diff --git a/.gitignore b/.gitignore
index c595679..57e6f50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.14+9-4curve.tar.xz
+SOURCES/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index 5813a51..2ec0c41 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-f8da9d387162a2354eb36d9bdb6d540e84321422 SOURCES/jdk-updates-jdk11u-jdk-11.0.14+9-4curve.tar.xz
+221ac8e48cf86a97fa03d6f628461a3a815d4cbb SOURCES/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java
index e2101cf..29b296b 100644
--- a/SOURCES/CheckVendor.java
+++ b/SOURCES/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see .
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor ");
+ if (args.length < 4) {
+ System.err.println("CheckVendor ");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 68212a8..b365726 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,583 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 11.0.16 (2022-07-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11016
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+
+* Security fixes
+ - JDK-8277608: Address IP Addressing
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
+ - JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
+ - JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
+ - JDK-8133713: [macosx] Accessible JTables always reported as empty
+ - JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8163498: Many long-running security libs tests
+ - JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28
+ - JDK-8169004: Fix redundant @requires tags in tests
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
+ - JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher
+ - JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests
+ - JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10"
+ - JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS
+ - JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java
+ - JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java
+ - JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start
+ - JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location
+ - JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests
+ - JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names
+ - JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
+ - JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
+ - JDK-8209883: ZGC: Compile without C1 broken
+ - JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC
+ - JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun
+ - JDK-8210039: move OSInfo to top level testlibrary
+ - JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022
+ - JDK-8210112: remove jdk.testlibrary.ProcessTools
+ - JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
+ - JDK-8210732: remove jdk.testlibrary.Utils
+ - JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
+ - JDK-8211822: Some tests fail after JDK-8210039
+ - JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound
+ - JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64
+ - JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp
+ - JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
+ - JDK-8214799: Add package declaration to each JTREG test case in the gc folder
+ - JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5
+ - JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
+ - JDK-8216366: Add rationale to PER_CPU_SHARES define
+ - JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265
+ - JDK-8217233: Update build settings for AIX/xlc
+ - JDK-8217340: Compilation failed: tools/launcher/Test7029048.java
+ - JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers
+ - JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX
+ - JDK-8218751: Do not store original classfiles inside the CDS archive
+ - JDK-8218965: aix: support xlclang++ in the compiler detection
+ - JDK-8220658: Improve the readability of container information in the error log
+ - JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X
+ - JDK-8222799: java.beans.Introspector uses an obsolete methods cache
+ - JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1
+ - JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'.
+ - JDK-8223363: Bad node estimate assertion failure
+ - JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget())
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate
+ - JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
+ - JDK-8225475: Node budget asserts on x86_32/64
+ - JDK-8227171: provide function names in native stack trace on aix with xlc16
+ - JDK-8227389: Remove unsupported xlc16 compile options on aix
+ - JDK-8229202: Docker reporting causes secondary crashes in error handling
+ - JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress
+ - JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21
+ - JDK-8229499: Node budget assert in fuzzed test
+ - JDK-8230305: Cgroups v2: Container awareness
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+ - JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
+ - JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare"
+ - JDK-8231565: More node budget asserts in fuzzed tests
+ - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
+ - JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap
+ - JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
+ - JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak
+ - JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8237479: 8230305 causes slowdebug build failure
+ - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+ - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+ - JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java
+ - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+ - JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
+ - JDK-8240734: ModuleHashes attribute not reproducible between builds
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
+ - JDK-8241707: introduce randomness k/w to hotspot test suite
+ - JDK-8242310: use reproducible random in hotspot compiler tests
+ - JDK-8242311: use reproducible random in hotspot runtime tests
+ - JDK-8242312: use reproducible random in hotspot gc tests
+ - JDK-8242313: use reproducible random in hotspot svc tests
+ - JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows
+ - JDK-8243429: use reproducible random in :vmTestbase_nsk_stress
+ - JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps
+ - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+ - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
+ - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+ - JDK-8245938: Remove unused print_stack(void) method from XToolkit.c
+ - JDK-8246494: introduce vm.flagless at-requires property
+ - JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed
+ - JDK-8247589: Implementation of Alpine Linux/x64 Port
+ - JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide
+ - JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java
+ - JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect"
+ - JDK-8252248: __SIGRTMAX is not declared in musl libc
+ - JDK-8252250: isnanf is obsolete
+ - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+ - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+ - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+ - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+ - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+ - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+ - JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp
+ - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+ - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+ - JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
+ - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect
+ - JDK-8255787: Tag container tests that use cGroups with cgroups keyword
+ - JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+ - JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11
+ - JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
+ - JDK-8259517: Incorrect test path in test cases
+ - JDK-8260518: Change default -mmacosx-version-min to 10.12
+ - JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0
+ - JDK-8262379: Add regression test for JDK-8257746
+ - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
+ - JDK-8263718: unused-result warning happens at os_linux.cpp
+ - JDK-8263856: Github Actions for macos/aarch64 cross-build
+ - JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset"
+ - JDK-8265343: Update Debian-based cross-compilation recipes
+ - JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM
+ - JDK-8266318: Switch to macos prefix for macOS bundles
+ - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+ - JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
+ - JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available"
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+ - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8273655: content-types.properties files are missing some common types
+ - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8275082: Update XML Security for Java to 2.3.0
+ - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
+ - JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11
+ - JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283018: 11u GHA: Update GCC 9 minor versions
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean;
+ - JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283614: [11] Repair compiler versions handling after 8233787
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195
+ - JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+ - JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:serialization:
+
+JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
+=========================================================================================
+`java.util.Vector` is updated to correctly report
+`ClassNotFoundException that occurs during deserialization using
+`java.io.ObjectInputStream.GetField.get(name, object)` when the class
+of an element of the Vector is not found. Without this fix, a
+`StreamCorruptedException` is thrown that does not provide information
+about the missing class.
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
+New in release OpenJDK 11.0.15 (2022-04-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11015
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.15.txt
+
+* New features
+ - JDK-8253795: Implementation of JEP 391: macOS/AArch64 Port
+* Security fixes
+ - JDK-8269938: Enhance XML processing passes redux
+ - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+ - JDK-8272255: Completely handle MIDI files
+ - JDK-8272261: Improve JFR recording file processing
+ - JDK-8272594: Better record of recordings
+ - JDK-8274221: More definite BER encodings
+ - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
+ - JDK-8275151, CVE-2022-21443: Improved Object Identification
+ - JDK-8277227: Better identification of OIDs
+ - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+ - JDK-8278356: Improve file creation
+ - JDK-8278449: Improve keychain support
+ - JDK-8278798: Improve supported intrinsic
+ - JDK-8278805: Enhance BMP image loading
+ - JDK-8278972, CVE-2022-21496: Improve URL supports
+ - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
+* Other changes
+ - JDK-8065704: Set LC_ALL=C for all relevant commands in the build system
+ - JDK-8177814: jdk/editpad is not in jdk TEST.groups
+ - JDK-8186780: clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment()
+ - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
+ - JDK-8193277: SimpleFileObject inconsistency between getName and getShortName
+ - JDK-8199079: Test javax/swing/UIDefaults/6302464/bug6302464.java is unstable
+ - JDK-8202142: jfr/event/io/TestInstrumentation is unstable
+ - JDK-8207011: Remove uses of the register storage class specifier
+ - JDK-8207793: [TESTBUG] runtime/Metaspace/FragmentMetaspace.java fails: heap needs to be increased
+ - JDK-8208074: [TESTBUG] vmTestbase/nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption/TestDescription.java failed with NullPointerException
+ - JDK-8210194: [TESTBUG] jvmti_FollowRefObjects.cpp missing initializer for member _jvmtiHeapCallbacks::heap_reference_callback
+ - JDK-8210236: Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading
+ - JDK-8211170: AArch64: Warnings in C1 and template interpreter
+ - JDK-8211333: AArch64: Fix another build failure after JDK-8211029
+ - JDK-8214004: Missing space between compiler thread name and task info in hs_err
+ - JDK-8214026: Canonicalized archive paths appearing in diagnostics
+ - JDK-8214761: Bug in parallel Kahan summation implementation
+ - JDK-8216969: ParseException thrown for certain months with russian locale
+ - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
+ - JDK-8220634: SymLinkArchiveTest should handle not being able to create symlinks
+ - JDK-8222825: ARM32 SIGILL issue on single core CPU (not supported PLDW instruction)
+ - JDK-8223142: Clean-up WS and CB.
+ - JDK-8225559: assertion error at TransTypes.visitApply
+ - JDK-8232533: G1 uses only a single thread for pretouching the java heap
+ - JDK-8233827: Enable screenshots in the enhanced failure handler on Linux/macOS
+ - JDK-8233986: ProblemList javax/swing/plaf/basic/BasicTextUI/8001470/bug8001470.java for windows-x64
+ - JDK-8234930: Use MAP_JIT when allocating pages for code cache on macOS
+ - JDK-8236210: javac generates wrong annotation for fields generated from record components
+ - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
+ - JDK-8237787: rewrite vmTestbase/vm/compiler/CodeCacheInfo* from shell to java
+ - JDK-8237798: rewrite vmTestbase/jit/tiered from shell to java
+ - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
+ - JDK-8240904: Screen flashes on test failures when running tests from make
+ - JDK-8241004: NMT tests fail on unaligned thread size with debug build
+ - JDK-8241423: NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default
+ - JDK-8247272: SA ELF file support has never worked for 64-bit causing address to symbol name mapping to fail
+ - JDK-8247515: OSX pc_to_symbol() lookup does not work with core files
+ - JDK-8249019: clean up FileInstaller $test.src $cwd in vmTestbase_vm_compiler tests
+ - JDK-8250750: JDK-8247515 fix for OSX pc_to_symbol() lookup fails with some symbols
+ - JDK-8251126: nsk.share.GoldChecker should read golden file from ${test.src}
+ - JDK-8251127: clean up FileInstaller $test.src $cwd in remaining vmTestbase_vm_compiler tests
+ - JDK-8251132: make main classes public in vmTestbase/jit tests
+ - JDK-8251558: J2DBench should support shaped and translucent windows
+ - JDK-8251998: remove usage of PropertyResolvingWrapper in vmTestbase/jit/t
+ - JDK-8252005: narrow disabling of allowSmartActionArgs in vmTestbase
+ - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
+ - JDK-8253816: Support macOS W^X
+ - JDK-8253817: Support macOS Aarch64 ABI in Interpreter
+ - JDK-8253818: Support macOS Aarch64 ABI for compiled wrappers
+ - JDK-8253819: Implement os/cpu for macOS/AArch64
+ - JDK-8253839: Update tests and JDK code for macOS/Aarch64
+ - JDK-8254072: AArch64: Get rid of --disable-warnings-as-errors on Windows+ARM64 build
+ - JDK-8254085: javax/swing/text/Caret/TestCaretPositionJTextPane.java failed with "RuntimeException: Wrong caret position"
+ - JDK-8254827: JVMCI: Enable it for Windows+AArch64
+ - JDK-8254940: AArch64: Cleanup non-product thread members
+ - JDK-8254941: Implement Serviceability Agent for macOS/AArch64
+ - JDK-8255035: Update BCEL to Version 6.5.0
+ - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
+ - JDK-8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider
+ - JDK-8255776: Change build system for macOS/AArch64
+ - JDK-8256154: Some TestNG tests require default constructors
+ - JDK-8256321: Some "inactive" color profiles use the wrong profile class
+ - JDK-8256373: [Windows/HiDPI] The Frame#setBounds does not work in a minimized state
+ - JDK-8257467: [TESTBUG] -Wdeprecated-declarations is reported at sigset() in exesigtest.c
+ - JDK-8257769: Cipher.getParameters() throws NPE for ChaCha20-Poly1305
+ - JDK-8258554: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
+ - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
+ - JDK-8261205: AssertionError: Cannot add metadata to an intersection type
+ - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
+ - JDK-8262894: [macos_aarch64] SIGBUS in Assembler::ld_st2
+ - JDK-8262896: [macos_aarch64] Crash in jni_fast_GetLongField
+ - JDK-8262903: [macos_aarch64] Thread::current() called on detached thread
+ - JDK-8263185: Mallinfo deprecated in glibc 2.33
+ - JDK-8264650: Cross-compilation to macos/aarch64
+ - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
+ - JDK-8266168: -Wmaybe-uninitialized happens in check_code.c
+ - JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp
+ - JDK-8266171: -Warray-bounds happens in imageioJPEG.c
+ - JDK-8266172: -Wstringop-overflow happens in vmError.cpp
+ - JDK-8266173: -Wmaybe-uninitialized happens in jni_util.c
+ - JDK-8266174: -Wmisleading-indentation happens in libmlib_image sources
+ - JDK-8266176: -Wmaybe-uninitialized happens in libArrayIndexOutOfBoundsExceptionTest.c
+ - JDK-8266187: Memory leak in appendBootClassPath()
+ - JDK-8266421: Deadlock in Sound System
+ - JDK-8266889: [macosx-aarch64] Crash with SIGBUS in MarkActivationClosure::do_code_blob during vmTestbase/nsk/jvmti/.../bi04t002 test run
+ - JDK-8268014: Build failure on SUSE Linux Enterprise Server 11.4 (s390x) due to 'SYS_get_mempolicy' was not declared
+ - JDK-8268542: serviceability/logging/TestFullNames.java tests only 1st test case
+ - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
+ - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
+ - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8272345: macos doesn't check `os::set_boot_path()` result
+ - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
+ - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
+ - JDK-8273277: C2: Move conditional negation into rc_predicate
+ - JDK-8273341: Update Siphash to version 1.0
+ - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
+ - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
+ - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
+ - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
+ - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
+ - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
+ - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
+ - JDK-8273682: Upgrade Jline to 3.20.0
+ - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
+ - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
+ - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
+ - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
+ - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
+ - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
+ - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
+ - JDK-8274658: ISO 4217 Amendment 170 Update
+ - JDK-8274714: Incorrect verifier protected access error message
+ - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
+ - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
+ - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
+ - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
+ - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
+ - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
+ - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
+ - JDK-8275811: Incorrect instance to dispose
+ - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
+ - JDK-8276141: XPathFactory set/getProperty method
+ - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
+ - JDK-8276314: [JVMCI] check alignment of call displacement during code installation
+ - JDK-8276623: JDK-8275650 accidentally pushed "out" file
+ - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
+ - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
+ - JDK-8277385: Zero: Enable CompactStrings support
+ - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
+ - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
+ - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
+ - JDK-8277795: ldap connection timeout not honoured under contention
+ - JDK-8277796: Bump update version for OpenJDK: jdk-11.0.15
+ - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
+ - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
+ - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
+ - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
+ - JDK-8278309: [windows] use of uninitialized OSThread::_state
+ - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
+ - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
+ - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
+ - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
+ - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
+ - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
+ - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
+ - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
+ - JDK-8279379: GHA: Print tests that are in error
+ - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
+ - JDK-8279702: [macosx] ignore xcodebuild warnings on M1
+ - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
+ - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
+ - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
+ - JDK-8280155: [PPC64, s390] frame size checks are not yet correct
+ - JDK-8280414: Memory leak in DefaultProxySelector
+ - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
+ - JDK-8280786: Build failure on Solaris after 8262392
+ - JDK-8280999: array_bounds should be array-bounds after 8278507
+ - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
+ - JDK-8281520: JFR: A wrong parameter is passed to the constructor of LeakKlassWriter
+ - JDK-8281599: test/lib/jdk/test/lib/KnownOIDs.java is redundant since JDK-8268801
+ - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+ - JDK-8282372: [11] build issue on MacOS/aarch64 12.2.1 using Xcode 13.1: call to 'log2_intptr' is ambiguous
+ - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
+ - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
+ - JDK-8283018: 11u GHA: Update GCC 9 minor versions
+ - JDK-8283270: [11u] broken JRT_ENTRY_NO_ASYNC after Backport of JDK-8253795
+ - JDK-8283778: 11u GHA: Fix GCC 9 ubuntu package names
+ - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+ - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
+
+Notes on individual issues:
+===========================
+
+security-libs/javax.crypto:pkcs11:
+
+JDK-8275737: SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library
+==========================================================================================================================
+SunPKCS11 provider is enhanced to support the following crypto
+services and algorithms when the underlying PKCS11 library supports
+the corresponding PKCS#11 mechanisms:
+
+* ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
+* ChaCha20-Poly1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism
+* ChaCha20-Poly1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism
+* ChaCha20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
+
+New in release OpenJDK 11.0.14.1 (2022-02-08):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk110141
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt
+
+* Other changes
+ - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
+ - JDK-8280786: Build failure on Solaris after 8262392
+ - JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1
+
New in release OpenJDK 11.0.14 (2022-01-18):
=============================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
}
diff --git a/SOURCES/fips-11u-9087e80d0ab.patch b/SOURCES/fips-11u-9087e80d0ab.patch
new file mode 100644
index 0000000..a396fb8
--- /dev/null
+++ b/SOURCES/fips-11u-9087e80d0ab.patch
@@ -0,0 +1,1610 @@
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a73c0f38181..80710886ed8 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_LIBFFI
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_SOLARIS_STLPORT
+ LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT],
+ fi
+ ])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index 0ae23b93167..a242acc1234 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
+index a529768f39e..daf9c947172 100644
+--- a/make/lib/Lib-java.base.gmk
++++ b/make/lib/Lib-java.base.gmk
+@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
+index fb07d54c1f0..c5813e2b7aa 100644
+--- a/make/nb_native/nbproject/configurations.xml
++++ b/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+ LinuxWatchService.c
+
+
++
++ systemconf.c
++
+
+
+
+@@ -29301,6 +29304,11 @@
+ tool="0"
+ flavor2="0">
+
++
++
+
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index b36510a376b..ad5182e1e7c 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ *
Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -83,6 +105,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -98,6 +121,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..90f6dd2ebc0
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry
-
-+
-+ systemconf.c
-+
-
-
-
-@@ -29301,6 +29304,11 @@
- tool="0"
- flavor2="0">
-
-+
-+
-
-+#include
-+#include
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -170,16 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index ac9bdb5..0000000
--- a/SOURCES/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,590 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 53f32d12cc..28ab184617 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -82,6 +82,10 @@ public final class Security {
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
- });
-
- // doPrivileged here because there are multiple
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 5565acb7c6..874c6221eb 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@ final class SystemConfigurator {
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
- private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-
- private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-
-@@ -149,6 +150,16 @@ final class SystemConfigurator {
- }
- loadedProps = true;
- systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -176,6 +187,19 @@ final class SystemConfigurator {
- return systemFipsEnabled;
- }
-
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
- /*
- * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
- * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-index d8caa5640c..21bc6d0b59 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@ package jdk.internal.misc;
-
- public interface JavaSecuritySystemConfiguratorAccess {
- boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..ff3d5e0e4a 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import jdk.internal.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 0000000000..b848a1fd78
---- /dev/null
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 1eca1f8f0a..72674a7330 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 04a369f453..8d2081abaa 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -150,16 +151,28 @@ public class PKCS11 {
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index 10c5666..0000000
--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
-Author: Martin Balao
-Date: Fri Aug 27 19:42:07 2021 +0100
-
- RH1996182: Login to the NSS Software Token in FIPS Mode
-
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 5460efcf8c..f08dc2fafc 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -182,6 +182,7 @@ module java.base {
- java.security.jgss,
- java.sql,
- java.xml,
-+ jdk.crypto.cryptoki,
- jdk.jartool,
- jdk.attach,
- jdk.charsets,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 5e227f4531..164de8ff08 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
- import javax.security.auth.callback.PasswordCallback;
-
- import jdk.internal.misc.InnocuousThread;
-+import jdk.internal.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 9490624..0000000
--- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
-Author: Andrew Hughes
-Date: Tue Jan 18 02:00:55 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-index 2ec51d57806..8489b940c43 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-@@ -36,6 +36,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -368,6 +369,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index b8c8ba5..0000000
--- a/SOURCES/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
-Author: Fridrich Strba
-Date: Mon Jan 17 19:44:03 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..34d0ff0ce91 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index d6d6192..c6e4517 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -85,7 +85,7 @@
# in alternatives those are slaves and master, very often triplicated by man pages
# in files all masters and slaves are ghosted
# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
-# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
# TODO - fix those hardcoded lists via single list
# Those files must *NOT* be ghosted for *slowdebug* packages
# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
@@ -197,11 +197,15 @@
%global staticlibs_loop %{nil}
%endif
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@@ -315,12 +319,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 14
+%global updatever 16
%global patchver 0
-# If you bump featurever, you must bump also vendor_version_string
-# Used via new version scheme. JDK 11 was
-# GA'ed in September 2018 => 18.9
-%global vendor_version_string 18.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -353,17 +353,20 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 9087e80d0ab
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 9
-%global rpmrelease 6
+%global buildver 8
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -379,12 +382,11 @@
%endif
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-# Omit trailing 0 in filenames when the patch version is 0
-%if 0%{?patchver} > 0
-%global filever %{newjavaver}
-%else
-%global filever %{featurever}.%{interimver}.%{updatever}
-%endif
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
%global javaver %{featurever}
@@ -461,6 +463,9 @@
%global alternatives_requires %{_sbindir}/alternatives
%endif
+%global family %{name}.%{_arch}
+%global family_noarch %{name}
+
%if %{with_systemtap}
# Where to install systemtap tapset (links)
# We would like these to be in a package specific sub-dir,
@@ -478,6 +483,50 @@
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+%define save_alternatives() %{expand:
+ # warning! alternatives are localised!
+ # LANG=cs_CZ.UTF-8 alternatives --display java | head
+ # LANG=en_US.UTF-8 alternatives --display java | head
+ function nonLocalisedAlternativesDisplayOfMaster() {
+ LANG=en_US.UTF-8 alternatives --display "$MASTER"
+ }
+ function headOfAbove() {
+ nonLocalisedAlternativesDisplayOfMaster | head -n $1
+ }
+ MASTER="%{?1}"
+ LOCAL_LINK="%{?2}"
+ FAMILY="%{?3}"
+ rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+ if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+ if headOfAbove 1 | grep -q manual ; then
+ if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+ headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+ fi
+ fi
+ fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ upgrade1_uninstal0=%{?3}
+ if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+ %{save_alternatives %{?1} %{?2} %{?4}}
+ fi
+ alternatives --remove "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+ MASTER="%{?1}"
+ FAMILY="%{?2}"
+ ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+ if [ -e "$ALTERNATIVES_FILE" ] ; then
+ rm "$ALTERNATIVES_FILE"
+ alternatives --set $MASTER $FAMILY
+ fi
+}
+
%define post_script() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || :
@@ -485,20 +534,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
exit 0
}
-
-%define post_headless() %{expand:
-%ifarch %{share_arches}
-%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
-%endif
-
+%define alternatives_java_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
ext=.gz
+key=java
alternatives \\
- --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\
+ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
--slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
--slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
--slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
@@ -524,12 +572,23 @@ alternatives \\
--slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext
+%{set_if_needed_alternatives $key %{family}}
+
for X in %{origin} %{javaver} ; do
- alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+ key=jre_"$X"
+ alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
done
-update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@@ -556,26 +615,34 @@ exit 0
%define postun_headless() %{expand:
- alternatives --remove java %{jrebindir -- %{?1}}/java
- alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
- alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
- alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
}
%define posttrans_script() %{expand:
%{update_desktop_icons}
}
-%define post_devel() %{expand:
+%define alternatives_javac_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
ext=.gz
+key=javac
alternatives \\
- --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\
+ --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
--slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
%ifarch %{aot_arches}
--slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\
@@ -643,15 +710,22 @@ alternatives \\
--slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\
%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\
--slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
- %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\
+ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
for X in %{origin} %{javaver} ; do
- alternatives \\
- --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+ key=java_sdk_"$X"
+ alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
done
-update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+%define post_devel() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@@ -659,10 +733,14 @@ exit 0
}
%define postun_devel() %{expand:
- alternatives --remove javac %{sdkbindir -- %{?1}}/javac
- alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
- alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
- alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
update-desktop-database %{_datadir}/applications &> /dev/null || :
@@ -674,42 +752,54 @@ exit 0
}
%define posttrans_devel() %{expand:
+%{alternatives_javac_install -- %{?1}}
%{update_desktop_icons}
}
-%define post_javadoc() %{expand:
-
+%define alternatives_javadoc_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-alternatives \\
- --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
- $PRIORITY --family %{name}
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
%define postun_javadoc() %{expand:
- alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
-%define post_javadoc_zip() %{expand:
-
+%define alternatives_javadoczip_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-
-alternatives \\
- --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
- $PRIORITY --family %{name}
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
%define postun_javadoc_zip() %{expand:
- alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1039,8 +1129,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2021a required as of JDK-8260356 in April 2021 CPU
-Requires: tzdata-java >= 2021a
+# 2022a required as of JDK-8283350 in 11.0.16
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1053,6 +1143,10 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
+# for FIPS PKCS11 provider
+Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# Postun requires alternatives to uninstall tool alternatives
@@ -1196,7 +1290,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1247,25 +1341,28 @@ Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
-# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Return in C code after having generated Java exception
+# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-11u-%{fipsver}.patch
#############################################
#
@@ -1285,10 +1382,8 @@ Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch7: pr3695-toggle_system_crypto_policy.patch
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch8: jdk8275535-rh2053256-ldap_auth.patch
#############################################
#
@@ -1299,12 +1394,10 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
-# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
-Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
-# Patches appearing in 11.0.13
+# Patches appearing in 11.0.15
#
# This section includes patches which are present
# in the listed OpenJDK 11u release and should be
@@ -1337,8 +1430,10 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
-BuildRequires: nss-devel >= 3.53
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1349,8 +1444,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021a required as of JDK-8260356 in April 2021 CPU
-BuildRequires: tzdata-java >= 2021a
+# 2022a required as of JDK-8283350 in 11.0.16
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1654,6 +1749,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1700,25 +1797,16 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1
-%patch7 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
popd # openjdk
-%patch101
-
-%patch1000
%patch600
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1007
-%patch1008
-%patch1009
-%patch1011
-%patch1014
-%patch1015
-%patch1016
+
+%patch8
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -1837,7 +1925,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -1845,7 +1933,7 @@ function buildjdk() {
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
- --enable-sysconf-nss \
+ --disable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=${link_opt} \
@@ -1915,6 +2003,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@@ -1925,6 +2017,10 @@ function installjdk() {
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2025,13 +2121,18 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2341,6 +2442,9 @@ end
%posttrans
%{posttrans_script %{nil}}
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
%post devel
%{post_devel %{nil}}
@@ -2350,14 +2454,14 @@ end
%posttrans devel
%{posttrans_devel %{nil}}
-%post javadoc
-%{post_javadoc %{nil}}
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
%postun javadoc
%{postun_javadoc %{nil}}
-%post javadoc-zip
-%{post_javadoc_zip %{nil}}
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
%postun javadoc-zip
%{postun_javadoc_zip %{nil}}
@@ -2370,6 +2474,9 @@ end
%post headless-slowdebug
%{post_headless -- %{debug_suffix_unquoted}}
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
%postun slowdebug
%{postun_script -- %{debug_suffix_unquoted}}
@@ -2405,6 +2512,9 @@ end
%posttrans fastdebug
%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
%post devel-fastdebug
%{post_devel -- %{fastdebug_suffix_unquoted}}
@@ -2511,6 +2621,107 @@ end
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes - 1:11.0.16.0.8-2
+- Update to jdk-11.0.16+8
+- Update release notes to 11.0.16+8
+- Switch to GA mode for release
+- Resolves: rhbz#2106515
+
+* Sat Jul 16 2022 Andrew Hughes - 1:11.0.16.0.7-0.1.ea
+- Update to jdk-11.0.16+7
+- Update release notes to 11.0.16+7
+- Switch to EA mode for 11.0.16 pre-release builds.
+- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
+- Drop JDK-8257794 patch now upstreamed
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Resolves: rhbz#2083298
+
+* Thu Jul 14 2022 Jiri Vanek - 1:11.0.16.0.7-0.1.ea
+- Add additional patch during tarball generation to align tests with ECC changes
+- Related: rhbz#2083298
+
+* Fri Jul 08 2022 Andrew Hughes - 1:11.0.15.0.10-6
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099838
+- Resolves: rhbz#2090378
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:11.0.15.0.10-5
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102430
+
+* Thu Jun 30 2022 Stephan Bergmann - 1:11.0.15.0.10-4
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102731
+
+* Sun Apr 24 2022 Andrew Hughes - 1:11.0.15.0.10-3
+- Update to jdk-11.0.15.0+10
+- Update release notes to 11.0.15.0+10
+- Switch to GA mode for release
+- Resolves: rhbz#2073593
+
+* Tue Apr 12 2022 Andrew Hughes - 1:11.0.15.0.8-0.1.ea
+- Update to jdk-11.0.15.0+8
+- Update release notes to 11.0.15.0+8
+- Rebase RH1996182 FIPS patch after JDK-8254410
+- Resolves: rhbz#2048549
+
+* Tue Apr 12 2022 Andrew Hughes - 1:11.0.15.0.1-0.1.ea
+- Update to jdk-11.0.15.0+1
+- Update release notes to 11.0.15.0+1
+- Switch to EA mode for 11.0.15 pre-release builds.
+- Related: rhbz#2048549
+
+* Mon Feb 28 2022 Andrew Hughes - 1:11.0.14.1.1-6
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2052827
+
+* Fri Feb 25 2022 Andrew Hughes - 1:11.0.14.1.1-5
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053284
+
+* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-4
+- Storing and restoring alterntives during update manually
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008192
+
+* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-3
+- Family extracted to globals
+- Resolves: rhbz#2008192
+
+* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-2
+- alternatives creation moved to posttrans
+- Thus fixing the old reisntall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008192
+
+* Fri Feb 18 2022 Andrew Hughes - 1:11.0.14.1.1-1
+- Update to jdk-11.0.14.1+1
+- Update release notes to 11.0.14.1+1
+- Require tzdata 2021e as of JDK-8275766.
+- Resolves: rhbz#2052809
+- Resolves: rhbz#1966234
+
* Thu Feb 17 2022 Andrew Hughes - 1:11.0.14.0.9-6
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2052816