import java-11-openjdk-11.0.12.0.7-4.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
+SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-11-openjdk.metadata

@@ -1,2 +1,2 @@
-73e3ecc340440bd249c7c0bd815544d63918aebb SOURCES/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
+7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/NEWS

@@ -9,6 +9,21 @@ Live versions of these release notes can be found at:
   * https://bitly.com/openjdk11012
   * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt
 
+* Security fixes
+  - JDK-8256157: Improve bytecode assembly
+  - JDK-8256491: Better HTTP transport
+  - JDK-8258432, CVE-2021-2341: Improve file transfers
+  - JDK-8260453: Improve Font Bounding
+  - JDK-8260960: Signs of jarsigner signing
+  - JDK-8260967, CVE-2021-2369: Better jar file validation
+  - JDK-8262380: Enhance XML processing passes
+  - JDK-8262403: Enhanced data transfer
+  - JDK-8262410: Enhanced rules for zones
+  - JDK-8262477: Enhance String Conclusions
+  - JDK-8262967: Improve Zip file support
+  - JDK-8264066, CVE-2021-2388: Enhance compiler validation
+  - JDK-8264079: Improve abstractions
+  - JDK-8264460: Improve NTLM support
 * Other changes
   - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
   - JDK-7106851: Test should not use System.exit
@@ -17,11 +32,14 @@ Live versions of these release notes can be found at:
   - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms
   - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux
   - JDK-8177068: incomplete classpath causes NPE in Flow
+  - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution
   - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
   - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit()
   - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen
+  - JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails
   - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException
   - JDK-8206925: Support the certificate_authorities extension
+  - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty
   - JDK-8207247: AARCH64: Enable Minimal and Client VM builds
   - JDK-8207404: MulticastSocket tests failing on AIX
   - JDK-8207779: Method::is_valid_method() compares 'this' with NULL
@@ -38,6 +56,7 @@ Live versions of these release notes can be found at:
   - JDK-8214854: JDWP: Unforseen output truncation in logging
   - JDK-8214922: Add vectorization support for fmin/fmax
   - JDK-8215009: GCC 8 compilation error in libjli
+  - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file
   - JDK-8216259: AArch64: Vectorize Adler32 intrinsics
   - JDK-8216314: SIGILL in CodeHeapState::print_names()
   - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
@@ -47,6 +66,7 @@ Live versions of these release notes can be found at:
   - JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output
   - JDK-8219142: Remove unused JIMAGE_ResourcePath
   - JDK-8219586: CodeHeap State Analytics processes dead nmethods
+  - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS
   - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout
   - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU
   - JDK-8222412: AARCH64: multiple instructions encoding issues
@@ -61,11 +81,14 @@ Live versions of these release notes can be found at:
   - JDK-8226374: Restrict TLS signature schemes and named groups
   - JDK-8226627: assert(t->singleton()) failed: must be a constant
   - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint
+  - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow
   - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15
+  - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size
   - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
   - JDK-8231460: Performance issue (CodeHeap) with large free blocks
   - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint)
   - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
+  - JDK-8232084: HotSpot build failed with GCC 9.2.1
   - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl
   - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread
   - JDK-8233787: Break cycle in vm_version* includes
@@ -75,6 +98,7 @@ Live versions of these release notes can be found at:
   - JDK-8236859: WebSocket over authenticating proxy fails with NPE
   - JDK-8236992: AArch64: remove redundant load_klass in itable stub
   - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: []
+  - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias <nnnnnn> already exists"
   - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
   - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
   - JDK-8238812: assert(false) failed: bad AD file
@@ -84,7 +108,9 @@ Live versions of these release notes can be found at:
   - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files
   - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler
   - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version
+  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
   - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string
+  - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
   - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset
   - JDK-8241475: AArch64: Add missing support for PopCountVI node
   - JDK-8241829: Cleanup the code for PrinterJob on windows
@@ -92,8 +118,10 @@ Live versions of these release notes can be found at:
   - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01
   - JDK-8242429: Better implementation for sign extract
   - JDK-8242557: Add length limit for strings in PNGImageWriter
+  - JDK-8242919: Paste locks up jshell
   - JDK-8243155: AArch64: Add support for SqrtVF
   - JDK-8243240: AArch64: Add support for MulVB
+  - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings
   - JDK-8243559: Remove root certificates with 1024-bit keys
   - JDK-8243597: AArch64: Add support for integer vector abs
   - JDK-8244031: HttpClient should have more tests for HEAD requests
@@ -111,11 +139,15 @@ Live versions of these release notes can be found at:
   - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr
   - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values
   - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
+  - JDK-8249189: AARCH64: more L2I conversions can be skipped
   - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function
+  - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
   - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks
   - JDK-8250876: Fix issues with cross-compile on macos
+  - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits
   - JDK-8251525: AARCH64: Faster Math.signum(fp)
   - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE
+  - JDK-8252311: AArch64: save two words in itable lookup stub
   - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525
   - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
   - JDK-8253167: ARM32 builds fail after JDK-8247910
@@ -123,9 +155,11 @@ Live versions of these release notes can be found at:
   - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops
   - JDK-8253948: Memory leak in ImageFileReader
   - JDK-8254631: Better support ALPN byte wire values in SunJSSE
+  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
   - JDK-8255086: Update the root locale display names
   - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic
   - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement
+  - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0
   - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small
   - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1
   - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned
@@ -138,19 +172,31 @@ Live versions of these release notes can be found at:
   - JDK-8257621: JFR StringPool misses cached items across consecutive recordings
   - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32
   - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check
+  - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads
+  - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code
+  - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m
+  - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m
+  - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m
   - JDK-8258414: OldObjectSample events too expensive
   - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions
   - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
   - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
   - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check
+  - JDK-8259232: Bad JNI lookup during printing
   - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
+  - JDK-8259343: [macOS] Update JNI error handling in Cocoa code.
+  - JDK-8259585: Accessible actions do not work on mac os x
+  - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros
   - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
   - JDK-8259710: Inlining trace leaks memory
+  - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion
   - JDK-8259777: Incorrect predication condition generated by ADLC
   - JDK-8259786: initialize last parameter of getpwuid_r
   - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name
+  - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs
   - JDK-8259886: Improve SSL session cache performance and scalability
   - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection
+  - JDK-8260030: Improve stringStream buffer handling
   - JDK-8260236: better init AnnotationCollector _contended_group
   - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
   - JDK-8260284: C2: assert(_base == Int) failed: Not an Int
@@ -158,6 +204,8 @@ Live versions of these release notes can be found at:
   - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
   - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
   - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory
+  - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module
+  - JDK-8260653: Unreachable nodes keep speculative types alive
   - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out
   - JDK-8260925: HttpsURLConnection does not work  with other JSSE provider.
   - JDK-8260926: Trace resource exhausted events unconditionally
@@ -165,11 +213,14 @@ Live versions of these release notes can be found at:
   - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
   - JDK-8261167: print_process_memory_info add a close call after fopen
   - JDK-8261170: Upgrade to freetype 2.10.4
+  - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code
   - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
   - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
   - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
+  - JDK-8261354: SIGSEGV at MethodIteratorHost
   - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
   - JDK-8261397: try catch Method failing to work when dividing an integer by 0
+  - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage
   - JDK-8261447: MethodInvocationCounters frequently run into overflow
   - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
   - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer
@@ -197,6 +248,7 @@ Live versions of these release notes can be found at:
   - JDK-8263260: [s390] Support latest hardware (z14 and z15)
   - JDK-8263311: Watch registry changes for remote printers update instead of polling
   - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
+  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
   - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
   - JDK-8263448: CTW: fatal error: meet not symmetric
   - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
@@ -204,6 +256,7 @@ Live versions of these release notes can be found at:
   - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
   - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
   - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
+  - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
   - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
   - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
   - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
@@ -216,7 +269,7 @@ Live versions of these release notes can be found at:
   - JDK-8264640: CMS ParScanClosure misses a barrier
   - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
   - JDK-8264821: DirectIOTest fails on a system with large block size
-  - JDK-8264846: [macos] libjvm.dylib linker warning due to macOS version mismatch
+  - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch
   - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
   - JDK-8264958: C2 compilation fails with assert "n is later than its clone"
   - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
@@ -224,13 +277,27 @@ Live versions of these release notes can be found at:
   - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
   - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
   - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement
+  - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
   - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
+  - JDK-8265666: Enable AIX build platform to make external debug symbols
   - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
   - JDK-8265690: Use the latest Ubuntu base image version in Docker testing
   - JDK-8265718: Build failure after JDK-8258414 11u backport
   - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
   - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind
+  - JDK-8265938: C2's conditional move optimization does not handle top Phi
+  - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
+  - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
   - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753
+  - JDK-8266802: Shenandoah: Round up region size to page size unconditionally
+  - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x
+  - JDK-8266929: Unable to use algorithms from 3p providers
+  - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
+  - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
+  - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
+  - JDK-8267641: [11u] 8227609 backport typo
+  - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64
+  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
 
 Notes on individual issues:
 ===========================

SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch

@@ -0,0 +1,32 @@
+From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
+From: Severin Gehwolf <sgehwolf@redhat.com>
+Date: Wed, 14 Jul 2021 12:06:39 +0200
+Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
+
+---
+ src/hotspot/os/linux/os_linux.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
+index e8baf704e3a..12b75b733b5 100644
+--- a/src/hotspot/os/linux/os_linux.cpp
++++ b/src/hotspot/os/linux/os_linux.cpp
+@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
+   //        7: The default directories, normally /lib and /usr/lib.
+ #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
+   #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
++#else
++#if defined(AARCH64)
++  // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
++  // might not adhere to the FHS and it would be a change in behaviour if we used
++  // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
++  #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
+ #else
+   #define DEFAULT_LIBPATH "/lib:/usr/lib"
++#endif // AARCH64
+ #endif
+ 
+ // Base path of extensions installed on the system.
+-- 
+2.31.1
+

SOURCES/rh1996182-extend_security_policy.patch

@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Mon Aug 30 16:12:52 2021 +0100
+
+    RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+     permission java.lang.RuntimePermission
+                    "accessClassInPackage.com.sun.crypto.provider";
++    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+     permission java.lang.RuntimePermission
+                    "accessClassInPackage.sun.security.*";
+     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";

SOURCES/rh1996182-login_to_nss_software_token.patch

@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao <mbalao@redhat.com>
+Date:   Fri Aug 27 19:42:07 2021 +0100
+
+    RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 0cf61732d7..2cd851587c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+         java.security.jgss,
+         java.sql,
+         java.xml,
++        jdk.crypto.cryptoki,
+         jdk.jartool,
+         jdk.attach,
+         jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index b00b738b85..1eca1f8f0a 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+ 
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+  */
+ public final class SunPKCS11 extends AuthProvider {
+ 
++    private static final boolean systemFipsEnabled = SharedSecrets
++            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+     private static final long serialVersionUID = -1354835039035306505L;
+ 
+     static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
+             if (nssModule != null) {
+                 nssModule.setProvider(this);
+             }
++            if (systemFipsEnabled) {
++                // The NSS Software Token in FIPS 140-2 mode requires a user
++                // login for most operations. See sftk_fipsCheck. The NSS DB
++                // (/etc/pki/nssdb) PIN is empty.
++                Session session = null;
++                try {
++                    session = token.getOpSession();
++                    p11.C_Login(session.id(), CKU_USER, new char[] {});
++                } catch (PKCS11Exception p11e) {
++                    if (debug != null) {
++                        debug.println("Error during token login: " +
++                                p11e.getMessage());
++                    }
++                    throw p11e;
++                } finally {
++                    token.releaseSession(session);
++                }
++            }
+         } catch (Exception e) {
+             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+                 throw new UnsupportedOperationException

SPECS/java-11-openjdk.spec

@@ -173,10 +173,8 @@
 %endif
 
 # If you disable both builds, then the build fails
-# Note that the debug build requires the normal build for docs
-%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
-# Test slowdebug first as it provides the best diagnostics
-%global rev_build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
 
 %if %{include_staticlibs}
 %global staticlibs_loop %{staticlibs_suffix}
@@ -338,8 +336,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        2
-%global rpmrelease      0
+%global buildver        7
+%global rpmrelease      4
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -368,7 +366,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global ea_designator ""
 %global ea_designator_zip ""
@@ -1235,6 +1233,9 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 Patch1007: rh1915071-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1009: rh1996182-login_to_nss_software_token.patch
+Patch1010: rh1996182-extend_security_policy.patch
 
 #############################################
 #
@@ -1261,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
 
 #############################################
 #
-# Patches appearing in 11.0.10
+# Patches appearing in 11.0.13
 #
 # This section includes patches which are present
 # in the listed OpenJDK 11u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
+# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64
+Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -1612,10 +1615,6 @@ if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{includ
   echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
   exit 14
 fi
-if [ %{include_normal_build} -eq 0 ] ; then
-  echo "You have disabled the normal build, but this is required to provide docs for the debug build."
-  exit 15
-fi
 %setup -q -c -n %{uniquesuffix ""} -T -a 0
 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084
 prioritylength=`expr length %{priority}`
@@ -1635,6 +1634,7 @@ pushd %{top_level_dir_name}
 %patch3 -p1
 %patch4 -p1
 %patch7 -p1
+%patch8 -p1
 popd # openjdk
 
 %patch1000
@@ -1645,6 +1645,8 @@ popd # openjdk
 %patch1004
 %patch1007
 %patch1008
+%patch1009
+%patch1010
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -1854,7 +1856,7 @@ done # end of release / debug cycle loop
 %check
 
 # We test debug first as it will give better diagnostics on a crash
-for suffix in %{rev_build_loop} ; do
+for suffix in %{build_loop} ; do
 
 top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
 %if %{include_staticlibs}
@@ -2361,6 +2363,46 @@ end
 %endif
 
 %changelog
+* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
+- Resolves: rhbz#1997357
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-3
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997357
+
+* Wed Jul 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.7-2
+- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
+- Resolves: rhbz#1994104
+
+* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
+- Update to jdk-11.0.12.0+7
+- Update release notes to 11.0.12.0+7
+- Switch to GA mode for final release.
+- Resolves: rhbz#1972395
+
+* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.6-0.0.ea
+- Update to jdk-11.0.12.0+6
+- Update release notes to 11.0.12.0+6
+- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
+- Resolves: rhbz#1967374
+
+* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.4-0.0.ea
+- Update to jdk-11.0.12.0+4
+- Update release notes to 11.0.12.0+4
+- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
+- Resolves: rhbz#1967374
+
+* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.3-0.0.ea
+- Update to jdk-11.0.12.0+3
+- Update release notes to 11.0.12.0+3
+- Resolves: rhbz#1967374
+
+* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.1.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1966234
+
 * Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.0.ea
 - Update to jdk-11.0.12.0+2
 - Update release notes to 11.0.12.0+2