import java-1.8.0-openjdk-1.8.0.312.b02-0.1.ea.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b05-4curve.tar.xz
+SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz

.java-1.8.0-openjdk.metadata

@@ -1,2 +1,2 @@
-4f9408282a6fea81415d1aaf84e1f80fe30e83b0 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b05-4curve.tar.xz
+873cb707016be925eecfe741b891f1f01de48dea SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

SOURCES/NEWS

@@ -3,6 +3,53 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 8u312 (2021-10-19):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk8u312
+  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt
+
+* Other changes
+  - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
+  - JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime
+  - JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails
+  - JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated
+  - JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser
+  - JDK-8042557: compiler/uncommontrap/TestSpecTrapClassUnloading.java fails with: GC triggered before VM initialization completed
+  - JDK-8054118: java/net/ipv6tests/UdpTest.java failed intermittently
+  - JDK-8065215: Print warning summary at end of configure
+  - JDK-8072767: DefaultCellEditor for comboBox creates ActionEvent with wrong source object
+  - JDK-8079891: Store configure log in $BUILD/configure.log
+  - JDK-8080082: configure fails if you create an empty directory and then run configure from it
+  - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing
+  - JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address
+  - JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get
+  - JDK-8166673: The new implementation of Robot.waitForIdle() may hang
+  - JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders
+  - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
+  - JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore
+  - JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error
+  - JDK-8214418: half-closed SSLEngine status may cause application dead loop
+  - JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
+  - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr
+  - JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4
+  - JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces
+  - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
+  - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print
+  - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
+  - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
+  - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.
+  - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
+  - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
+  - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
+  - JDK-8263311: Watch registry changes for remote printers update instead of polling
+  - JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode
+  - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
+  - JDK-8265978: make test should look for more locations when searching for exit code
+  - JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport
+  - JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891
+  - JDK-8271466: StackGap test fails on aarch64 due to "-m64"
+
 New in release OpenJDK 8u302 (2021-07-20):
 ===========================================
 Live versions of these release notes can be found at:
@@ -10,6 +57,20 @@ Live versions of these release notes can be found at:
   * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u302.txt
 
 * Security fixes
+  - JDK-8256157: Improve bytecode assembly
+  - JDK-8256491: Better HTTP transport
+  - JDK-8258432, CVE-2021-2341: Improve file transfers
+  - JDK-8260453: Improve Font Bounding
+  - JDK-8260960: Signs of jarsigner signing
+  - JDK-8260967, CVE-2021-2369: Better jar file validation
+  - JDK-8262380: Enhance XML processing passes
+  - JDK-8262403: Enhanced data transfer
+  - JDK-8262410: Enhanced rules for zones
+  - JDK-8262477: Enhance String Conclusions
+  - JDK-8262967: Improve Zip file support
+  - JDK-8264066, CVE-2021-2388: Enhance compiler validation
+  - JDK-8264079: Improve abstractions
+  - JDK-8264460: Improve NTLM support
 * Other changes
   - JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream
   - JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome
@@ -139,7 +200,12 @@ Live versions of these release notes can be found at:
   - JDK-8266929: Unable to use algorithms from 3p providers
   - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
   - JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM
+  - JDK-8267545: [8u] Enable Xcode 12 builds on macOS
   - JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode
+  - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457
+  - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow
+  - JDK-8269468: JDK-8269388 breaks the build on older GCCs
+  - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
 * Shenandoah
   - [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState
   - [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp
@@ -171,7 +237,7 @@ Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
 Alias Name: verisignclass3ca [jdk]
 Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
 
-Alias Name: verisignclass3g2caÂ[jdk]
+Alias Name: verisignclass3g2ca [jdk]
 Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
 
 Alias Name: verisigntsaca [jdk]
@@ -204,6 +270,10 @@ U+000007F that were previously encoded using UTF-8 may need to either
 be modified to perform the UTF-8 conversion, or set the Java security
 property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
 
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
 JDK-8244460: Support for certificate_authorities Extension
 ==========================================================
 The "certificate_authorities" extension is an optional extension

SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch

@@ -0,0 +1,344 @@
+diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
+--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
++++ openjdk/jdk/make/lib/SecurityLibraries.gmk
+@@ -289,3 +289,34 @@
+ 
+   endif
+ endif
++
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++  LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++  LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++  $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
++      LIBRARY := systemconf, \
++      OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
++      SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
++      LANG := C, \
++      OPTIMIZATION := LOW, \
++      CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++      CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++      MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
++      LDFLAGS := $(LDFLAGS_JDKLIB) \
++          $(call SET_SHARED_LIBRARY_ORIGIN), \
++      LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
++      OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
++      DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
++
++  BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
++endif
++
+diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
+@@ -0,0 +1,35 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation.  Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++# Define public interface.
++
++SUNWprivate_1.1 {
++	global:
++		DEF_JNI_OnLoad;
++		DEF_JNI_OnUnLoad;
++		Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
++	local:
++		*;
++};
+diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+  *
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+@@ -30,14 +30,9 @@
+ import java.io.FileInputStream;
+ import java.io.IOException;
+ 
+-import java.nio.file.Files;
+-import java.nio.file.FileSystems;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+ 
+ import sun.security.util.Debug;
+ 
+@@ -59,10 +54,21 @@
+     private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+             CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+ 
+-    private static final String CRYPTO_POLICIES_CONFIG =
+-            CRYPTO_POLICIES_BASE_DIR + "/config";
++    private static boolean systemFipsEnabled = false;
++
++    private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++    private static native boolean getSystemFIPSEnabled()
++            throws IOException;
+ 
+-    private static boolean systemFipsEnabled = false;
++    static {
++        AccessController.doPrivileged(new PrivilegedAction<Void>() {
++            public Void run() {
++                System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++                return null;
++            }
++        });
++    }
+ 
+     /*
+      * Invoked when java.security.Security class is initialized, if
+@@ -171,17 +177,34 @@
+     }
+ 
+     /*
+-     * FIPS is enabled only if crypto-policies are set to "FIPS"
+-     * and the com.redhat.fips property is true.
++     * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++     * system property is true (default) and the system is in FIPS mode.
++     *
++     * There are 2 possible ways in which OpenJDK detects that the system
++     * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++     * available at OpenJDK's built-time, it is called; 2) otherwise, the
++     * /proc/sys/crypto/fips_enabled file is read.
+      */
+-    private static boolean enableFips() throws Exception {
++    private static boolean enableFips() throws IOException {
+         boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+         if (shouldEnable) {
+-            Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+-            String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+-            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+-            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+-            return pattern.matcher(cryptoPoliciesConfig).find();
++            if (sdebug != null) {
++                sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++            }
++            try {
++                shouldEnable = getSystemFIPSEnabled();
++                if (sdebug != null) {
++                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++                            + shouldEnable);
++                }
++                return shouldEnable;
++            } catch (IOException e) {
++                if (sdebug != null) {
++                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++                    sdebug.println(e.getMessage());
++                }
++                throw e;
++            }
+         } else {
+             return false;
+         }
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <dlfcn.h>
++#include <jni.h>
++#include <jni_util.h>
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class:     java_security_SystemConfigurator
++ * Method:    JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++    JNIEnv *env;
++    jclass sysConfCls, debugCls;
++    jfieldID sdebugFld;
++
++    if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++        return JNI_EVERSION; /* JNI version not supported */
++    }
++
++    sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++    if (sysConfCls == NULL) {
++        printf("libsystemconf: SystemConfigurator class not found\n");
++        return JNI_ERR;
++    }
++    sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++            "sdebug", "Lsun/security/util/Debug;");
++    if (sdebugFld == NULL) {
++        printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++        return JNI_ERR;
++    }
++    debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++    if (debugObj != NULL) {
++        debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++        if (debugCls == NULL) {
++            printf("libsystemconf: Debug class not found\n");
++            return JNI_ERR;
++        }
++        debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++                "println", "(Ljava/lang/String;)V");
++        if (debugPrintlnMethodID == NULL) {
++            printf("libsystemconf: Debug::println(String) method not found\n");
++            return JNI_ERR;
++        }
++        debugObj = (*env)->NewGlobalRef(env, debugObj);
++    }
++
++    return (*env)->GetVersion(env);
++}
++
++/*
++ * Class:     java_security_SystemConfigurator
++ * Method:    JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++    JNIEnv *env;
++
++    if (debugObj != NULL) {
++        if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++            return; /* Should not happen */
++        }
++        (*env)->DeleteGlobalRef(env, debugObj);
++    }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++  (JNIEnv *env, jclass cls)
++{
++    int fips_enabled;
++    char msg[MSG_MAX_SIZE];
++    int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++    fips_enabled = SECMOD_GetSystemFIPSEnabled();
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++        dbgPrint(env, msg);
++    } else {
++        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++                " SECMOD_GetSystemFIPSEnabled return value");
++    }
++    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++    FILE *fe;
++
++    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++        throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++    }
++    fips_enabled = fgetc(fe);
++    fclose(fe);
++    if (fips_enabled == EOF) {
++        throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++    }
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++            " read character is '%c'", fips_enabled);
++    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++        dbgPrint(env, msg);
++    } else {
++        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++                " read character");
++    }
++    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++    jclass cls = (*env)->FindClass(env, "java/io/IOException");
++    if (cls != 0)
++        (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++    jstring jMsg;
++    if (debugObj != NULL) {
++        jMsg = (*env)->NewStringUTF(env, msg);
++        CHECK_NULL(jMsg);
++        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++    }
++}

SOURCES/rh1929465-improve_system_FIPS_detection-root.patch

@@ -0,0 +1,152 @@
+diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
+--- openjdk.orig/common/autoconf/configure.ac
++++ openjdk/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+ 
+diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
+--- openjdk.orig/common/autoconf/libraries.m4
++++ openjdk/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@
+     BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+   fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++  ###############################################################################
++  #
++  # Check for the NSS library
++  #
++
++  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++  # default is not available
++  DEFAULT_SYSCONF_NSS=no
++
++  AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++     [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++  [
++    case "${enableval}" in
++      yes)
++        sysconf_nss=yes
++        ;;
++      *)
++        sysconf_nss=no
++        ;;
++    esac
++  ],
++  [
++    sysconf_nss=${DEFAULT_SYSCONF_NSS}
++  ])
++  AC_MSG_RESULT([$sysconf_nss])
++
++  USE_SYSCONF_NSS=false
++  if test "x${sysconf_nss}" = "xyes"; then
++      PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++      if test "x${NSS_FOUND}" = "xyes"; then
++         AC_MSG_CHECKING([for system FIPS support in NSS])
++         saved_libs="${LIBS}"
++         saved_cflags="${CFLAGS}"
++         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++         LIBS="${LIBS} ${NSS_LIBS}"
++         AC_LANG_PUSH([C])
++         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++                                         [[SECMOD_GetSystemFIPSEnabled()]])],
++                        [AC_MSG_RESULT([yes])],
++                        [AC_MSG_RESULT([no])
++                        AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++         AC_LANG_POP([C])
++         CFLAGS="${saved_cflags}"
++         LIBS="${saved_libs}"
++         USE_SYSCONF_NSS=true
++      else
++         dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++         dnl in nss3/pk11pub.h.
++         AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++      fi
++  fi
++  AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
+--- openjdk.orig/common/autoconf/spec.gmk.in
++++ openjdk/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+ 
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+ 
+ # Source file for cacerts
+diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
+--- openjdk.orig/common/bin/compare_exceptions.sh.incl
++++ openjdk/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
+--- openjdk.orig/common/nb_native/nbproject/configurations.xml
++++ openjdk/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+                   <in>jvmtiEnterTrace.cpp</in>
+                 </df>
+               </df>
++              <df name="libsystemconf">
++                <in>systemconf.c</in>
++              </df>
+             </df>
+           </df>
+           <df name="jdk">
+@@ -12772,6 +12775,11 @@
+             tool="0"
+             flavor2="0">
+       </item>
++      <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
++            ex="false"
++            tool="0"
++            flavor2="0">
++      </item>
+       <item path="../../jdk/src/share/native/java/util/TimeZone.c"
+             ex="false"
+             tool="0"

SOURCES/rh1996182-login_to_nss_software_token.patch

@@ -0,0 +1,55 @@
+# HG changeset patch
+# User mbalao
+# Date 1630103180 -3600
+#      Fri Aug 27 23:26:20 2021 +0100
+# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
+# Parent  c90394a76ee02a689f95199559d5724824b4b25e
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+ 
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ 
+@@ -58,6 +60,9 @@
+  */
+ public final class SunPKCS11 extends AuthProvider {
+ 
++    private static final boolean systemFipsEnabled = SharedSecrets
++            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+     private static final long serialVersionUID = -1354835039035306505L;
+ 
+     static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -368,6 +373,24 @@
+             if (nssModule != null) {
+                 nssModule.setProvider(this);
+             }
++            if (systemFipsEnabled) {
++                // The NSS Software Token in FIPS 140-2 mode requires a user
++                // login for most operations. See sftk_fipsCheck. The NSS DB
++                // (/etc/pki/nssdb) PIN is empty.
++                Session session = null;
++                try {
++                    session = token.getOpSession();
++                    p11.C_Login(session.id(), CKU_USER, new char[] {});
++                } catch (PKCS11Exception p11e) {
++                    if (debug != null) {
++                        debug.println("Error during token login: " +
++                                p11e.getMessage());
++                    }
++                    throw p11e;
++                } finally {
++                    token.releaseSession(session);
++                }
++            }
+         } catch (Exception e) {
+             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+                 throw new UnsupportedOperationException

SPECS/java-1.8.0-openjdk.spec

@@ -118,10 +118,8 @@
 %endif
 
 # If you disable both builds, then the build fails
-# Note that the debug build requires the normal build for docs
-%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
-# Test slowdebug first as it provides the best diagnostics
-%global rev_build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
 
 %ifarch %{bootstrap_arches}
 %global bootstrap_build 1
@@ -163,7 +161,7 @@
 # as to why some libraries *cannot* be excluded. In particular,
 # these are:
 # libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
 
 %global __provides_exclude ^(%{_privatelibs})$
 %global __requires_exclude ^(%{_privatelibs})$
@@ -265,7 +263,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project	aarch64-port
 %global shenandoah_repo		jdk8u-shenandoah
-%global shenandoah_revision    	aarch64-shenandoah-jdk8u302-b05
+%global shenandoah_revision    	aarch64-shenandoah-jdk8u312-b02
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
 %global repo            %{shenandoah_repo}
@@ -281,7 +279,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      0
+%global rpmrelease      1
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -745,6 +743,7 @@ exit 0
 %endif
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libunpack.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libverify.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libzip.so
@@ -979,8 +978,6 @@ OrderWithRequires: copy-jdk-configs
 %endif
 # for printing support
 Requires: cups-libs
-# for FIPS PKCS11 provider
-Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # in version 1.7 and higher for --family switch
@@ -1197,6 +1194,11 @@ Patch1002: rh1760838-fips_default_keystore_type.patch
 Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 # RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
 Patch1005: rh1906862-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
+Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1008: rh1996182-login_to_nss_software_token.patch
 
 #############################################
 #
@@ -1337,8 +1339,8 @@ BuildRequires: libXinerama-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg
-BuildRequires: nss-devel
+# Requirements for setting up the nss.cfg and FIPS support
+BuildRequires: nss-devel >= 3.53
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
@@ -1539,7 +1541,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n
 Summary: %{origin_nice} %{majorver} API documentation
 Group:   Documentation
 Requires: javapackages-filesystem
-Obsoletes: javadoc-debug
+Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4
 BuildArch: noarch
 
 %{java_javadoc_rpo %{nil}}
@@ -1551,7 +1553,7 @@ The %{origin_nice} %{majorver} API documentation.
 Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive
 Group:   Documentation
 Requires: javapackages-filesystem
-Obsoletes: javadoc-zip-debug
+Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4
 BuildArch: noarch
 
 %{java_javadoc_rpo %{nil}}
@@ -1626,10 +1628,6 @@ if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{includ
   echo "You have disabled all builds (normal,fastdebug,debug). That is a no go."
   exit 14
 fi
-if [ %{include_normal_build} -eq 0 ] ; then
-  echo "You have disabled the normal build, but this is required to provide docs for the debug build."
-  exit 15
-fi
 
 echo "Update version: %{updatever}"
 echo "Build number: %{buildver}"
@@ -1701,6 +1699,9 @@ sh %{SOURCE12}
 %patch1003
 %patch1004
 %patch1005
+%patch1006
+%patch1007
+%patch1008
 
 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1835,6 +1836,7 @@ function buildjdk() {
     --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
     --with-boot-jdk=${buildjdk} \
     --with-debug-level=${debuglevel} \
+    --enable-sysconf-nss \
     --enable-unlimited-crypto \
     --with-zlib=system \
     --with-libjpeg=system \
@@ -1927,7 +1929,7 @@ done
 %check
 
 # We test debug first as it will give better diagnostics on a crash
-for suffix in %{rev_build_loop} ; do
+for suffix in %{build_loop} ; do
 
 export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
 
@@ -2422,6 +2424,66 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Sun Sep 19 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b02-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b02 (EA)
+- Update release notes for 8u312-b02.
+- Related: rhbz#1999937
+
+* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b01-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b01 (EA)
+- Update release notes for 8u312-b01.
+- Switch to EA mode.
+- Remove "-clean" suffix as no 8u312 builds are unclean.
+- Related: rhbz#1999937
+
+* Fri Sep 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-4
+- Remove non-Free test and demo files from source tarball.
+- Related: rhbz#1999937
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-3
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997358
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
+- Fix path to libsystemconf.so on 8u.
+- Resolves: rhbz#1971679
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
+- Port FIPS system detection support to OpenJDK 8u
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Resolves: rhbz#1971679
+
+* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.302.b08-2
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Resolves: rhbz#1971679
+
+* Fri Jul 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-1
+- Update to aarch64-shenandoah-jdk8u302-b08 (EA)
+- Update release notes for 8u302-b08.
+- Switch to GA mode for final release.
+- This tarball is embargoed until 2021-07-20 @ 1pm PT.
+- Resolves: rhbz#1972395
+
+* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b07-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b07 (EA)
+- Update release notes for 8u302-b07.
+- Resolves: rhbz#1967812
+
+* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b06-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b06 (EA)
+- Update release notes for 8u302-b06.
+- Resolves: rhbz#1967812
+
+* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.2.ea
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed.
+- Resolves: rhbz#1966233
+
+* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.1.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Resolves: rhbz#1966233
+
 * Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.0.ea
 - Update to aarch64-shenandoah-jdk8u302-b05 (EA)
 - Update release notes for 8u302-b05.