import java-11-openjdk-11.0.14.1.1-6.el9

CentOS Sources 2022-04-05 05:45:31 -04:00 committed by Stepan Oksanichenko
parent 561b9cc3f9
commit 9a76bdbac2
15 changed files with 2376 additions and 221 deletions

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz
SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz


@ -1,2 +1,2 @@
6453aa42343678f2e4a86362921ff373625f3ed3 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz
dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz


@ -3,6 +3,872 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 11.0.14.1 (2022-02-08):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk110141
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt
* Other changes
- JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
- JDK-8280786: Build failure on Solaris after 8262392
- JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1
New in release OpenJDK 11.0.14 (2022-01-18):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11014
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt
* New features
- JDK-8248238: Implementation: JEP 388: Windows AArch64 Support
* Security fixes
- JDK-8217375: jarsigner breaks old signature with long lines in manifest
- JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- JDK-8268488: More valuable DerValues
- JDK-8268494: Better inlining of inlined interfaces
- JDK-8268512: More content for ContentInfo
- JDK-8268795: Enhance digests of Jar files
- JDK-8268801: Improve PKCS attribute handling
- JDK-8268813, CVE-2022-21283: Better String matching
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- JDK-8269944: Better HTTP transport redux
- JDK-8270386, CVE-2022-21291: Better verification of scan methods
- JDK-8270392, CVE-2022-21293: Improve String constructions
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- JDK-8271962: Better TrueType font loading
- JDK-8271968: Better canonical naming
- JDK-8271987: Manifest improved manifest entries
- JDK-8272014, CVE-2022-21305: Better array indexing
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- JDK-8272272: Enhance jcmd communication
- JDK-8272462: Enhance image handling
- JDK-8273290: Enhance sound handling
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- JDK-8274096, CVE-2022-21366: Improve decoding of image files
- JDK-8279541: Improve HarfBuzz
* Other changes
- JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails
- JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater()
- JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac
- JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead
- JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX
- JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events
- JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked.
- JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception
- JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF
- JDK-8078219: Verify lack of @test tag in files in java/net test directory
- JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely"
- JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently
- JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently
- JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently
- JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX
- JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
- JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails
- JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed
- JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java
- JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails
- JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel
- JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows
- JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed
- JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing
- JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X
- JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows
- JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- JDK-8179880: Refactor javax/security shell tests to plain java tests
- JDK-8180568: Refactor javax/crypto shell tests to plain java tests
- JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests
- JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures
- JDK-8180573: Refactor sun/security/tools shell tests to plain java tests
- JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
- JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2'
- JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails
- JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails
- JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows
- JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows
- JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac
- JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac
- JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac
- JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac
- JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac
- JDK-8199138: Add RISC-V support to Zero
- JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows
- JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c
- JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors
- JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception
- JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java
- JDK-8207936: TestZipFile failed with java.lang.AssertionError exception
- JDK-8208242: Add @requires to vmTestbase/gc/g1 tests
- JDK-8209611: use C++ compiler for hotspot tests
- JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti
- JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests
- JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp)
- JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86
- JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1
- JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests
- JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
- JDK-8210395: Add doc to SecurityTools.java
- JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests
- JDK-8210481: Remove #ifdef cplusplus from vmTestbase
- JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests
- JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests
- JDK-8210689: Remove the multi-line old C style for string literals
- JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests
- JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665
- JDK-8210920: Native C++ tests are not using CXXFLAGS
- JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)"
- JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti
- JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]*
- JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11
- JDK-8211171: move JarUtils to top-level testlibrary
- JDK-8211227: Inconsistent TLS protocol version in debug output
- JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]*
- JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp
- JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]*
- JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E]
- JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M]
- JDK-8211905: Remove multiple casts for EM06 file
- JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI)
- JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]*
- JDK-8212083: Handle remaining gc/lock native code and fix two strings
- JDK-8212148: Remove remaining NSK_CPP_STUBs
- JDK-8213110: Remove the use of applets in automatic tests
- JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default
- JDK-8213263: fix legal headers in test/langtools
- JDK-8213296: Fix legal headers in test/jdk/java/net
- JDK-8213301: Fix legal headers in jdk logging tests
- JDK-8213305: Fix legal headers in test/java/math
- JDK-8213306: Fix legal headers in test/java/nio
- JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools
- JDK-8213330: Fix legal headers in i18n tests
- JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name
- JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails
- JDK-8215410: Regression test for JDK-8214994
- JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher
- JDK-8215624: Add parallel heap iteration for jmap histo
- JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC
- JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted
- JDK-8216417: cleanup of IPv6 scope-id handling
- JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception
- JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX
- JDK-8217633: Configurable extensions with system properties
- JDK-8217882: java/net/httpclient/MaxStreams.java failed once
- JDK-8217903: java/net/httpclient/Response204.java fails with 404
- JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5"
- JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle
- JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address
- JDK-8221259: New tests for java.net.Socket to exercise long standing behavior
- JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris
- JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu
- JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
- JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ
- JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'.
- JDK-8223138: Small clean-up in loop-tree support.
- JDK-8223139: Rename mandatory policy-do routines.
- JDK-8223140: Clean-up in 'ok_to_convert()'
- JDK-8223141: Change (count) suffix _ct into _cnt.
- JDK-8223400: Replace some enums with static const members in hotspot/runtime
- JDK-8223658: Performance regression of XML.validation in 13-b19
- JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- JDK-8224829: AsyncSSLSocketClose.java has timing issue
- JDK-8225083: Remove Google certificate that is expiring in December 2021
- JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17
- JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx
- JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine"
- JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7
- JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text
- JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type"
- JDK-8230067: Add optional automatic retry when running jtreg tests
- JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms
- JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99
- JDK-8233403: Improve verbosity of some httpclient tests
- JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS
- JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS
- JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS
- JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS
- JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS
- JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos
- JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos
- JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos
- JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS
- JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing
- JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS
- JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos
- JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos
- JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos
- JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos
- JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos
- JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos
- JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos
- JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos
- JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos
- JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos
- JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos
- JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos
- JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms
- JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10
- JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits
- JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1
- JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait
- JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel
- JDK-8237354: Add option to jcmd to write a gzipped heap dump
- JDK-8237589: Fix copyright header formatting
- JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version
- JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on
- JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled
- JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual
- JDK-8240256: Better resource cleaning for SunPKCS11 Provider
- JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server
- JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system
- JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java
- JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
- JDK-8244292: Headful clients failing with --illegal-access=deny
- JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java
- JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList
- JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA
- JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems)
- JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh
- JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder
- JDK-8247510: typo in IllegalHandshakeMessage
- JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn
- JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java
- JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64
- JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
- JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle
- JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows
- JDK-8250810: Push missing parts of JDK-8248817
- JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate
- JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c
- JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails
- JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
- JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible
- JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id
- JDK-8251930: AArch64: Native types mismatch in hotspot
- JDK-8252049: Native memory leak in ciMethodData ctor
- JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
- JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC
- JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection
- JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens
- JDK-8253497: Core Libs Terminology Refresh
- JDK-8253682: The AppletInitialFocusTest1.java is unstable
- JDK-8253763: ParallelObjectIterator should have virtual destructor
- JDK-8253866: Security Libs Terminology Refresh
- JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY"
- JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface
- JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows
- JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core
- JDK-8255722: Create a new test for rotated blit
- JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad
- JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions
- JDK-8256152: tests fail because of ambiguous method resolution
- JDK-8256182: Update qemu-debootstrap cross-compilation recipe
- JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed
- JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest
- JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font
- JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64
- JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows
- JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
- JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection.
- JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit
- JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard
- JDK-8261036: Reduce classes loaded by CleanerFactory initialization
- JDK-8261071: AArch64: Refactor interpreter native wrappers
- JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation
- JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- JDK-8261297: NMT: Final report should use scale 1
- JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big
- JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed
- JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed"
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
- JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp
- JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
- JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify
- JDK-8263773: Reenable German localization for builds at Oracle
- JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method"
- JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout
- JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly
- JDK-8265019: Update tests for additional TestNG test permissions
- JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test
- JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0
- JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
- JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java
- JDK-8266949: Check possibility to disable OperationTimedOut on Unix
- JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines
- JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- JDK-8267304: Bump global JTReg memory limit to 768m
- JDK-8267652: c2 loop unrolling by 8 results in reading memory past array
- JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE
- JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1
- JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
- JDK-8269034: AccessControlException for SunPKCS11 daemon threads
- JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass
- JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
- JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- JDK-8269768: JFR Terminology Refresh
- JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- JDK-8269984: [macos] JTabbedPane title looks like disabled
- JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
- JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
- JDK-8270216: [macOS] Update named used for Java run loop mode
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
- JDK-8270290: NTLM authentication fails if HEAD request is used
- JDK-8270317: Large Allocation in CipherSuite
- JDK-8270344: Session resumption errors
- JDK-8270517: Add Zero support for LoongArch
- JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
- JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
- JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
- JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1
- JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems`
- JDK-8272316: Wrong Boot JDK help message in 11
- JDK-8272318: Improve performance of HeapDumpAllTest
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- JDK-8272570: C2: crash in PhaseCFG::global_code_motion
- JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
- JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
- JDK-8272783: Epsilon: Refactor tests to improve performance
- JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
- JDK-8272828: Add correct licenses to jszip.md
- JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
- JDK-8272850: Drop zapping values in the Zap* option descriptions
- JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14
- JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
- JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout
- JDK-8273026: Slow LoginContext.login() on multi threading application
- JDK-8273229: Update OS detection code to recognize Windows Server 2022
- JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
- JDK-8273308: PatternMatchTest.java fails on CI
- JDK-8273314: Add tier4 test groups
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
- JDK-8273358: macOS Monterey does not have the font Times needed by Serif
- JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
- JDK-8273498: compiler/c2/Test7179138_1.java timed out
- JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2
- JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332
- JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
- JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
- JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal
- JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
- JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields
- JDK-8273826: Correct Manifest file name and NPE checks
- JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
- JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
- JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
- JDK-8273968: JCK javax_xml tests fail in CI
- JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
- JDK-8274083: Update testing docs to mention tiered testing
- JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
- JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
- JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
- JDK-8274381: missing CAccessibility definitions in JNI code
- JDK-8274407: (tz) Update Timezone Data to 2021c
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
- JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
- JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
- JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
- JDK-8274840: Update OS detection code to recognize Windows 11
- JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp
- JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
- JDK-8275131: Exceptions after a touchpad gesture on macOS
- JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
- JDK-8275766: (tz) Update Timezone Data to 2021e
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
- JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
- JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
- JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
- JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
- JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
- JDK-8276854: Windows GHA builds fail due to broken Cygwin
- JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
- JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
- JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
- JDK-8277815: Fix mistakes in legal header backports
Notes on individual issues:
===========================
core-svc/tools:
JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump
=====================================================================
A new integer option `gz` has been added to the `GC.heap_dump`
diagnostic command. If it is specified, it will enable the gzip
compression of the written heap dump. The supplied value is the
compression level. It can range from 1 (fastest) to 9 (slowest, but
best compression). The recommended level is 1.
security-libs/javax.net.ssl:
JDK-8260310: Configurable Extensions With System Properties
===========================================================
Two new system properties have been added. The system property,
`jdk.tls.client.disableExtensions`, is used to disable TLS extensions
used in the client. The system property,
`jdk.tls.server.disableExtensions`, is used to disable TLS extensions
used in the server. If an extension is disabled, it will be neither
produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS
extension names, as registered in the IANA documentation (for example,
server_name, status_request, and signature_algorithms_cert). Note that
the extension names are case sensitive. Unknown, unsupported,
misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is
complicated. For example, a TLS connection may not be able to be
established if a mandatory extension is disabled. Please do not
disable mandatory extensions, and do not use this feature unless you
clearly understand the impact.
security-libs/javax.crypto:pkcs11:
JDK-8272907: New SunPKCS11 Configuration Properties
===================================================
The SunPKCS11 provider gains new provider configuration attributes to
better control native resources usage. The SunPKCS11 provider consumes
native resources in order to work with native PKCS11 libraries. To
manage and better control the native resources, additional
configuration attributes are added to control the frequency of
clearing native references as well as whether to destroy the
underlying PKCS11 Token after logout.
The 3 new attributes for the SunPKCS11 provider configuration file
are:
1) `destroyTokenAfterLogout` (boolean, defaults to false)
If set to true, when `java.security.AuthProvider.logout()` is called
upon the SunPKCS11 provider instance, the underlying Token object will
be destroyed and resources will be freed. This essentially renders the
SunPKCS11 provider instance unusable after `logout()` calls. Note that
a PKCS11 provider with this attribute set to `true` should not be
added to the system provider list since the provider object is not
usable after a `logout()` method call.
2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds)
This defines the frequency for clearing native references during busy
periods (such as, how often should the cleaner thread processes the
no-longer-needed native references in the queue to free up native
memory). Note that the cleaner thread will switch to the
'longInterval' frequency after 200 failed tries (such as, when no
references are found in the queue).
3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds)
This defines the frequency for checking native reference during
non-busy period (such as, how often should the cleaner thread check
the queue for native references). Note that the cleaner thread will
switch back to the 'shortInterval' value if native PKCS11 references
for cleaning are detected.
core-libs/java.nio:
JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "."
=====================================================================================================
The ZIP file system provider has been changed to reject existing ZIP
files that contain entries with "." or ".." in name elements. ZIP
files with these entries can not be used as a file system. Invoking
the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw
`ZipException` if the ZIP file contains these entries.
security-libs/java.security:
JDK-8272535: Removed Google's GlobalSign Root Certificate
=========================================================
The following root certificate from Google has been removed from the
`cacerts` keystore:
Alias Name: globalsignr2ca [jdk]
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
core-libs/java.time:
JDK-8274857: Update Timezone Data to 2021c
===========================================
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
has been updated to version 2021c
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
that with this update, some of the time zone rules prior to the year
1970 have been modified according to the changes which were introduced
with 2021b. For more detail, refer to the announcement of 2021b
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
New in release OpenJDK 11.0.13 (2021-10-19):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11013
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt
* Security fixes
- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors
- JDK-8265574: Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268205: Enhance DTLS client handshake
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization
* Other changes
- JDK-8024368: private methods are allocated vtable indices
- JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently
- JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites
- JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream
- JDK-8158066: SourceDebugExtensionTest fails to rename file
- JDK-8168304: Make all of DependencyContext_test available in product mode
- JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException
- JDK-8181313: SA: Remove libthread_db dependency on Linux
- JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9
- JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException
- JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails
- JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received"
- JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes
- JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales.
- JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed
- JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64
- JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration
- JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings
- JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test
- JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java
- JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java
- JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test
- JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test
- JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests
- JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests
- JDK-8210495: compiler crashes because of illegal signature in otherwise legal code
- JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout
- JDK-8210802: temp files left by tests in jdk/java/net/httpclient
- JDK-8210819: Update the host name in CNameTest.java
- JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test
- JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK
- JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'.
- JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected
- JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up
- JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang
- JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up
- JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12
- JDK-8212695: Add explicit timeout to several HTTP Client tests
- JDK-8212718: Refactor some annotation processor tests to better use collections
- JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java
- JDK-8213137: Remove static initialization of monitor/mutex instances
- JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit
- JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests
- JDK-8213576: Make test AsyncCloseChannel.java run in othervm
- JDK-8213694: Test Timeout.java should run in othervm mode
- JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003
- JDK-8213922: fix ctw stand-alone build
- JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java
- JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order
- JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date
- JDK-8216532: tools/launcher/Test7029048.java fails (Solaris)
- JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests
- JDK-8218145: block_if_requested is not proper inlined due to size
- JDK-8219417: bump jtreg requiredVersion to b14
- JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/
- JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
- JDK-8220445: Support for side by side MSVC Toolset versions
- JDK-8221988: add possibility to build with Visual Studio 2019
- JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail
- JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods
- JDK-8224853: CDS address sanitizer errors
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
- JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions
- JDK-8225690: Multiple AttachListener threads can be created
- JDK-8225790: Two NestedDialogs tests fail on Ubuntu
- JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java
- JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly
- JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK
- JDK-8226683: Remove review suggestion from fix to 8219804
- JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
- JDK-8227766: CheckUnhandledOops is broken in MemAllocator
- JDK-8227815: Minimal VM: set_state is not a member of AttachListener
- JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes
- JDK-8230808: Remove Access::equals()
- JDK-8230841: Remove oopDesc::equals()
- JDK-8231717: Improve performance of charset decoding when charset is always compactable
- JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100%
- JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64)
- JDK-8233790: Forward output from heap dumper to jcmd/jmap
- JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java
- JDK-8234510: Remove file seeking requirement for writing a heap dump
- JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
- JDK-8235216: typo in test filename
- JDK-8235866: bump jtreg requiredVersion to 4.2b16
- JDK-8236111: narrow allowSmartActionArgs disabling
- JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException
- JDK-8236671: NullPointerException in JKS keystore
- JDK-8238930: problem list compiler/c2/Test8004741.java
- JDK-8238943: switch to jtreg 5.0
- JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test
- JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files
- JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration
- JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler
- JDK-8241768: git needs .gitattributes
- JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException
- JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
- JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases
- JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]"
- JDK-8246387: switch to jtreg 5.1
- JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob
- JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
- JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open
- JDK-8248403: AArch64: Remove uses of kernel integer types
- JDK-8248414: AArch64: Remove uses of long and unsigned long ints
- JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model
- JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread
- JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC
- JDK-8248671: AArch64: Remove unused variables
- JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper
- JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply
- JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows
- JDK-8249548: backward focus traversal gets stuck in button group
- JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference
- JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id
- JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id
- JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id
- JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call
- JDK-8250824: AArch64: follow up for JDK-8248414
- JDK-8251166: Add automated testcases for changes done in JDK-8214112
- JDK-8251252: Add automated testcase for fix done in JDK-8214253
- JDK-8251254: Add automated test for fix done in JDK-8218472
- JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test
- JDK-8251549: Update docs on building for Git
- JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports()
- JDK-8252194: Add automated test for fix done in JDK-8218469
- JDK-8252648: Shenandoah: name gang tasks consistently
- JDK-8252825: Add automated test for fix done in JDK-8218479
- JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1
- JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent
- JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller
- JDK-8253424: Add support for running pre-submit testing using GitHub Actions
- JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165
- JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
- JDK-8253899: Make IsClassUnloadingEnabled signature match specification
- JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image
- JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
- JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
- JDK-8254175: Build no-pch configuration in debug mode for submit checks
- JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation
- JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c
- JDK-8254282: Add Linux x86_32 builds to submit workflow
- JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments
- JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1
- JDK-8255305: Add Linux x86_32 tier1 to submit workflow
- JDK-8255352: Archive important test outputs in submit workflow
- JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
- JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop
- JDK-8255718: Zero: VM should know it runs in interpreter-only mode
- JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux
- JDK-8255810: Zero: build fails without JVMTI
- JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
- JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
- JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code
- JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE
- JDK-8256277: Github Action build on macOS should define OS and Xcode versions
- JDK-8256354: Github Action build on Windows should define OS and MSVC versions
- JDK-8256393: Github Actions build on Linux should define OS and GCC versions
- JDK-8256414: add optimized build to submit workflow
- JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
- JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
- JDK-8257148: Remove obsolete code in AWTView.m
- JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
- JDK-8257620: Do not use objc_msgSend_stret to get macOS version
- JDK-8257913: Add more known library locations to simplify Linux cross-compilation
- JDK-8258703: Incorrect 512-bit vector registers restore on x86_32
- JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
- JDK-8259535: ECDSA SignatureValue do not always have the specified length
- JDK-8259679: GitHub actions should use MSVC 14.28
- JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
- JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
- JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
- JDK-8260923: Add more tests for SSLSocket input/output shutdown
- JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention
- JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions
- JDK-8261238: NMT should not limit baselining by size threshold
- JDK-8261496: Shenandoah: reconsider pacing updates memory ordering
- JDK-8261652: Remove some dead comments from os_bsd_x86
- JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream
- JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
- JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8262392: Update Mesa 3-D Headers to version 21.0.3
- JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception"
- JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows
- JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java
- JDK-8263136: C4530 was reported from VS 2019 at access bridge
- JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block
- JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"
- JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X)
- JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems
- JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod
- JDK-8263531: Remove unused buffer int
- JDK-8263667: Avoid running GitHub actions on branches named pr/*
- JDK-8263776: [JVMCI] add helper to perform Java upcalls
- JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI
- JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M
- JDK-8265132: C2 compilation fails with assert "missing precedence edge"
- JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821
- JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description
- JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter
- JDK-8265761: Font with missed font family name is not properly printed on Windows
- JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API
- JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
- JDK-8266018: Shenandoah: fix an incorrect assert
- JDK-8266206: Build failure after JDK-8264752 with older GCCs
- JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
- JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong
- JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
- JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation
- JDK-8266615: C2 incorrectly folds subtype checks involving an interface array
- JDK-8266642: Improve ResolvedMethodTable hash function
- JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
- JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted
- JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress
- JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header
- JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes
- JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance
- JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion
- JDK-8267424: CTW: C1 fails with "State must not be null"
- JDK-8267459: Pasting Unicode characters into JShell does not work.
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
- JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13
- JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID
- JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly
- JDK-8268103: JNI functions incorrectly return a double after JDK-8265836
- JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code
- JDK-8268360: Missing check for infinite loop during node placement
- JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop
- JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan
- JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check
- JDK-8268417: Add test from JDK-8268360
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
- JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE
- JDK-8268620: InfiniteLoopException test may fail on x86 platforms
- JDK-8268635: Corrupt oop in ClassLoaderData
- JDK-8268699: Shenandoah: Add test for JDK-8268127
- JDK-8268771: javadoc -notimestamp option does not work on index.html
- JDK-8268775: Password is being converted to String in AccessibleJPasswordField
- JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag
- JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server
- JDK-8269304: Regression ~5% in 2005 in b27
- JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
- JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build
- JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
- JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation
- JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string
- JDK-8269661: JNI_GetStringCritical does not lock char array
- JDK-8269668: [aarch64] java.library.path not including /usr/lib64
- JDK-8269763: The JEditorPane is blank after JDK-8265167
- JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV
- JDK-8269847: JDK-8269594 backport breaks 11u builds
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- JDK-8269882: stack-use-after-scope in NewObjectA
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas
- JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas
- JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
- JDK-8272197: Update 11u GHA workflow with Shenandoah configurations
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
- JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
- JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u
- JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8271434: Removed IdenTrust Root Certificate
===============================================
The following root certificate from IdenTrust has been removed from
the `cacerts` keystore:
Alias Name: identrustdstx3 [jdk]
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280
=====================================================================================================
The `gencert` command of the `keytool` utility has been updated to
create AKID from the SKID of the issuing certificate as specified by
RFC 5280.
security-libs/javax.net.ssl:
JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites
====================================================
New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have
been added to JSSE. These cipher suites are enabled by default. The
TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3.
The following cipher suites are available for TLS 1.2:
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for
details on these new TLS cipher suites.
JDK-8219551: Updated the Default Enabled Cipher Suites Preference
=================================================================
The preference of the default enabled cipher suites has been
changed. The compatibility impact should be minimal. If needed,
applications can customize the enabled cipher suites and the
preference. For more details, refer to the SunJSSE provider
documentation and the JSSE Reference Guide documentation.
New in release OpenJDK 11.0.12 (2021-07-20):
=============================================
Live versions of these release notes can be found at:


@ -0,0 +1,12 @@
diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
index d18d70b5f9..30ab380e40 100644
--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
#ifdef ASSERT
if (istate->_msg != initialize) {
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
}
// Verify linkages.
interpreterState l = istate;
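Review bot: The `IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));` check is dropped from the `#ifdef ASSERT` block in `BytecodeInterpreter::run` with no stated reason. The patch file has no description header, unlike the removed os_linux.cpp patch on this page, which carried `From:` and `Subject:` lines. A debug-only consistency check on the interpreter stack limit is cheap to keep, so the patch should say which build or test failure motivated removing it and name the upstream bug or commit, if there is one. A short header at the top of the patch file with that reference would let a later rebase decide whether the removal is still needed. The enclosing function continues outside the hunk.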


@ -1,32 +0,0 @@
From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
From: Severin Gehwolf <sgehwolf@redhat.com>
Date: Wed, 14 Jul 2021 12:06:39 +0200
Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
---
src/hotspot/os/linux/os_linux.cpp | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
index e8baf704e3a..12b75b733b5 100644
--- a/src/hotspot/os/linux/os_linux.cpp
+++ b/src/hotspot/os/linux/os_linux.cpp
@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
// 7: The default directories, normally /lib and /usr/lib.
#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
+#else
+#if defined(AARCH64)
+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
+ // might not adhere to the FHS and it would be a change in behaviour if we used
+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
#else
#define DEFAULT_LIBPATH "/lib:/usr/lib"
+#endif // AARCH64
#endif
// Base path of extensions installed on the system.
--
2.31.1


@ -0,0 +1,26 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 300f3682655..6f3eb6c450b 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}
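Review bot: The comments on the two new `catch (AuthenticationException e)` blocks say the rethrow avoids "blocking the user" without saying what blocks them. If the concern is account lockout from replaying the same bad credentials against every endpoint or URL, the comment should say so, e.g. `// wrong credentials would fail on every endpoint; retrying only adds failed binds and may lock the account`. The comment could also record that an authentication failure now ends failover immediately, so any `lastException` / `ex` saved from earlier endpoints is discarded in favour of `e`. Both enclosing methods start and end outside the hunks.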


@ -1,6 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips


@ -0,0 +1,590 @@
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 53f32d12cc..28ab184617 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 5565acb7c6..874c6221eb 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -149,6 +150,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -176,6 +187,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
index d8caa5640c..21bc6d0b59 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.misc;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
index ffee2c1603..ff3d5e0e4a 100644
--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
import javax.net.ssl.*;
+import jdk.internal.misc.SharedSecrets;
+
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
X509ExtendedKeyManager keyManager;
boolean isInitialized;
@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
+ !plainKeySupportEnabled) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
+ && !plainKeySupportEnabled) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 0000000000..b848a1fd78
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 1eca1f8f0a..72674a7330 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 04a369f453..8d2081abaa 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -150,16 +151,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
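Review bot: In `FIPSKeyImporter.importKey` the plain key encoding in `keyBytes` is never cleared after `importerCipher.doFinal(keyBytes)`, so the private or secret key stays on the heap until it is collected. For the private-key branches, where `keyBytes` is a fresh `getEncoded()` result, `Arrays.fill(keyBytes, (byte) 0);` after the `doFinal` call would bound that lifetime (it needs `java.util.Arrays`); the secret-key branch takes the array from the `CKA_VALUE` attribute, so check first whether clearing it would also clear the caller's template. `createImporterKey` also draws the IV once and every import reuses it under the same AES-CBC importer key; the wrapped bytes go straight to `C_UnwrapKey`, so exposure looks limited, but a fresh IV and `CK_MECHANISM` per import would avoid relying on that. The `catch (Throwable t)` in `importKey` drops the cause without a `debug.println`, which leaves an import failure with nothing but `CKR_GENERAL_ERROR` to go on.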


@ -1,18 +0,0 @@
commit 598fe421216b0a437fa36ee91a29966599867aa3
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Aug 30 16:12:52 2021 +0100
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
index ab59a334cd..5db744ff17 100644
--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";


@ -5,7 +5,7 @@ Date: Fri Aug 27 19:42:07 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 0cf61732d7..2cd851587c 100644
index 5460efcf8c..f08dc2fafc 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@ module java.base {
@ -17,19 +17,19 @@ index 0cf61732d7..2cd851587c 100644
jdk.attach,
jdk.charsets,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index b00b738b85..1eca1f8f0a 100644
index 5e227f4531..164de8ff08 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import jdk.internal.misc.InnocuousThread;
+import jdk.internal.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
*/
public final class SunPKCS11 extends AuthProvider {
@ -39,7 +39,7 @@ index b00b738b85..1eca1f8f0a 100644
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}


@ -0,0 +1,28 @@
commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:00:55 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index 2ec51d57806..8489b940c43 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -36,6 +36,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -368,6 +369,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ unsafe.ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}


@ -0,0 +1,24 @@
commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 17 19:44:03 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..34d0ff0ce91 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);


@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {
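Review bot: In the `Security.java` hunk, `configureFIPS(props)` is only reached `if (loadedProps)`, so when `java.security` cannot be loaded the JVM falls back to `initializeStatic()` and the FIPS step is skipped with no message of its own, even on a host in FIPS mode. An `else` branch such as `if (sdebug != null) { sdebug.println("WARNING: FIPS support not configured: security properties were not loaded."); }` would make that visible; whether it should fail instead of continuing is a policy call the hunk does not settle. In `configureFIPS`, the local `loadedProps` now carries the FIPS-enabled result (the caller stores it in `fipsEnabled`), so renaming it would match what it returns. The bodies of both methods continue outside the hunks.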


@ -0,0 +1,220 @@
commit e2be09f982af1cc05f5e6556d51900bca4757416
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 28 05:30:32 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 34d0ff0ce91..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,25 +23,99 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
+#define MSG_MAX_SIZE 256
#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-#define MSG_MAX_SIZE 96
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
+}
+
+#endif
/*
* Class: java_security_SystemConfigurator
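Review bot: closeNSS() hands nss_handle to dlclose() without checking it, but loadNSS() returns JNI_FALSE with nss_handle still NULL when dlopen() fails. The JNI_OnLoad hunk only logs that failure and continues, so the closeNSS(env) call added in the DEF_JNI_OnUnload hunk can run with a null handle. Calling dlclose() on a handle that did not come from a successful dlopen() should not be relied on, so the guard should be `if (nss_handle != NULL && dlclose(nss_handle) != 0) {`. Setting `nss_handle = NULL;` after the close would also make a second call harmless.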
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
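Review bot: The `#else` branch needs a comment, because a failed loadNSS() is reported only through dbgPrint(), which does nothing when debugObj is NULL. In a normal run nothing records that FIPS detection has moved from NSS to the kernel flag. I would add `/* NSS not loadable: getSystemFIPSEnabled stays NULL and the native method falls back to FIPS_ENABLED_PATH */` above the `if (loadNSS(env) == JNI_FALSE)` line. In the `#ifdef SYSCONF_NSS` branch the `*` in `*SECMOD_GetSystemFIPSEnabled` is redundant; `getSystemFIPSEnabled = SECMOD_GetSystemFIPSEnabled;` reads more plainly. JNI_OnLoad starts outside this hunk.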
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
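Review bot: closeNSS(env) is added inside the block that also deletes debugObj (two closing braces follow the DeleteGlobalRef line). If that enclosing block runs only when debugging is enabled, the library opened in JNI_OnLoad is released only in debug runs. The enclosing condition is outside this hunk, so this needs checking against the full function. If it is a test on debugObj, the JNIEnv lookup and the `closeNSS(env);` call should move out of it so the handle is closed regardless of the debug setting.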
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-
-#else // SYSCONF_NSS
+ FILE *fe;
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
-}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
}
