
- #
- # When set to 'true', the JKS keystore type supports loading

SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch

@@ -1,327 +0,0 @@
-diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
---- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java	Sat Aug 01 23:16:51 2020 -0300
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
-  *
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-  *
-  * This code is distributed in the hope that it will be useful, but WITHOUT
-  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
- 
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
- 
- /**
-@@ -47,7 +49,7 @@
-  *
-  */
- 
--class SystemConfigurator {
-+final class SystemConfigurator {
- 
-     private static final Debug sdebug =
-             Debug.getInstance("properties");
-@@ -61,15 +63,16 @@
-     private static final String CRYPTO_POLICIES_CONFIG =
-             CRYPTO_POLICIES_BASE_DIR + "/config";
- 
--    private static final class SecurityProviderInfo {
--        int number;
--        String key;
--        String value;
--        SecurityProviderInfo(int number, String key, String value) {
--            this.number = number;
--            this.key = key;
--            this.value = value;
--        }
-+    private static boolean systemFipsEnabled = false;
-+
-+    static {
-+        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+            new JavaSecuritySystemConfiguratorAccess() {
-+                @Override
-+                public boolean isSystemFipsEnabled() {
-+                    return SystemConfigurator.isSystemFipsEnabled();
-+                }
-+            });
-     }
- 
-     /*
-@@ -128,9 +131,9 @@
-                     String nonFipsKeystoreType = props.getProperty("keystore.type");
-                     props.put("keystore.type", keystoreTypeValue);
-                     if (keystoreTypeValue.equals("PKCS11")) {
--                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
--                    	// must be "NONE". See JDK-8238264.
--                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
-+                        // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+                        // must be "NONE". See JDK-8238264.
-+                        System.setProperty("javax.net.ssl.keyStore", "NONE");
-                     }
-                     if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-                         // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@
-                         sdebug.println("FIPS mode default keystore.type = " +
-                                 keystoreTypeValue);
-                         sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
--                        		System.getProperty("javax.net.ssl.keyStore", ""));
-+                                System.getProperty("javax.net.ssl.keyStore", ""));
-                         sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-                                 System.getProperty("javax.net.ssl.trustStoreType", ""));
-                     }
-                 }
-                 loadedProps = true;
-+                systemFipsEnabled = true;
-             }
-         } catch (Exception e) {
-             if (sdebug != null) {
-@@ -165,20 +165,37 @@
-         return loadedProps;
-     }
- 
-+    /**
-+     * Returns whether or not global system FIPS alignment is enabled.
-+     *
-+     * Value is always 'false' before java.security.Security class is
-+     * initialized.
-+     *
-+     * Call from out of this package through SharedSecrets:
-+     *   SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+     *           .isSystemFipsEnabled();
-+     *
-+     * @return  a boolean value indicating whether or not global
-+     *          system FIPS alignment is enabled.
-+     */
-+    static boolean isSystemFipsEnabled() {
-+        return systemFipsEnabled;
-+    }
-+
-     /*
-      * FIPS is enabled only if crypto-policies are set to "FIPS"
-      * and the com.redhat.fips property is true.
-      */
-     private static boolean enableFips() throws Exception {
--	boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
--	if (fipsEnabled) {
--	    Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
--	    String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
--	    if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
--	    Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
--	    return pattern.matcher(cryptoPoliciesConfig).find();
--	} else {
--	    return false;
--	}
-+        boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+        if (shouldEnable) {
-+            Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-+            String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-+            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+            return pattern.matcher(cryptoPoliciesConfig).find();
-+        } else {
-+            return false;
-+        }
-     }
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+    boolean isSystemFipsEnabled();
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -63,6 +63,7 @@
-     private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
-     private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
-     private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
-+    private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
- 
-     public static JavaUtilJarAccess javaUtilJarAccess() {
-         if (javaUtilJarAccess == null) {
-@@ -248,4 +249,12 @@
-         }
-         return javaxCryptoSealedObjectAccess;
-     }
-+
-+    public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+        javaSecuritySystemConfiguratorAccess = jssca;
-+    }
-+
-+    public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+        return javaSecuritySystemConfiguratorAccess;
-+    }
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -31,6 +31,7 @@
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import sun.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -539,20 +540,38 @@
- 
-         static {
-             if (SunJSSE.isFIPS()) {
--                supportedProtocols = Arrays.asList(
--                    ProtocolVersion.TLS13,
--                    ProtocolVersion.TLS12,
--                    ProtocolVersion.TLS11,
--                    ProtocolVersion.TLS10
--                );
-+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+                        .isSystemFipsEnabled()) {
-+                    // RH1860986: TLSv1.3 key derivation not supported with
-+                    // the Security Providers available in system FIPS mode.
-+                    supportedProtocols = Arrays.asList(
-+                        ProtocolVersion.TLS12,
-+                        ProtocolVersion.TLS11,
-+                        ProtocolVersion.TLS10
-+                    );
- 
--                serverDefaultProtocols = getAvailableProtocols(
--                        new ProtocolVersion[] {
--                    ProtocolVersion.TLS13,
--                    ProtocolVersion.TLS12,
--                    ProtocolVersion.TLS11,
--                    ProtocolVersion.TLS10
--                });
-+                    serverDefaultProtocols = getAvailableProtocols(
-+                            new ProtocolVersion[] {
-+                        ProtocolVersion.TLS12,
-+                        ProtocolVersion.TLS11,
-+                        ProtocolVersion.TLS10
-+                    });
-+                } else {
-+                    supportedProtocols = Arrays.asList(
-+                        ProtocolVersion.TLS13,
-+                        ProtocolVersion.TLS12,
-+                        ProtocolVersion.TLS11,
-+                        ProtocolVersion.TLS10
-+                    );
-+
-+                    serverDefaultProtocols = getAvailableProtocols(
-+                            new ProtocolVersion[] {
-+                        ProtocolVersion.TLS13,
-+                        ProtocolVersion.TLS12,
-+                        ProtocolVersion.TLS11,
-+                        ProtocolVersion.TLS10
-+                    });
-+                }
-             } else {
-                 supportedProtocols = Arrays.asList(
-                     ProtocolVersion.TLS13,
-@@ -612,6 +631,16 @@
- 
-         static ProtocolVersion[] getSupportedProtocols() {
-             if (SunJSSE.isFIPS()) {
-+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+                        .isSystemFipsEnabled()) {
-+                    // RH1860986: TLSv1.3 key derivation not supported with
-+                    // the Security Providers available in system FIPS mode.
-+                    return new ProtocolVersion[] {
-+                            ProtocolVersion.TLS12,
-+                            ProtocolVersion.TLS11,
-+                            ProtocolVersion.TLS10
-+                    };
-+                }
-                 return new ProtocolVersion[] {
-                         ProtocolVersion.TLS13,
-                         ProtocolVersion.TLS12,
-@@ -939,6 +968,16 @@
- 
-         static ProtocolVersion[] getProtocols() {
-             if (SunJSSE.isFIPS()) {
-+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+                        .isSystemFipsEnabled()) {
-+                    // RH1860986: TLSv1.3 key derivation not supported with
-+                    // the Security Providers available in system FIPS mode.
-+                    return new ProtocolVersion[] {
-+                            ProtocolVersion.TLS12,
-+                            ProtocolVersion.TLS11,
-+                            ProtocolVersion.TLS10
-+                    };
-+                }
-                 return new ProtocolVersion[]{
-                         ProtocolVersion.TLS12,
-                         ProtocolVersion.TLS11,
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-@@ -30,6 +30,8 @@
- 
- import java.security.*;
- 
-+import sun.misc.SharedSecrets;
-+
- /**
-  * The JSSE provider.
-  *
-@@ -215,8 +217,13 @@
-             "sun.security.ssl.SSLContextImpl$TLS11Context");
-         put("SSLContext.TLSv1.2",
-             "sun.security.ssl.SSLContextImpl$TLS12Context");
--        put("SSLContext.TLSv1.3",
--            "sun.security.ssl.SSLContextImpl$TLS13Context");
-+        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+                .isSystemFipsEnabled()) {
-+            // RH1860986: TLSv1.3 key derivation not supported with
-+            // the Security Providers available in system FIPS mode.
-+            put("SSLContext.TLSv1.3",
-+                "sun.security.ssl.SSLContextImpl$TLS13Context");
-+        }
-         put("SSLContext.TLS",
-             "sun.security.ssl.SSLContextImpl$TLSContext");
-         if (isfips == false) {

SOURCES/rh1906862-always_initialise_configurator_access.patch

@@ -1,65 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1608219816 0
-#      Thu Dec 17 15:43:36 2020 +0000
-# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
-# Parent  a2cfa397150e99b813354226d536eb8509b5850b
-RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
-
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -30,6 +30,8 @@
- import java.util.concurrent.ConcurrentHashMap;
- import java.io.*;
- import java.net.URL;
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
- import sun.security.util.PropertyExpander;
- 
-@@ -69,6 +71,15 @@
-     }
- 
-     static {
-+        // Initialise here as used by code with system properties disabled
-+        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+            new JavaSecuritySystemConfiguratorAccess() {
-+                @Override
-+                public boolean isSystemFipsEnabled() {
-+                    return SystemConfigurator.isSystemFipsEnabled();
-+                }
-+            });
-+
-         // doPrivileged here because there are multiple
-         // things in initialize that might require privs.
-         // (the FileInputStream call and the File.exists call,
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -39,8 +39,6 @@
- import java.util.Properties;
- import java.util.regex.Pattern;
- 
--import sun.misc.SharedSecrets;
--import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
- 
- /**
-@@ -66,16 +64,6 @@
- 
-     private static boolean systemFipsEnabled = false;
- 
--    static {
--        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
--            new JavaSecuritySystemConfiguratorAccess() {
--                @Override
--                public boolean isSystemFipsEnabled() {
--                    return SystemConfigurator.isSystemFipsEnabled();
--                }
--            });
--    }
--
-     /*
-      * Invoked when java.security.Security class is initialized, if
-      * java.security.disableSystemPropertiesFile property is not set and

SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch

@@ -1,344 +0,0 @@
-diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
---- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
-+++ openjdk/jdk/make/lib/SecurityLibraries.gmk
-@@ -289,3 +289,34 @@
- 
-   endif
- endif
-+
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+  LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+  LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+  $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
-+      LIBRARY := systemconf, \
-+      OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
-+      SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
-+      LANG := C, \
-+      OPTIMIZATION := LOW, \
-+      CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+      CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+      MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
-+      LDFLAGS := $(LDFLAGS_JDKLIB) \
-+          $(call SET_SHARED_LIBRARY_ORIGIN), \
-+      LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
-+      OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
-+      DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
-+
-+  BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
-diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
-@@ -0,0 +1,35 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation.  Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+# Define public interface.
-+
-+SUNWprivate_1.1 {
-+	global:
-+		DEF_JNI_OnLoad;
-+		DEF_JNI_OnUnLoad;
-+		Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
-+	local:
-+		*;
-+};
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-  *
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-@@ -30,14 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
- 
--import java.nio.file.Files;
--import java.nio.file.FileSystems;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
- 
- import sun.security.util.Debug;
- 
-@@ -59,10 +54,21 @@
-     private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-             CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- 
--    private static final String CRYPTO_POLICIES_CONFIG =
--            CRYPTO_POLICIES_BASE_DIR + "/config";
-+    private static boolean systemFipsEnabled = false;
-+
-+    private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+    private static native boolean getSystemFIPSEnabled()
-+            throws IOException;
- 
--    private static boolean systemFipsEnabled = false;
-+    static {
-+        AccessController.doPrivileged(new PrivilegedAction<Void>() {
-+            public Void run() {
-+                System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+                return null;
-+            }
-+        });
-+    }
- 
-     /*
-      * Invoked when java.security.Security class is initialized, if
-@@ -171,17 +177,34 @@
-     }
- 
-     /*
--     * FIPS is enabled only if crypto-policies are set to "FIPS"
--     * and the com.redhat.fips property is true.
-+     * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+     * system property is true (default) and the system is in FIPS mode.
-+     *
-+     * There are 2 possible ways in which OpenJDK detects that the system
-+     * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+     * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+     * /proc/sys/crypto/fips_enabled file is read.
-      */
--    private static boolean enableFips() throws Exception {
-+    private static boolean enableFips() throws IOException {
-         boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-         if (shouldEnable) {
--            Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
--            String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
--            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
--            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
--            return pattern.matcher(cryptoPoliciesConfig).find();
-+            if (sdebug != null) {
-+                sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+            }
-+            try {
-+                shouldEnable = getSystemFIPSEnabled();
-+                if (sdebug != null) {
-+                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+                            + shouldEnable);
-+                }
-+                return shouldEnable;
-+            } catch (IOException e) {
-+                if (sdebug != null) {
-+                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+                    sdebug.println(e.getMessage());
-+                }
-+                throw e;
-+            }
-         } else {
-             return false;
-         }
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include <dlfcn.h>
-+#include <jni.h>
-+#include <jni_util.h>
-+#include <stdio.h>
-+
-+#ifdef SYSCONF_NSS
-+#include <nss3/pk11pub.h>
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class:     java_security_SystemConfigurator
-+ * Method:    JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+    JNIEnv *env;
-+    jclass sysConfCls, debugCls;
-+    jfieldID sdebugFld;
-+
-+    if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+        return JNI_EVERSION; /* JNI version not supported */
-+    }
-+
-+    sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+    if (sysConfCls == NULL) {
-+        printf("libsystemconf: SystemConfigurator class not found\n");
-+        return JNI_ERR;
-+    }
-+    sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+            "sdebug", "Lsun/security/util/Debug;");
-+    if (sdebugFld == NULL) {
-+        printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+        return JNI_ERR;
-+    }
-+    debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+    if (debugObj != NULL) {
-+        debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+        if (debugCls == NULL) {
-+            printf("libsystemconf: Debug class not found\n");
-+            return JNI_ERR;
-+        }
-+        debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+                "println", "(Ljava/lang/String;)V");
-+        if (debugPrintlnMethodID == NULL) {
-+            printf("libsystemconf: Debug::println(String) method not found\n");
-+            return JNI_ERR;
-+        }
-+        debugObj = (*env)->NewGlobalRef(env, debugObj);
-+    }
-+
-+    return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class:     java_security_SystemConfigurator
-+ * Method:    JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+    JNIEnv *env;
-+
-+    if (debugObj != NULL) {
-+        if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+            return; /* Should not happen */
-+        }
-+        (*env)->DeleteGlobalRef(env, debugObj);
-+    }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+  (JNIEnv *env, jclass cls)
-+{
-+    int fips_enabled;
-+    char msg[MSG_MAX_SIZE];
-+    int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+    fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+        dbgPrint(env, msg);
-+    } else {
-+        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+                " SECMOD_GetSystemFIPSEnabled return value");
-+    }
-+    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+    FILE *fe;
-+
-+    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+        throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+    }
-+    fips_enabled = fgetc(fe);
-+    fclose(fe);
-+    if (fips_enabled == EOF) {
-+        throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+    }
-+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+            " read character is '%c'", fips_enabled);
-+    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+        dbgPrint(env, msg);
-+    } else {
-+        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+                " read character");
-+    }
-+    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+    jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+    if (cls != 0)
-+        (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+    jstring jMsg;
-+    if (debugObj != NULL) {
-+        jMsg = (*env)->NewStringUTF(env, msg);
-+        CHECK_NULL(jMsg);
-+        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+    }
-+}

SOURCES/rh1929465-improve_system_FIPS_detection-root.patch

@@ -1,152 +0,0 @@
-diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
---- openjdk.orig/common/autoconf/configure.ac
-+++ openjdk/common/autoconf/configure.ac
-@@ -212,6 +212,7 @@
- LIB_SETUP_ALSA
- LIB_SETUP_FONTCONFIG
- LIB_SETUP_MISC_LIBS
-+LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_STATIC_LINK_LIBSTDCPP
- LIB_SETUP_ON_WINDOWS
- 
-diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
---- openjdk.orig/common/autoconf/libraries.m4
-+++ openjdk/common/autoconf/libraries.m4
-@@ -1067,3 +1067,63 @@
-     BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
-   fi
- ])
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+  ###############################################################################
-+  #
-+  # Check for the NSS library
-+  #
-+
-+  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+  # default is not available
-+  DEFAULT_SYSCONF_NSS=no
-+
-+  AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+     [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+  [
-+    case "${enableval}" in
-+      yes)
-+        sysconf_nss=yes
-+        ;;
-+      *)
-+        sysconf_nss=no
-+        ;;
-+    esac
-+  ],
-+  [
-+    sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+  ])
-+  AC_MSG_RESULT([$sysconf_nss])
-+
-+  USE_SYSCONF_NSS=false
-+  if test "x${sysconf_nss}" = "xyes"; then
-+      PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+      if test "x${NSS_FOUND}" = "xyes"; then
-+         AC_MSG_CHECKING([for system FIPS support in NSS])
-+         saved_libs="${LIBS}"
-+         saved_cflags="${CFLAGS}"
-+         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+         LIBS="${LIBS} ${NSS_LIBS}"
-+         AC_LANG_PUSH([C])
-+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
-+                                         [[SECMOD_GetSystemFIPSEnabled()]])],
-+                        [AC_MSG_RESULT([yes])],
-+                        [AC_MSG_RESULT([no])
-+                        AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+         AC_LANG_POP([C])
-+         CFLAGS="${saved_cflags}"
-+         LIBS="${saved_libs}"
-+         USE_SYSCONF_NSS=true
-+      else
-+         dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+         dnl in nss3/pk11pub.h.
-+         AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+      fi
-+  fi
-+  AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
---- openjdk.orig/common/autoconf/spec.gmk.in
-+++ openjdk/common/autoconf/spec.gmk.in
-@@ -312,6 +312,10 @@
- ALSA_LIBS:=@ALSA_LIBS@
- ALSA_CFLAGS:=@ALSA_CFLAGS@
- 
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- PACKAGE_PATH=@PACKAGE_PATH@
- 
- # Source file for cacerts
-diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
---- openjdk.orig/common/bin/compare_exceptions.sh.incl
-+++ openjdk/common/bin/compare_exceptions.sh.incl
-@@ -280,6 +280,7 @@
- ./jre/lib/i386/libsplashscreen.so
- ./jre/lib/i386/libsunec.so
- ./jre/lib/i386/libsunwjdga.so
-+./jre/lib/i386/libsystemconf.so
- ./jre/lib/i386/libt2k.so
- ./jre/lib/i386/libunpack.so
- ./jre/lib/i386/libverify.so
-@@ -433,6 +434,7 @@
- ./jre/lib/amd64/libsplashscreen.so
- ./jre/lib/amd64/libsunec.so
- ./jre/lib/amd64/libsunwjdga.so
-+//jre/lib/amd64/libsystemconf.so
- ./jre/lib/amd64/libt2k.so
- ./jre/lib/amd64/libunpack.so
- ./jre/lib/amd64/libverify.so
-@@ -587,6 +589,7 @@
- ./jre/lib/sparc/libsplashscreen.so
- ./jre/lib/sparc/libsunec.so
- ./jre/lib/sparc/libsunwjdga.so
-+./jre/lib/sparc/libsystemconf.so
- ./jre/lib/sparc/libt2k.so
- ./jre/lib/sparc/libunpack.so
- ./jre/lib/sparc/libverify.so
-@@ -741,6 +744,7 @@
- ./jre/lib/sparcv9/libsplashscreen.so
- ./jre/lib/sparcv9/libsunec.so
- ./jre/lib/sparcv9/libsunwjdga.so
-+./jre/lib/sparcv9/libsystemconf.so
- ./jre/lib/sparcv9/libt2k.so
- ./jre/lib/sparcv9/libunpack.so
- ./jre/lib/sparcv9/libverify.so
-diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
---- openjdk.orig/common/nb_native/nbproject/configurations.xml
-+++ openjdk/common/nb_native/nbproject/configurations.xml
-@@ -53,6 +53,9 @@
-                   <in>jvmtiEnterTrace.cpp</in>
-                 </df>
-               </df>
-+              <df name="libsystemconf">
-+                <in>systemconf.c</in>
-+              </df>
-             </df>
-           </df>
-           <df name="jdk">
-@@ -12772,6 +12775,11 @@
-             tool="0"
-             flavor2="0">
-       </item>
-+      <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
-+            ex="false"
-+            tool="0"
-+            flavor2="0">
-+      </item>
-       <item path="../../jdk/src/share/native/java/util/TimeZone.c"
-             ex="false"
-             tool="0"

SOURCES/rh1991003-enable_fips_keys_import.patch

@@ -1,583 +0,0 @@
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -78,6 +78,10 @@
-                 public boolean isSystemFipsEnabled() {
-                     return SystemConfigurator.isSystemFipsEnabled();
-                 }
-+                @Override
-+                public boolean isPlainKeySupportEnabled() {
-+                    return SystemConfigurator.isPlainKeySupportEnabled();
-+                }
-             });
- 
-         // doPrivileged here because there are multiple
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@
-             CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- 
-     private static boolean systemFipsEnabled = false;
-+    private static boolean plainKeySupportEnabled = false;
- 
-     private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
- 
-@@ -149,6 +150,16 @@
-                 }
-                 loadedProps = true;
-                 systemFipsEnabled = true;
-+                String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+                                                            "true");
-+                plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+                if (sdebug != null) {
-+                    if (plainKeySupportEnabled) {
-+                        sdebug.println("FIPS support enabled with plain key support");
-+                    } else {
-+                        sdebug.println("FIPS support enabled without plain key support");
-+                    }
-+                }
-             }
-         } catch (Exception e) {
-             if (sdebug != null) {
-@@ -176,6 +187,19 @@
-         return systemFipsEnabled;
-     }
- 
-+    /**
-+     * Returns {@code true} if system FIPS alignment is enabled
-+     * and plain key support is allowed.  Plain key support is
-+     * enabled by default but can be disabled with
-+     * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+     *
-+     * @return a boolean indicating whether plain key support
-+     *         should be enabled.
-+     */
-+    static boolean isPlainKeySupportEnabled() {
-+        return plainKeySupportEnabled;
-+    }
-+
-     /*
-      * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-      * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
---- openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@
- 
- public interface JavaSecuritySystemConfiguratorAccess {
-     boolean isSystemFipsEnabled();
-+    boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+    private static final Debug debug =
-+            Debug.getInstance("sunpkcs11");
-+
-+    private static P11Key importerKey = null;
-+    private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+    private static CK_MECHANISM importerKeyMechanism = null;
-+    private static Cipher importerCipher = null;
-+
-+    private static Provider sunECProvider = null;
-+    private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+    private static KeyFactory DHKF = null;
-+    private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+    static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+            throws PKCS11Exception {
-+        long keyID = -1;
-+        Token token = sunPKCS11.getToken();
-+        if (debug != null) {
-+            debug.println("Private or Secret key will be imported in" +
-+                    " system FIPS mode.");
-+        }
-+        if (importerKey == null) {
-+            importerKeyLock.lock();
-+            try {
-+                if (importerKey == null) {
-+                    if (importerKeyMechanism == null) {
-+                        // Importer Key creation has not been tried yet. Try it.
-+                        createImporterKey(token);
-+                    }
-+                    if (importerKey == null || importerCipher == null) {
-+                        if (debug != null) {
-+                            debug.println("Importer Key could not be" +
-+                                    " generated.");
-+                        }
-+                        throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+                    }
-+                    if (debug != null) {
-+                        debug.println("Importer Key successfully" +
-+                                " generated.");
-+                    }
-+                }
-+            } finally {
-+                importerKeyLock.unlock();
-+            }
-+        }
-+        long importerKeyID = importerKey.getKeyID();
-+        try {
-+            byte[] keyBytes = null;
-+            byte[] encKeyBytes = null;
-+            long keyClass = 0L;
-+            long keyType = 0L;
-+            Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
-+            for (CK_ATTRIBUTE attr : attributes) {
-+                if (attr.type == CKA_CLASS) {
-+                    keyClass = attr.getLong();
-+                } else if (attr.type == CKA_KEY_TYPE) {
-+                    keyType = attr.getLong();
-+                }
-+                attrsMap.put(attr.type, attr);
-+            }
-+            BigInteger v = null;
-+            if (keyClass == CKO_PRIVATE_KEY) {
-+                if (keyType == CKK_RSA) {
-+                    if (debug != null) {
-+                        debug.println("Importing an RSA private key...");
-+                    }
-+                    keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+                            KeyType.RSA,
-+                            null,
-+                            ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO
-+                            ).getEncoded();
-+                } else if (keyType == CKK_DSA) {
-+                    if (debug != null) {
-+                        debug.println("Importing a DSA private key...");
-+                    }
-+                    keyBytes = new sun.security.provider.DSAPrivateKey(
-+                            ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO
-+                            ).getEncoded();
-+                    if (token.config.getNssNetscapeDbWorkaround() &&
-+                            attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+                        attrsMap.put(CKA_NETSCAPE_DB,
-+                                new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+                    }
-+                } else if (keyType == CKK_EC) {
-+                    if (debug != null) {
-+                        debug.println("Importing an EC private key...");
-+                    }
-+                    if (sunECProvider == null) {
-+                        sunECProviderLock.lock();
-+                        try {
-+                            if (sunECProvider == null) {
-+                                sunECProvider = Security.getProvider("SunEC");
-+                            }
-+                        } finally {
-+                            sunECProviderLock.unlock();
-+                        }
-+                    }
-+                    keyBytes = P11ECUtil.generateECPrivateKey(
-+                            ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ECUtil.getECParameterSpec(sunECProvider,
-+                                    attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+                            .getEncoded();
-+                    if (token.config.getNssNetscapeDbWorkaround() &&
-+                            attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+                        attrsMap.put(CKA_NETSCAPE_DB,
-+                                new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+                    }
-+                } else if (keyType == CKK_DH) {
-+                    if (debug != null) {
-+                        debug.println("Importing a Diffie-Hellman private key...");
-+                    }
-+                    if (DHKF == null) {
-+                        DHKFLock.lock();
-+                        try {
-+                            if (DHKF == null) {
-+                                DHKF = KeyFactory.getInstance(
-+                                        "DH", P11Util.getSunJceProvider());
-+                            }
-+                        } finally {
-+                            DHKFLock.unlock();
-+                        }
-+                    }
-+                    DHPrivateKeySpec spec = new DHPrivateKeySpec
-+                            (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO,
-+                            ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+                                    ? v : BigInteger.ZERO);
-+                    keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+                    if (token.config.getNssNetscapeDbWorkaround() &&
-+                            attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+                        attrsMap.put(CKA_NETSCAPE_DB,
-+                                new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+                    }
-+                } else {
-+                    if (debug != null) {
-+                        debug.println("Unrecognized private key type.");
-+                    }
-+                    throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+                }
-+            } else if (keyClass == CKO_SECRET_KEY) {
-+                if (debug != null) {
-+                    debug.println("Importing a secret key...");
-+                }
-+                keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+            }
-+            if (keyBytes == null || keyBytes.length == 0) {
-+                if (debug != null) {
-+                    debug.println("Private or secret key plain bytes could" +
-+                            " not be obtained. Import failed.");
-+                }
-+                throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+            }
-+            importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+                    new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+                    null);
-+            attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+            attrsMap.values().toArray(attributes);
-+            encKeyBytes = importerCipher.doFinal(keyBytes);
-+            attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+                    keyClass, keyType, attributes);
-+            keyID = token.p11.C_UnwrapKey(hSession,
-+                    importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+            if (debug != null) {
-+                debug.println("Imported key ID: " + keyID);
-+            }
-+        } catch (Throwable t) {
-+            throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+        } finally {
-+            importerKey.releaseKeyID();
-+        }
-+        return Long.valueOf(keyID);
-+    }
-+
-+    private static void createImporterKey(Token token) {
-+        if (debug != null) {
-+            debug.println("Generating Importer Key...");
-+        }
-+        byte[] iv = new byte[16];
-+        JCAUtil.getSecureRandom().nextBytes(iv);
-+        importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+        try {
-+            CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+                            CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+                                    new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+                                    new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+            Session s = null;
-+            try {
-+                s = token.getObjSession();
-+                long keyID = token.p11.C_GenerateKey(
-+                        s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+                        attributes);
-+                if (debug != null) {
-+                    debug.println("Importer Key ID: " + keyID);
-+                }
-+                importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+                        256 >> 3, null);
-+            } catch (PKCS11Exception e) {
-+                // best effort
-+            } finally {
-+                token.releaseSession(s);
-+            }
-+            if (importerKey != null) {
-+                importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+            }
-+        } catch (Throwable t) {
-+            // best effort
-+            importerKey = null;
-+            importerCipher = null;
-+            // importerKeyMechanism value is kept initialized to indicate that
-+            // Importer Key creation has been tried and failed.
-+        }
-+    }
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
- 
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
- 
- import java.security.*;
-@@ -63,6 +66,26 @@
-     private static final boolean systemFipsEnabled = SharedSecrets
-             .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
- 
-+    private static final boolean plainKeySupportEnabled = SharedSecrets
-+            .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+    private static final MethodHandle fipsImportKey;
-+    static {
-+        MethodHandle fipsImportKeyTmp = null;
-+        if (plainKeySupportEnabled) {
-+            try {
-+                fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+                        FIPSKeyImporter.class, "importKey",
-+                        MethodType.methodType(Long.class, SunPKCS11.class,
-+                        long.class, CK_ATTRIBUTE[].class));
-+            } catch (Throwable t) {
-+                throw new SecurityException("FIPS key importer initialization" +
-+                        " failed", t);
-+            }
-+        }
-+        fipsImportKey = fipsImportKeyTmp;
-+    }
-+
-     private static final long serialVersionUID = -1354835039035306505L;
- 
-     static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -314,10 +337,15 @@
-             // request multithreaded access first
-             initArgs.flags = CKF_OS_LOCKING_OK;
-             PKCS11 tmpPKCS11;
-+            MethodHandle fipsKeyImporter = null;
-+            if (plainKeySupportEnabled) {
-+                fipsKeyImporter = MethodHandles.insertArguments(
-+                        fipsImportKey, 0, this);
-+            }
-             try {
-                 tmpPKCS11 = PKCS11.getInstance(
-                     library, functionList, initArgs,
--                    config.getOmitInitialize());
-+                    config.getOmitInitialize(), fipsKeyImporter);
-             } catch (PKCS11Exception e) {
-                 if (debug != null) {
-                     debug.println("Multi-threaded initialization failed: " + e);
-@@ -333,7 +361,7 @@
-                     initArgs.flags = 0;
-                 }
-                 tmpPKCS11 = PKCS11.getInstance(library,
--                    functionList, initArgs, config.getOmitInitialize());
-+                    functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
-             }
-             p11 = tmpPKCS11;
- 
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@
- 
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
- 
- import java.security.AccessController;
-@@ -147,16 +148,28 @@
- 
-     public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-             String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
--            boolean omitInitialize) throws IOException, PKCS11Exception {
-+            boolean omitInitialize, MethodHandle fipsKeyImporter)
-+                    throws IOException, PKCS11Exception {
-         // we may only call C_Initialize once per native .so/.dll
-         // so keep a cache using the (non-canonicalized!) path
-         PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
-         if (pkcs11 == null) {
-+            boolean nssFipsMode = fipsKeyImporter != null;
-             if ((pInitArgs != null)
-                     && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
--                pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+                if (nssFipsMode) {
-+                    pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+                            fipsKeyImporter);
-+                } else {
-+                    pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+                }
-             } else {
--                pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+                if (nssFipsMode) {
-+                    pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+                            functionList, fipsKeyImporter);
-+                } else {
-+                    pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+                }
-             }
-             if (omitInitialize == false) {
-                 try {
-@@ -1905,4 +1918,69 @@
-         super.C_GenerateRandom(hSession, randomData);
-     }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+    private MethodHandle fipsKeyImporter;
-+    FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+            MethodHandle fipsKeyImporter) throws IOException {
-+        super(pkcs11ModulePath, functionListName);
-+        this.fipsKeyImporter = fipsKeyImporter;
-+    }
-+
-+    public synchronized long C_CreateObject(long hSession,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+        // Creating sensitive key objects from plain key material in a
-+        // FIPS-configured NSS Software Token is not allowed. We apply
-+        // a key-unwrapping scheme to achieve so.
-+        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+            try {
-+                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+                        .longValue();
-+            } catch (Throwable t) {
-+                throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+            }
-+        }
-+        return super.C_CreateObject(hSession, pTemplate);
-+    }
- }
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+    private MethodHandle fipsKeyImporter;
-+    SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+            MethodHandle fipsKeyImporter) throws IOException {
-+        super(pkcs11ModulePath, functionListName);
-+        this.fipsKeyImporter = fipsKeyImporter;
-+    }
-+
-+    public synchronized long C_CreateObject(long hSession,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+        // See FIPSPKCS11::C_CreateObject.
-+        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+            try {
-+                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+                        .longValue();
-+            } catch (Throwable t) {
-+                throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+            }
-+        }
-+        return super.C_CreateObject(hSession, pTemplate);
-+    }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+    static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+        for (CK_ATTRIBUTE attr : pTemplate) {
-+            if (attr.type == CKA_CLASS &&
-+                    (attr.getLong() == CKO_PRIVATE_KEY ||
-+                    attr.getLong() == CKO_SECRET_KEY)) {
-+                return true;
-+            }
-+        }
-+        return false;
-+    }
-+}
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@
- 
- import javax.net.ssl.*;
- 
-+import sun.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- 
-+    private static final boolean plainKeySupportEnabled = SharedSecrets
-+            .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-     X509ExtendedKeyManager keyManager;
-     boolean isInitialized;
- 
-@@ -62,7 +67,8 @@
-                 KeyStoreException, NoSuchAlgorithmException,
-                 UnrecoverableKeyException {
-             if ((ks != null) && SunJSSE.isFIPS()) {
--                if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+                if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+                        !plainKeySupportEnabled) {
-                     throw new KeyStoreException("FIPS mode: KeyStore must be "
-                         + "from provider " + SunJSSE.cryptoProvider.getName());
-                 }
-@@ -91,8 +97,8 @@
-                 keyManager = new X509KeyManagerImpl(
-                         Collections.<Builder>emptyList());
-             } else {
--                if (SunJSSE.isFIPS() &&
--                        (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+                if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+                        && !plainKeySupportEnabled) {
-                     throw new KeyStoreException(
-                         "FIPS mode: KeyStore must be " +
-                         "from provider " + SunJSSE.cryptoProvider.getName());

SOURCES/rh1996182-login_to_nss_software_token.patch

@@ -1,55 +0,0 @@
-# HG changeset patch
-# User mbalao
-# Date 1630103180 -3600
-#      Fri Aug 27 23:26:20 2021 +0100
-# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
-# Parent  c90394a76ee02a689f95199559d5724824b4b25e
-RH1996182: Login to the NSS Software Token in FIPS Mode
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -42,6 +42,8 @@
- import javax.security.auth.callback.PasswordCallback;
- import javax.security.auth.callback.TextOutputCallback;
- 
-+import sun.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- 
-@@ -58,6 +60,9 @@
-  */
- public final class SunPKCS11 extends AuthProvider {
- 
-+    private static final boolean systemFipsEnabled = SharedSecrets
-+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
-     private static final long serialVersionUID = -1354835039035306505L;
- 
-     static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -368,6 +373,24 @@
-             if (nssModule != null) {
-                 nssModule.setProvider(this);
-             }
-+            if (systemFipsEnabled) {
-+                // The NSS Software Token in FIPS 140-2 mode requires a user
-+                // login for most operations. See sftk_fipsCheck. The NSS DB
-+                // (/etc/pki/nssdb) PIN is empty.
-+                Session session = null;
-+                try {
-+                    session = token.getOpSession();
-+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
-+                } catch (PKCS11Exception p11e) {
-+                    if (debug != null) {
-+                        debug.println("Error during token login: " +
-+                                p11e.getMessage());
-+                    }
-+                    throw p11e;
-+                } finally {
-+                    token.releaseSession(session);
-+                }
-+            }
-         } catch (Exception e) {
-             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
-                 throw new UnsupportedOperationException

SOURCES/rh2021263-fips_ensure_security_initialised.patch

@@ -1,28 +0,0 @@
-commit 06c2decab204fcce5aca2d285953fcac1820b1ae
-Author: Andrew John Hughes <andrew@openjdk.org>
-Date:   Mon Jan 24 01:23:28 2022 +0000
-
-    RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-index 40ca609e02..0dafe6f59c 100644
---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -31,6 +31,7 @@ import java.io.Console;
- import java.io.FileDescriptor;
- import java.io.ObjectInputStream;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
- 
- import java.security.AccessController;
-@@ -255,6 +256,9 @@ public class SharedSecrets {
-     }
- 
-     public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+        if (javaSecuritySystemConfiguratorAccess == null) {
-+            unsafe.ensureClassInitialized(Security.class);
-+        }
-         return javaSecuritySystemConfiguratorAccess;
-     }
- }

SOURCES/rh2021263-fips_missing_native_returns.patch

@@ -1,24 +0,0 @@
-commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
-Author: Fridrich Strba <fstrba@suse.com>
-Date:   Mon Jan 24 01:10:57 2022 +0000
-
-    RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-index 6f4656bfcb..34d0ff0ce9 100644
---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
-     dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-     if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+        return JNI_FALSE;
-     }
-     fips_enabled = fgetc(fe);
-     fclose(fe);
-     if (fips_enabled == EOF) {
-         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+        return JNI_FALSE;
-     }
-     msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-             " read character is '%c'", fips_enabled);

SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch

@@ -1,98 +0,0 @@
-commit aaf92165ad1cbb1c9818eb60178c91293e13b053
-Author: Andrew John Hughes <andrew@openjdk.org>
-Date:   Mon Jan 24 15:13:14 2022 +0000
-
-    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
-index fa494b680f..b5aa5c749d 100644
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -57,10 +57,6 @@ public final class Security {
-     private static final Debug sdebug =
-                         Debug.getInstance("properties");
- 
--    /* System property file*/
--    private static final String SYSTEM_PROPERTIES =
--        "/etc/crypto-policies/back-ends/java.config";
--
-     /* The java.security properties */
-     private static Properties props;
- 
-@@ -202,13 +198,6 @@ public final class Security {
-             }
-         }
- 
--        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
--        if (disableSystemProps == null &&
--            "true".equalsIgnoreCase(props.getProperty
--                ("security.useSystemPropertiesFile"))) {
--            loadedProps = loadedProps && SystemConfigurator.configure(props);
--        }
--
-         if (!loadedProps) {
-             initializeStatic();
-             if (sdebug != null) {
-@@ -217,6 +206,28 @@ public final class Security {
-             }
-         }
- 
-+        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-+            if (!SystemConfigurator.configureSysProps(props)) {
-+                if (sdebug != null) {
-+                    sdebug.println("WARNING: System properties could not be loaded.");
-+                }
-+            }
-+        }
-+
-+        // FIPS support depends on the contents of java.security so
-+        // ensure it has loaded first
-+        if (loadedProps) {
-+            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+             if (sdebug != null) {
-+                if (fipsEnabled) {
-+                    sdebug.println("FIPS support enabled.");
-+                } else {
-+                    sdebug.println("FIPS support disabled.");
-+                }
-+             }
-+        }
-     }
- 
-     /*
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-index d1f677597d..7da65b1d2c 100644
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
-      * java.security.disableSystemPropertiesFile property is not set and
-      * security.useSystemPropertiesFile is true.
-      */
--    static boolean configure(Properties props) {
-+    static boolean configureSysProps(Properties props) {
-         boolean loadedProps = false;
- 
-         try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
-                 e.printStackTrace();
-             }
-         }
-+        return loadedProps;
-+    }
-+
-+    /*
-+     * Invoked at the end of java.security.Security initialisation
-+     * if java.security properties have been loaded
-+     */
-+    static boolean configureFIPS(Properties props) {
-+        boolean loadedProps = false;
- 
-         try {
-             if (enableFips()) {
-                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }
--                loadedProps = false;
-                 // Remove all security providers
-                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
-                 while (i.hasNext()) {

SOURCES/rh2052829-fips_runtime_nss_detection.patch

@@ -1,220 +0,0 @@
-commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
-Author: Andrew John Hughes <andrew@openjdk.org>
-Date:   Mon Feb 28 05:50:10 2022 +0000
-
-    RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-index 34d0ff0ce9..8dcb7d9073 100644
---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -23,25 +23,99 @@
-  * questions.
-  */
- 
--#include <dlfcn.h>
- #include <jni.h>
- #include <jni_util.h>
-+#include "jvm_md.h"
- #include <stdio.h>
- 
- #ifdef SYSCONF_NSS
- #include <nss3/pk11pub.h>
-+#else
-+#include <dlfcn.h>
- #endif //SYSCONF_NSS
- 
- #include "java_security_SystemConfigurator.h"
- 
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
- 
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
- 
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+    jstring jMsg;
-+    if (debugObj != NULL) {
-+        jMsg = (*env)->NewStringUTF(env, msg);
-+        CHECK_NULL(jMsg);
-+        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+    }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+    jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+    if (cls != 0)
-+        (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+  if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+    dbgPrint(env, msg);
-+  } else {
-+    dbgPrint(env, "systemconf: cannot render message");
-+  }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+  char msg[MSG_MAX_SIZE];
-+  int msg_bytes;
-+  const char* errmsg;
-+
-+  nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+  if (nss_handle == NULL) {
-+    errmsg = dlerror();
-+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+                         errmsg);
-+    handle_msg(env, msg, msg_bytes);
-+    return JNI_FALSE;
-+  }
-+  dlerror(); /* Clear errors */
-+  getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+  if ((errmsg = dlerror()) != NULL) {
-+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+                         errmsg);
-+    handle_msg(env, msg, msg_bytes);
-+    return JNI_FALSE;
-+  }
-+  return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+  char msg[MSG_MAX_SIZE];
-+  int msg_bytes;
-+  const char* errmsg;
-+
-+  if (dlclose(nss_handle) != 0) {
-+    errmsg = dlerror();
-+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+                         errmsg);
-+    handle_msg(env, msg, msg_bytes);
-+  }
-+}
-+
-+#endif
- 
- /*
-  * Class:     java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-         debugObj = (*env)->NewGlobalRef(env, debugObj);
-     }
- 
-+#ifdef SYSCONF_NSS
-+    getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+    if (loadNSS(env) == JNI_FALSE) {
-+      dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+    }
-+#endif
-+
-     return (*env)->GetVersion(env);
- }
- 
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-         if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-             return; /* Should not happen */
-         }
-+#ifndef SYSCONF_NSS
-+        closeNSS(env);
-+#endif
-         (*env)->DeleteGlobalRef(env, debugObj);
-     }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
-     char msg[MSG_MAX_SIZE];
-     int msg_bytes;
- 
--#ifdef SYSCONF_NSS
--
--    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
--    fips_enabled = SECMOD_GetSystemFIPSEnabled();
--    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
--            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
--    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
--        dbgPrint(env, msg);
-+    if (getSystemFIPSEnabled != NULL) {
-+      dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+      fips_enabled = (*getSystemFIPSEnabled)();
-+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
-+                           " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+      handle_msg(env, msg, msg_bytes);
-+      return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-     } else {
--        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
--                " SECMOD_GetSystemFIPSEnabled return value");
--    }
--    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+      FILE *fe;
- 
--    FILE *fe;
--
--    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
--    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-         return JNI_FALSE;
--    }
--    fips_enabled = fgetc(fe);
--    fclose(fe);
--    if (fips_enabled == EOF) {
-+      }
-+      fips_enabled = fgetc(fe);
-+      fclose(fe);
-+      if (fips_enabled == EOF) {
-         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-         return JNI_FALSE;
--    }
--    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
--            " read character is '%c'", fips_enabled);
--    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
--        dbgPrint(env, msg);
--    } else {
--        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
--                " read character");
--    }
--    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
--    jclass cls = (*env)->FindClass(env, "java/io/IOException");
--    if (cls != 0)
--        (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
--    jstring jMsg;
--    if (debugObj != NULL) {
--        jMsg = (*env)->NewStringUTF(env, msg);
--        CHECK_NULL(jMsg);
--        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+      }
-+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
-+                           " read character is '%c'", fips_enabled);
-+      handle_msg(env, msg, msg_bytes);
-+      return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-     }
- }

SPECS/java-1.8.0-openjdk.spec

@@ -23,6 +23,8 @@
 %bcond_with artifacts
 # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
 %bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
 
 # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
 %if %{with fresh_libjvm}
@@ -31,6 +33,16 @@
 %global build_hotspot_first 0
 %endif
 
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global jpeg_lib |libjavajpeg[.]so.*
+%else
+%global system_libs 0
+%global link_type bundled
+%global jpeg_lib |libjpeg[.]so.*
+%endif
+
 # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
 # This fixes detailed NMT and other tools which need minimal debug info.
 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -150,11 +162,15 @@
 # Build and test slowdebug first as it provides the best diagnostics
 %global build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
 
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
 %ifarch %{bootstrap_arches}
 %global bootstrap_build true
 %else
 %global bootstrap_build false
 %endif
+%endif
 
 %global bootstrap_targets images
 %global release_targets images docs-zip
@@ -265,11 +281,15 @@
 # New Version-String scheme-style defines
 %global majorver 8
 
-# Standard JPackage naming and versioning defines.
+# Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 
+# Settings for local security configuration
+%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os}
+%global cacerts_file /etc/pki/java/cacerts
+
 # Define vendor information used by OpenJDK
 %global oj_vendor Red Hat, Inc.
 %global oj_vendor_url "https://www.redhat.com/"
@@ -291,15 +311,18 @@
 %endif
 
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
-%global shenandoah_project	openjdk
-%global shenandoah_repo		shenandoah-jdk8u
-%global shenandoah_revision    	aarch64-shenandoah-jdk8u322-b06
+%global shenandoah_project      openjdk
+%global shenandoah_repo         shenandoah-jdk8u
+%global openjdk_revision        jdk8u352-b08
+%global shenandoah_revision     shenandoah-%{openjdk_revision}
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
 %global repo            %{shenandoah_repo}
 %global revision        %{shenandoah_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop files
 %global icedteaver      3.15.0
+# Define current Git revision for the FIPS support patches
+%global fipsver 6d1aade0648
 
 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
 %global version_tag     %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@@ -309,7 +332,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      11
+%global rpmrelease      2
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -349,8 +372,7 @@
 # as to why some libraries *cannot* be excluded. In particular,
 # these are:
 # libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
-
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
 %global __provides_exclude ^(%{_privatelibs})$
 %global __requires_exclude ^(%{_privatelibs})$
 
@@ -774,6 +796,7 @@ exit 0
 %{_jvmdir}/%{jrelnk -- %{?1}}
 %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
 %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
+%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
 %dir %{_jvmdir}/%{jredir -- %{?1}}
 %dir %{_jvmdir}/%{jredir -- %{?1}}/bin
 %dir %{_jvmdir}/%{jredir -- %{?1}}/lib
@@ -856,7 +879,11 @@ exit 0
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so
+%if %{system_libs}
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so
+%else
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so
+%endif
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so
@@ -897,6 +924,7 @@ exit 0
 %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
 %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
 %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
 %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
 %{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
 %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
@@ -1097,9 +1125,10 @@ Provides: java%{?1} = %{epoch}:%{javaver}
 Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/
 Requires: javapackages-filesystem
-# Require zoneinfo data provided by tzdata-java subpackage.
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+Requires: tzdata-java >= 2022d
+# for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
 %if ! 0%{?flatpak}
@@ -1111,6 +1140,8 @@ OrderWithRequires: copy-jdk-configs
 %endif
 # for printing support
 Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
 # for FIPS PKCS11 provider
 Requires: nss
 # Post requires alternatives to install tool alternatives
@@ -1293,6 +1324,9 @@ Source16: CheckVendor.java
 # nss fips configuration file
 Source17: nss.fips.cfg.in
 
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
 Source20: repackReproduciblePolycies.sh
 
 # New versions of config files with aarch64 support. This is not upstream yet.
@@ -1320,29 +1354,26 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
 # RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
 Patch1003: rh1582504-rsa_default_for_keytool.patch
 
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{openjdk_revision} common jdk > fips-8u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy
+# PR3655: Allow use of system crypto policy to be disabled by the user
 # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
 # RH1760838: No ciphersuites available for SSLSocket in FIPS mode
-Patch1002: rh1760838-fips_default_keystore_type.patch
 # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 # RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1005: rh1906862-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
-Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
-Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
 # RH1996182: Login to the NSS software token in FIPS mode
-Patch1008: rh1996182-login_to_nss_software_token.patch
 # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
 # RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
 # RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
 # RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-8u-%{fipsver}.patch
 
 #############################################
 #
@@ -1364,11 +1395,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_
 Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch
 # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
 # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
-Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
-# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy
-Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3655: Allow use of system crypto policy to be disabled by the user
-Patch401: pr3655-toggle_system_crypto_policy.patch
+# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
+# Must be applied after crypto policy patch as it also changes java.security
+Patch539: pr2888-rh2055274-support_system_cacerts.patch
 # enable build of speculative store bypass hardened alt-java
 Patch600: rh1750419-redhat_alt_java.patch
 # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
@@ -1424,14 +1453,17 @@ Patch581: jdk8257794-remove_broken_assert.patch
 
 #############################################
 #
-# Patches appearing in 8u332
+# Patches appearing in 8u362
 #
 # This section includes patches which are present
 # in the listed OpenJDK 8u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
-Patch700: jdk8279077-missing_crash_protector_ppc.patch
+# JDK-8294357: (tz) Update Timezone Data to 2022d
+Patch2002: jdk8294357-tzdata2022d.patch
+# JDK-8295173: (tz) Update Timezone Data to 2022e
+Patch2003: jdk8295173-tzdata2022e.patch
 
 #############################################
 #
@@ -1476,12 +1508,8 @@ BuildRequires: desktop-file-utils
 BuildRequires: elfutils-devel
 BuildRequires: fontconfig-devel
 BuildRequires: freetype-devel
-BuildRequires: giflib-devel
 BuildRequires: gcc-c++
 BuildRequires: gdb
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
 BuildRequires: libxslt
 BuildRequires: libX11-devel
 BuildRequires: libXext-devel
@@ -1492,6 +1520,8 @@ BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
 # Requirement for setting up nss.cfg and nss.fips.cfg
 BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
@@ -1502,8 +1532,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+BuildRequires: tzdata-java >= 2022d
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
 
@@ -1511,6 +1542,24 @@ BuildRequires: gcc >= 4.8.3-8
 BuildRequires: systemtap-sdt-devel
 %endif
 
+%if %{system_libs}
+BuildRequires: giflib-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
+Provides: bundled(lcms2) = 2.10.0
+# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in jdk/src/share/native/sun/awt/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
 # this is always built, also during debug-only build
 # when it is built in debug-only this package is just placeholder
 %{java_rpo %{nil}}
@@ -1799,18 +1848,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/
 
 # OpenJDK patches
 
+%if %{system_libs}
 # Remove libraries that are linked
 sh %{SOURCE12}
+%endif
 
 # System library fixes
+%if %{system_libs}
 %patch201
 %patch202
 %patch203
 %patch204
-
-# System security policy fixes
-%patch400
-%patch401
+%endif
 
 %patch1
 %patch3
@@ -1839,26 +1888,21 @@ sh %{SOURCE12}
 %patch581
 %patch113
 
-# Upstreamed fixes
-%patch700
+pushd %{top_level_dir_name}
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
+# system cacerts support
+%patch539 -p1
+# tzdata updates targetted for 8u362
+%patch2002 -p1
+%patch2003 -p1
+popd
 
 # RPM-only fixes
-%patch539
 %patch600
-%patch1000
-%patch1001
-%patch1002
 %patch1003
-%patch1004
-%patch1005
-%patch1006
-%patch1007
-%patch1008
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
 
 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1920,7 +1964,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 # Setup nss.fips.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
 
+# Setup security policy
+sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
+
 %build
+
 # How many CPU's do we have?
 export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
 export NUM_PROC=${NUM_PROC:-1}
@@ -1957,12 +2005,20 @@ function buildjdk() {
     local buildjdk=${2}
     local maketargets="${3}"
     local debuglevel=${4}
+    local link_opt=${5}
 
     local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
     # Variable used in hs_err hook on build failures
     local top_builddir_abs_path=$(pwd)/${outputdir}
 
     echo "Using output directory: ${outputdir}";
+
+    if [ "x${link_opt}" = "xbundled" ] ; then
+        libc_link_opt="static";
+    else
+        libc_link_opt="dynamic";
+    fi
+
     echo "Checking build JDK ${buildjdk} is operational..."
     ${buildjdk}/bin/java -version
     echo "Using make targets: ${maketargets}"
@@ -1993,12 +2049,14 @@ function buildjdk() {
     --with-debug-level=${debuglevel} \
     --disable-sysconf-nss \
     --enable-unlimited-crypto \
-    --with-zlib=system \
-    --with-libjpeg=system \
-    --with-giflib=system \
-    --with-libpng=system \
-    --with-lcms=system \
-    --with-stdc++lib=dynamic \
+    --with-zlib=${link_opt} \
+    --with-giflib=${link_opt} \
+%if %{with system_libs}
+    --with-libjpeg=${link_opt} \
+    --with-libpng=${link_opt} \
+    --with-lcms=${link_opt} \
+%endif
+    --with-stdc++lib=${libc_link_opt} \
     --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
     --with-extra-cflags="$EXTRA_CFLAGS" \
     --with-extra-asflags="$EXTRA_ASFLAGS" \
@@ -2055,6 +2113,35 @@ function installjdk() {
 	# https://bugs.openjdk.java.net/browse/JDK-8173610
 	find ${imagepath} -iname '*.so' -exec chmod +x {} \;
 	find ${imagepath}/bin/ -exec chmod +x {} \;
+
+	# Install nss.cfg right away as we will be using the JRE above
+	install -m 644 nss.cfg ${imagepath}/jre/lib/security/
+
+	# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+	install -m 644 nss.fips.cfg ${imagepath}/jre/lib/security/
+
+	# Turn on system security properties
+	sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+	    ${imagepath}/jre/lib/security/java.security
+
+	# Use system-wide tzdata
+	mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
+	ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+
+	# Rename OpenJDK cacerts database
+	mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
+	# Install cacerts symlink needed by some apps which hard-code the path
+	ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
+
+	# add alt-java man page
+	pushd ${imagepath}
+	echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+	cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+	popd
+
+	# Print release information
+	cat ${imagepath}/release
+
     fi
 }
 
@@ -2080,6 +2167,7 @@ builddir=%{buildoutputdir -- $suffix}
 bootbuilddir=boot${builddir}
 installdir=%{installoutputdir -- $suffix}
 bootinstalldir=boot${installdir}
+link_opt="%{link_type}"
 
 # Debug builds don't need same targets as release for
 # build speed-up. We also avoid bootstrapping these
@@ -2093,35 +2181,16 @@ else
 fi
 
 if ${run_bootstrap} ; then
-  buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
+  buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
   installjdk ${bootbuilddir} ${bootinstalldir}
-  buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+  buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
   installjdk ${builddir} ${installdir}
   %{!?with_artifacts:rm -rf ${bootinstalldir}}
 else
-  buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
+  buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
   installjdk ${builddir} ${installdir}
 fi
 
-# Install nss.cfg right away as we will be using the JRE above
-export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage}
-
-# Install nss.cfg right away as we will be using the JRE above
-install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/
-
-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-install -m 644 nss.fips.cfg $JAVA_HOME/jre/lib/security/
-
-# Use system-wide tzdata
-rm $JAVA_HOME/jre/lib/tzdb.dat
-ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/jre/lib/tzdb.dat
-
-# add alt-java man page
-pushd ${JAVA_HOME}
-echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
-cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
-popd
-
 # build cycles
 done
 
@@ -2140,9 +2209,14 @@ $JAVA_HOME/bin/java TestCryptoLevel
 $JAVA_HOME/bin/javac -d . %{SOURCE14}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
 
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
 $JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
 
 # Check correct vendor values have been set
 $JAVA_HOME/bin/javac -d . %{SOURCE16}
@@ -2158,6 +2232,9 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
 if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
 %endif
 
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
 
 # Check debug symbols are present and can identify code
 find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
@@ -2274,13 +2351,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien
   done
 %endif
 
-  # Remove empty cacerts database
-  rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts
-  # Install cacerts symlink needed by some apps which hardcode the path
-  pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security
-      ln -sf /etc/pki/java/cacerts .
-  popd
-
   # Install versioned symlinks
   pushd $RPM_BUILD_ROOT%{_jvmdir}
     ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix}
@@ -2635,6 +2705,93 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Sun Oct 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-2
+- Update to shenandoah-jdk8u352-b08 (GA)
+- Update release notes for shenandoah-8u352-b08.
+- Rebase FIPS patch against 8u352-b07
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Add test to ensure timezones can be translated
+- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
+- Resolves: rhbz#2133695
+
+* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2048542
+
+* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-4
+- Sync system cacerts support with RHEL 9, disabling using -Dsecurity.systemCACerts=
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Related: rhbz#2055274
+
+* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:1.8.0.345.b01-3
+- Disable copy-jdk-configs for Flatpak builds
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102733
+
+* Wed Aug 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-2
+- Update to shenandoah-jdk8u345-b01 (GA)
+- Update release notes for 8u345-b01.
+- Resolves: rhbz#2112403
+
+* Sun Jul 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.342.b07-2
+- Update to shenandoah-jdk8u342-b07 (GA)
+- Update release notes for 8u342-b07.
+- Switch to GA mode for final release.
+- Resolves: rhbz#2106507
+
+* Sun Jul 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.342.b06-0.1.ea
+- Update to shenandoah-jdk8u342-b06 (EA)
+- Update release notes for shenandoah-8u342-b06.
+- Switch to EA mode for 8u342 pre-release builds.
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Remove redundant "REPOS" variable from tarball script
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Resolves: rhbz#2083265
+
+* Sun Jul 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b09-5
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Rebase PR2888/RH2055274 cacerts patch so it applies after the current FIPS patch
+- Perform configuration changes (e.g. nss.cfg, nss.fips.cfg, tzdb.dat) in installjdk
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Resolves: rhbz#2097152
+- Resolves: rhbz#2100675
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:1.8.0.332.b09-4
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102431
+
+* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b09-3
+- Update to shenandoah-jdk8u332-b09 (GA)
+- Update release notes for 8u332-b09.
+- Switch to GA mode for final release.
+- Resolves: rhbz#2074646
+
+* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b06-0.2.ea
+- Allow the default keystore to be configured using security.systemCACerts
+- Use of the property can now be disabled using -Djava.security.disableSystemCACerts=true
+- Resolves: rhbz#2055274
+
+* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b06-0.1.ea
+- Update to shenandoah-jdk8u332-b06 (EA)
+- Update release notes for shenandoah-8u332-b06.
+- Resolves: rhbz#2047536
+
+* Sun Apr 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b01-0.1.ea
+- Update to shenandoah-jdk8u332-b01 (EA)
+- Update release notes for shenandoah-8u332-b01.
+- Switch to EA mode.
+- Remove JDK-8279077 patch now upstream.
+- Related: rhbz#2047536
+
 * Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-11
 - Storing and restoring alterntives during update manually
 - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE