import java-11-openjdk-11.0.17.0.7-0.2.ea.el8

This commit is contained in:
CentOS Sources 2022-11-08 12:09:45 +00:00 committed by Stepan Oksanichenko
parent 3f3dfc1162
commit f51e275c1d
25 changed files with 2780 additions and 2351 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
SOURCES/openjdk-jdk11u-jdk-11.0.17+7-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -1,2 +1,2 @@
a3658fc54f198072f4c61090b712bfe6ff222928 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
4cfb9133da3ebd3242c28f83980b3e461ced4553 SOURCES/openjdk-jdk11u-jdk-11.0.17+7-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -21,8 +21,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
public class CheckVendor {
public static void main(String[] args) {
if (args.length < 3) {
System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
if (args.length < 4) {
System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
String vendorVersionString = System.getProperty("java.vendor.version");
String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
System.err.printf("Invalid vendor bug URL%s, expected %s\n",
System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
System.err.printf("Vendor information verified as %s, %s, %s\n",
vendor, vendorURL, vendorBugURL);
if (!expectedVendorVersionString.equals(vendorVersionString)) {
System.err.printf("Invalid vendor version string %s, expected %s\n",
vendorVersionString, expectedVendorVersionString);
System.exit(5);
}
System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}

View File

@ -3,6 +3,740 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 11.0.17 (2022-10-18):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11017
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.17.html
* Other changes
- JDK-6606767: resexhausted00[34] fail assert(!thread->owns_locks(), "must release all locks when leaving VM")
- JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
- JDK-7131823: bug in GIFImageReader
- JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
- JDK-8028265: Add legacy tz tests to OpenJDK
- JDK-8069343: Improve gc/g1/TestHumongousCodeCacheRoots.java to use jtreg @requires
- JDK-8139348: Deprecate 3DES and RC4 in Kerberos
- JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
- JDK-8164804: sun/security/ssl/SSLSocketImpl/CloseSocket.java makes not reliable time assumption
- JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
- JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
- JDK-8183372: Refactor java/lang/Class shell tests to java
- JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names
- JDK-8193462: Fix Filer handling of package-info initial elements
- JDK-8203277: preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body
- JDK-8208471: nsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds"
- JDK-8209052: Low contrast in docs/api/constant-values.html
- JDK-8209736: runtime/RedefineTests/ModifyAnonymous.java fails with NullPointerException when running in CDS mode
- JDK-8210107: vmTestbase/nsk/stress/network tests fail with Cannot assign requested address (Bind failed)
- JDK-8210722: JAXP Tests: CatalogSupport2 and CatalogSupport3 generate incorrect messages upon failure
- JDK-8210960: Allow --with-boot-jdk-jvmargs to work during configure
- JDK-8212904: JTextArea line wrapping incorrect when using UI scale
- JDK-8213695: gc/TestAllocateHeapAtMultiple.java is slow in some configs
- JDK-8214078: (fs) SecureDirectoryStream not supported on arm32
- JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
- JDK-8215291: Broken links when generating from project without modules
- JDK-8217170: gc/arguments/TestUseCompressedOopsErgo.java timed out
- JDK-8217332: JTREG: Clean up, use generics instead of raw types
- JDK-8218128: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003 and 004 use wrong path to test classes
- JDK-8218413: make reconfigure ignores configure-time AUTOCONF environment variable
- JDK-8219074: [TESTBUG] runtime/containers/docker/TestCPUAwareness.java typo of printing parameters (period should be shares)
- JDK-8219149: ProcessTools.ProcessBuilder should print timing info for subprocesses
- JDK-8220744: [TESTBUG] Move RedefineTests from runtime to serviceability
- JDK-8221871: javadoc should not set role=region on <section> elements
- JDK-8221907: make reconfigure breaks when configured with relative paths
- JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
- JDK-8223575: add subspace transitions to gc+metaspace=info log lines
- JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
- JDK-8226976: SessionTimeOutTests uses == operator for String value check
- JDK-8230708: Hotspot fails to build on linux-sparc with gcc-9
- JDK-8233712: Limit default tests jobs based on ulimit -u setting
- JDK-8235870: C2 crashes in IdealLoopTree::est_loop_flow_merge_sz()
- JDK-8236490: Compiler bug relating to @NonNull annotation
- JDK-8236823: Ensure that API documentation uses minified libraries
- JDK-8238196: tests that use SA Attach should not be allowed to run against signed binaries on Mac OS X 10.14.5 and later
- JDK-8238203: Return value of GetUserDefaultUILanguage() should be handled as LANGID
- JDK-8238268: Many SA tests are not running on OSX because they do not attempt to use sudo when available
- JDK-8238586: [TESTBUG] vmTestbase/jit/tiered/Test.java failed when TieredCompilation is disabled
- JDK-8239265: JFR: Test cleanup of jdk.jfr.api.consumer package
- JDK-8239379: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java on OSX
- JDK-8239423: jdk/jfr/jvm/TestJFRIntrinsic.java failed with -XX:-TieredCompilation
- JDK-8239902: [macos] Remove direct usage of JSlider, JProgressBar classes in CAccessible class
- JDK-8240903: Add test to check that jmod hashes are reproducible
- JDK-8242188: error in jtreg test jdk/jfr/api/consumer/TestRecordedFrame.java on linux-aarch64
- JDK-8247546: Pattern matching does not skip correctly over supplementary characters
- JDK-8247907: XMLDsig logging does not work
- JDK-8247964: All log0() in com/sun/org/slf4j/internal/Logger.java should be private
- JDK-8249623: test @ignore-d due to 7013634 should be returned back to execution
- JDK-8251152: ARM32: jtreg c2 Test8202414 test crash
- JDK-8251551: Use .md filename extension for README
- JDK-8252145: Unify Info.plist files with correct version strings
- JDK-8253829: Wrong length compared in SSPI bridge
- JDK-8253916: ResourceExhausted/resexhausted001 crashes on Linux-x64
- JDK-8254178: Remove .hgignore
- JDK-8254318: Remove .hgtags
- JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
- JDK-8255729: com.sun.tools.javac.processing.JavacFiler.FilerOutputStream is inefficient
- JDK-8257623: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted001/TestDescription.java shouldn't use timeout
- JDK-8258946: Fix optimization-unstable code involving signed integer overflow
- JDK-8261160: Add a deserialization JFR event
- JDK-8262085: Hovering Metal HTML Tooltips in different windows cause IllegalArgExc on Linux
- JDK-8264400: (fs) WindowsFileStore equality depends on how the FileStore was constructed
- JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
- JDK-8265020: tests must be updated for new TestNG module name
- JDK-8265100: (fs) WindowsFileStore.hashCode() should read cached hash code once
- JDK-8265531: doc/building.md should mention homebrew install freetype
- JDK-8266250: WebSocketTest and WebSocketProxyTest call assertEquals(List<byte[]>, List<byte[]>)
- JDK-8266254: Update to use jtreg 6
- JDK-8266460: java.io tests fail on null stream with upgraded jtreg/TestNG
- JDK-8266461: tools/jmod/hashes/HashesTest.java fails: static @Test methods
- JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
- JDK-8266675: Optimize IntHashTable for encapsulation and ease of use
- JDK-8266774: System property values for stdout/err on Windows UTF-8
- JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java
- JDK-8267180: Typo in copyright header for HashesTest
- JDK-8267271: Fix gc/arguments/TestNewRatioFlag.java expectedNewSize calculation
- JDK-8267880: Upgrade the default PKCS12 MAC algorithm
- JDK-8268185: Update GitHub Actions for jtreg 6
- JDK-8269039: Disable SHA-1 Signed JARs
- JDK-8269517: compiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges
- JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
- JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
- JDK-8271010: vmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently
- JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
- JDK-8271512: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java due to 8270326
- JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
- JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
- JDK-8273526: Extend the OSContainer API pids controller with pids.current
- JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
- JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
- JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
- JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
- JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
- JDK-8277893: Arraycopy stress tests
- JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
- JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
- JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
- JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
- JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
- JDK-8279622: C2: miscompilation of map pattern as a vector reduction
- JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
- JDK-8281181: Do not use CPU Shares to compute active processor count
- JDK-8281535: Create a regression test for JDK-4670051
- JDK-8281569: Create tests for Frame.setMinimumSize() method
- JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
- JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
- JDK-8281745: Create a regression test for JDK-4514331
- JDK-8281988: Create a regression test for JDK-4618767
- JDK-8282214: Upgrade JQuery to version 3.6.0
- JDK-8282234: Create a regression test for JDK-4532513
- JDK-8282280: Update Xerces to Version 2.12.2
- JDK-8282343: Create a regression test for JDK-4518432
- JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- JDK-8282548: Create a regression test for JDK-4330998
- JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
- JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
- JDK-8282860: Write a regression test for JDK-4164779
- JDK-8282933: Create a test for JDK-4529616
- JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
- JDK-8283015: Create a test for JDK-4715496
- JDK-8283017: GHA: Workflows break with update release versions
- JDK-8283087: Create a test or JDK-4715503
- JDK-8283245: Create a test for JDK-4670319
- JDK-8283277: ISO 4217 Amendment 171 Update
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- JDK-8283493: Create an automated regression test for RFE 4231298
- JDK-8283507: Create a regression test for RFE 4287690
- JDK-8283621: Write a regression test for CCC4400728
- JDK-8283623: Create an automated regression test for JDK-4525475
- JDK-8283624: Create an automated regression test for RFE-4390885
- JDK-8283712: Create a manual test framework class
- JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
- JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- JDK-8284077: Create an automated test for JDK-4170173
- JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
- JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
- JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
- JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
- JDK-8284754: print more interesting env variables in hs_err and VM.info
- JDK-8284758: [linux] improve print_container_info
- JDK-8284882: SIGSEGV in Node::verify_edges due to compilation bailout
- JDK-8284898: Enhance PassFailJFrame
- JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
- JDK-8284950: CgroupV1 detection code should consider memory.swappiness
- JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
- JDK-8285081: Improve XPath operators count accuracy
- JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
- JDK-8285380: Fix typos in security
- JDK-8285398: Cache the results of constraint checks
- JDK-8285693: Create an automated test for JDK-4702199
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
- JDK-8285728: Alpine Linux build fails with busybox tar
- JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
- JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
- JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
- JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
- JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
- JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
- JDK-8287017: Bump update version for OpenJDK: jdk-11.0.17
- JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
- JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
- JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
- JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
- JDK-8287336: GHA: Workflows break on patch versions
- JDK-8287366: Improve test failure reporting in GHA
- JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
- JDK-8287463: JFR: Disable TestDevNull.java on Windows
- JDK-8287663: Add a regression test for JDK-8287073
- JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
- JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
- JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
- JDK-8288467: remove memory_operand assert for spilled instructions
- JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
- JDK-8288763: Pack200 extraction failure with invalid size
- JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
- JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
- JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)
- JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
- JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
- JDK-8289486: Improve XSLT XPath operators count efficiency
- JDK-8289549: ISO 4217 Amendment 172 Update
- JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
- JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
- JDK-8290000: Bump macOS GitHub actions to macOS 11
- JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- JDK-8290198: Shenandoah: a few Shenandoah tests failure after JDK-8214799 11u backport
- JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
- JDK-8290334: Update FreeType to 2.12.1
- JDK-8290813: jdk/nashorn/api/scripting/test/ScriptObjectMirrorTest.java fails: assertEquals is ambiguous
- JDK-8290886: [11u]: Backport of JDK-8266250 introduced test failures
- JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u
- JDK-8291713: assert(!phase->exceeding_node_budget()) failed: sanity after JDK-8223389
- JDK-8291794: [11u] Corrections after backport of JDK-8212028
- JDK-8292579: (tz) Update Timezone Data to 2022c
- JDK-8292852: [11u] TestMemoryWithCgroupV1 fails after JDK-8292768
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
===========================================================================
Two system properties have been added which control the keep alive
behavior of HttpURLConnection in the case where the server does not
specify a keep alive time. Two properties are defined for controlling
connections to servers and proxies separately. They are:
* `http.keepAlive.time.server`
* `http.keepAlive.time.proxy`
respectively. More information about them can be found on the
Networking Properties page:
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
hotspot/runtime:
JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
=====================================================================
Previous JDK releases used an incorrect interpretation of the Linux
cgroups parameter "cpu.shares". This might cause the JVM to use fewer
CPUs than available, leading to an under utilization of CPU resources
when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer
considers "cpu.shares" when deciding the number of threads to be used
by the various thread pools. The `-XX:+UseContainerCpuShares`
command-line option can be used to revert to the previous
behavior. This option is deprecated and may be removed in a future JDK
release.
security-libs/java.security:
JDK-8269039: Disabled SHA-1 Signed JARs
=======================================
JARs signed with SHA-1 algorithms are now restricted by default and
treated as if they were unsigned. This applies to the algorithms used
to digest, sign, and optionally timestamp the JAR. It also applies to
the signature and digest algorithms of the certificates in the
certificate chain of the code signer and the Timestamp Authority, and
any CRLs or OCSP responses that are used to verify if those
certificates have been revoked. These restrictions also apply to
signed JCE providers.
To reduce the compatibility risk for JARs that have been previously
timestamped, there is one exception to this policy:
- Any JAR signed with SHA-1 algorithms and timestamped prior to
January 01, 2019 will not be restricted.
This exception may be removed in a future JDK release. To determine if
your signed JARs are affected by this change, run:
$ jarsigner -verify -verbose -certs`
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
"disabled" and a warning that the JAR will be treated as unsigned in
the output.
For example:
Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or
re-signed with stronger algorithms.
Users can, *at their own risk*, remove these restrictions by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) and removing "SHA1 usage
SignedJAR & denyAfter 2019-01-01" from the
`jdk.certpath.disabledAlgorithms` security property and "SHA1
denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
property.
JDK-8267880: Upgrade the default PKCS12 MAC algorithm
=====================================================
The default MAC algorithm used in a PKCS #12 keystore has been
updated. The new algorithm is based on SHA-256 and is stronger than
the old one based on SHA-1. See the security properties starting with
`keystore.pkcs12` in the `java.security` file for detailed
information.
The new SHA-256 based MAC algorithms were introduced in the 11.0.12
release. Keystores created using this newer, stronger, MAC algorithm
cannot be opened in versions of OpenJDK 11 earlier than 11.0.12. A
'java.security.NoSuchAlgorithmException' exception will be thrown in
such circumstances.
For compatibility, use the `keystore.pkcs12.legacy` system property,
which will revert the algorithms to use the older, weaker
algorithms. There is no value defined for this property.
core-libs/java.io:serialization:
JDK-8261160: JDK Flight Recorder Event for Deserialization
==========================================================
It is now possible to monitor deserialization of objects using JDK
Flight Recorder (JFR). When JFR is enabled and the JFR configuration
includes deserialization events, JFR will emit an event whenever the
running program attempts to deserialize an object. The deserialization
event is named `jdk.Deserialization`, and it is disabled by
default. The deserialization event contains information that is used
by the serialization filter mechanism; see the ObjectInputFilter API
specification for details.
Additionally, if a filter is enabled, the JFR event indicates whether
the filter accepted or rejected deserialization of the object. For
further information about how to use the JFR deserialization event,
see the article "Monitoring Deserialization to Improve Application
Security"
(https://inside.java/2021/03/02/monitoring-deserialization-activity-in-the-jdk/).
For reference information about using and configuring JFR, see the
"JFR Runtime Guide"
(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-runtime-guide/preface_jfrrt.htm#JFRRT165)
and "JFR Command Reference"
(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-command-reference/command-line-options.htm#JFRCR-GUID-FE61CA60-E1DF-460E-A8E0-F4FF5D58A7A0)
sections of the JDK Mission Control documentation.
security-libs/org.ietf.jgss:krb5:
JDK-8139348: Deprecate 3DES and RC4 in Kerberos
===============================================
The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
are now deprecated and disabled by default. Users can set
`allow_weak_crypto = true` in the `krb5.conf` configuration file to
re-enable them (along with other weak etypes including `des-cbc-crc`
and `des-cbc-md5`) at their own risk. To disable a subset of the weak
etypes, users can list preferred etypes explicitly in any of the
`default_tkt_enctypes`, `default_tgs_enctypes`, or
`permitted_enctypes` settings.
New in release OpenJDK 11.0.16.1 (2022-08-12):
=============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk110161
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.1.txt
* Other changes
- JDK-8292255: Bump update version for OpenJDK: jdk-11.0.16.1
- JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large
Notes on individual issues:
===========================
hotspot/compiler:
JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM
============================================================
Fixes a regression in the C2 JIT compiler which caused the Java
Runtime to crash unpredictably.
New in release OpenJDK 11.0.16 (2022-07-19):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11016
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
* Security fixes
- JDK-8277608: Address IP Addressing
- JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties
- JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- JDK-8283190: Improve MIDI processing
- JDK-8284370: Improve zlib usage
- JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
- JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
- JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
- JDK-8133713: [macosx] Accessible JTables always reported as empty
- JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph
- JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
- JDK-8163498: Many long-running security libs tests
- JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28
- JDK-8169004: Fix redundant @requires tags in tests
- JDK-8181571: printing to CUPS fails on mac sandbox app
- JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher
- JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests
- JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException
- JDK-8193682: Infinite loop in ZipOutputStream.close()
- JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10"
- JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS
- JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java
- JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test
- JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
- JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java
- JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start
- JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location
- JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests
- JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names
- JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
- JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test
- JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
- JDK-8209883: ZGC: Compile without C1 broken
- JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC
- JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun
- JDK-8210039: move OSInfo to top level testlibrary
- JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022
- JDK-8210112: remove jdk.testlibrary.ProcessTools
- JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
- JDK-8210732: remove jdk.testlibrary.Utils
- JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
- JDK-8211822: Some tests fail after JDK-8210039
- JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound
- JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64
- JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp
- JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
- JDK-8214799: Add package declaration to each JTREG test case in the gc folder
- JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5
- JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
- JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
- JDK-8216366: Add rationale to PER_CPU_SHARES define
- JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265
- JDK-8217233: Update build settings for AIX/xlc
- JDK-8217340: Compilation failed: tools/launcher/Test7029048.java
- JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers
- JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX
- JDK-8218751: Do not store original classfiles inside the CDS archive
- JDK-8218965: aix: support xlclang++ in the compiler detection
- JDK-8220658: Improve the readability of container information in the error log
- JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X
- JDK-8222799: java.beans.Introspector uses an obsolete methods cache
- JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1
- JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'.
- JDK-8223363: Bad node estimate assertion failure
- JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget())
- JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
- JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate
- JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
- JDK-8225475: Node budget asserts on x86_32/64
- JDK-8227171: provide function names in native stack trace on aix with xlc16
- JDK-8227389: Remove unsupported xlc16 compile options on aix
- JDK-8229202: Docker reporting causes secondary crashes in error handling
- JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress
- JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21
- JDK-8229499: Node budget assert in fuzzed test
- JDK-8230305: Cgroups v2: Container awareness
- JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
- JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
- JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
- JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare"
- JDK-8231565: More node budget asserts in fuzzed tests
- JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
- JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap
- JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
- JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak
- JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
- JDK-8235385: Crash on aarch64 JDK due to long offset
- JDK-8237479: 8230305 causes slowdebug build failure
- JDK-8239559: Cgroups: Incorrect detection logic on some systems
- JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
- JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java
- JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
- JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
- JDK-8240734: ModuleHashes attribute not reproducible between builds
- JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- JDK-8241707: introduce randomness k/w to hotspot test suite
- JDK-8242310: use reproducible random in hotspot compiler tests
- JDK-8242311: use reproducible random in hotspot runtime tests
- JDK-8242312: use reproducible random in hotspot gc tests
- JDK-8242313: use reproducible random in hotspot svc tests
- JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows
- JDK-8243429: use reproducible random in :vmTestbase_nsk_stress
- JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps
- JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
- JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
- JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
- JDK-8245938: Remove unused print_stack(void) method from XToolkit.c
- JDK-8246494: introduce vm.flagless at-requires property
- JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed
- JDK-8247589: Implementation of Alpine Linux/x64 Port
- JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide
- JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java
- JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out
- JDK-8248876: LoadObject with bad base address created for exec file on linux
- JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
- JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect"
- JDK-8252248: __SIGRTMAX is not declared in musl libc
- JDK-8252250: isnanf is obsolete
- JDK-8252359: HotSpot Not Identifying it is Running in a Container
- JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
- JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
- JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
- JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
- JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
- JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp
- JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
- JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
- JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
- JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
- JDK-8255266: Update Public Suffix List to 3c213aa
- JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect
- JDK-8255787: Tag container tests that use cGroups with cgroups keyword
- JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java
- JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
- JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
- JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11
- JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
- JDK-8259517: Incorrect test path in test cases
- JDK-8260518: Change default -mmacosx-version-min to 10.12
- JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0
- JDK-8262379: Add regression test for JDK-8257746
- JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
- JDK-8263718: unused-result warning happens at os_linux.cpp
- JDK-8263856: Github Actions for macos/aarch64 cross-build
- JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2
- JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset"
- JDK-8265343: Update Debian-based cross-compilation recipes
- JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM
- JDK-8266318: Switch to macos prefix for macOS bundles
- JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
- JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8
- JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available"
- JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
- JDK-8270797: ShortECDSA.java test is not complete
- JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
- JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- JDK-8272358: Some tests may fail when executed with other locales than the US
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- JDK-8273176: handle latest VS2019 in abstract_vm_version
- JDK-8273655: content-types.properties files are missing some common types
- JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
- JDK-8274233: Minor cleanup for ToolBox
- JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
- JDK-8274751: Drag And Drop hangs on Windows
- JDK-8275082: Update XML Security for Java to 2.3.0
- JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
- JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8276657: XSLT compiler tries to define a class with empty name
- JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
- JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
- JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
- JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
- JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
- JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
- JDK-8278065: Refactor subclassAudits to use ClassValue
- JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
- JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
- JDK-8278472: Invalid value set to CANDIDATEFORM structure
- JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
- JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
- JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- JDK-8279219: [REDO] C2 crash when allocating array of size too large
- JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
- JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
- JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
- JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
- JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
- JDK-8279668: x86: AVX2 versions of vpxor should be asserted
- JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
- JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
- JDK-8279958: Provide configure hints for Alpine/apk package managers
- JDK-8280041: Retry loop issues in java.io.ClassCache
- JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
- JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
- JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
- JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
- JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
- JDK-8281615: Deadlock caused by jdwp agent
- JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
- JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- JDK-8282225: GHA: Allow one concurrent run per PR only
- JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
- JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
- JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- JDK-8282382: Report glibc malloc tunables in error reports
- JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16
- JDK-8282583: Update BCEL md to include the copyright notice
- JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11
- JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
- JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
- JDK-8283018: 11u GHA: Update GCC 9 minor versions
- JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
- JDK-8283323: libharfbuzz optimization level results in extreme build times
- JDK-8283350: (tz) Update Timezone Data to 2022a
- JDK-8283408: Fix a C2 crash when filling arrays with unsafe
- JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean;
- JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions
- JDK-8283451: C2: assert(_base == Long) failed: Not a Long
- JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
- JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
- JDK-8283614: [11] Repair compiler versions handling after 8233787
- JDK-8283641: Large value for CompileThresholdScaling causes assert
- JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
- JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
- JDK-8284094: Memory leak in invoker_completeInvokeRequest()
- JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
- JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
- JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
- JDK-8284458: CodeHeapState::aggregate() leaks blob_name
- JDK-8284507: GHA: Only check test results if testing was not skipped
- JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
- JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195
- JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1
- JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
- JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
- JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
- JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
- JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
- JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
- JDK-8285591: [11] add signum checks in DSA.java engineVerify
- JDK-8285686: Update FreeType to 2.12.0
- JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655
- JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
- JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
- JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
- JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
- JDK-8286198: [linux] Fix process-memory information
- JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
- JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
- JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
- JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows
- JDK-8286855: javac error on invalid jar should only print filename
- JDK-8287109: Distrust.java failed with CertificateExpiredException
- JDK-8287119: Add Distrust.java to ProblemList
- JDK-8287362: FieldAccessWatch testcase failed on AIX platform
- JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
- JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
Notes on individual issues:
===========================
core-libs/java.io:serialization:
JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
=========================================================================================
`java.util.Vector` is updated to correctly report
`ClassNotFoundException that occurs during deserialization using
`java.io.ObjectInputStream.GetField.get(name, object)` when the class
of an element of the Vector is not found. Without this fix, a
`StreamCorruptedException` is thrown that does not provide information
about the missing class.
core-libs/java.net:
JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
================================================================
Support has been added for TLS channel binding tokens for
Negotiate/Kerberos authentication over HTTPS through
javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form
of security which can mitigate certain kinds of socially engineered,
man in the middle (MITM) attacks. They work by communicating from a
client to a server the client's understanding of the binding between
connection security (as represented by a TLS server cert) and higher
level authentication credentials (such as a username and
password). The server can then detect if the client has been fooled by
a MITM and shutdown the session/connection.
The feature is controlled through a new system property
`jdk.https.negotiate.cbt` which is described fully at the following
page:
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
core-libs/java.lang:
JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
=====================================================================
ProcessBuilder on Windows is restored to address a regression caused
by JDK-8250568. Previously, an argument to ProcessBuilder that
started with a double-quote and ended with a backslash followed by a
double-quote was passed to a command incorrectly and may cause the
command to fail. For example the argument `"C:\\Program Files\"`,
would be seen by the command with extra double-quotes. This update
restores the long standing behavior that does not treat the backslash
before the final double-quote specially.
core-libs/java.util.jar:
JDK-8278386: Default JDK compressor will be closed when IOException is encountered
==================================================================================
`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
have been modified to close out the associated default JDK compressor
before propagating a Throwable up the
stack. `ZIPOutputStream.closeEntry()` method has been modified to
close out the associated default JDK compressor before propagating an
IOException, not of type ZipException, up the stack.
core-libs/java.io:
JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
=================================================================================================
The Windows implementation of `java.io.File` allows access to NTFS
Alternate Data Streams (ADS) by default. Such streams have a structure
like “filename:streamname”. A system property `jdk.io.File.enableADS`
has been added to control this behavior. To disable ADS support in
`java.io.File`, the system property `jdk.io.File.enableADS` should be
set to `false` (case ignored). Stricter path checking however prevents
the use of special devices such as `NUL:`
New in release OpenJDK 11.0.15 (2022-04-19):
=============================================
Live versions of these release notes can be found at:

View File

@ -1,3 +1,20 @@
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
@ -9,35 +26,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println("Debug: Java version is " + javaVersion);
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}

View File

@ -0,0 +1,35 @@
/* TestTranslations -- Ensure translations are available for new timezones
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.util.Arrays;
import java.util.Locale;
import java.util.ResourceBundle;
import sun.util.resources.LocaleData;
import sun.util.locale.provider.LocaleProviderAdapter;
public class TestTranslations {
public static void main(String[] args) {
for (String zone : args) {
System.out.printf("Translations for %s\n", zone);
for (Locale l : Locale.getAvailableLocales()) {
ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
}
}
}
}

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +0,0 @@
diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
index d18d70b5f9..30ab380e40 100644
--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
#ifdef ASSERT
if (istate->_msg != initialize) {
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
}
// Verify linkages.
interpreterState l = istate;

View File

@ -0,0 +1,132 @@
diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
index 8759aab3995..11ccbf73839 100644
--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
{"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00",
"Kirov Daylight Time", "GMT+03:00",
"Kirov Time", "GMT+03:00"}},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
index f007c1a8d3b..617268e4cf3 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
index 386414e16e6..14c5d89b9c5 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
index d23f5fd49e6..44117125619 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
index b4f57d4568c..efa818f3865 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
index 1a10a9f96dc..7c0565461ad 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
index 9a2d9e5c57c..8a2c805997f 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
index de5e5c82daa..e3c06417f09 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
index b53de4d8c89..3e46b6a063e 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
index 7797cda19d5..590908409a8 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
index 2cd10554853..23c5f180b6d 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},

View File

@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

View File

@ -1,88 +0,0 @@
# HG changeset patch
# User andrew
# Date 1478057514 0
# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
PR3694: Support Fedora/RHEL system crypto policy
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
@@ -43,6 +43,9 @@
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
+ * <p>Additional default values of security properties are read from a
+ * system-specific location, if available.</p>
+ *
* @author Benjamin Renaud
* @since 1.1
*/
@@ -52,6 +55,10 @@
private static final Debug sdebug =
Debug.getInstance("properties");
+ /* System property file*/
+ private static final String SYSTEM_PROPERTIES =
+ "/etc/crypto-policies/back-ends/java.config";
+
/* The java.security properties */
private static Properties props;
@@ -93,6 +100,7 @@
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
+ sdebug.println(props.toString());
}
} catch (IOException e) {
if (sdebug != null) {
@@ -114,6 +122,31 @@
}
if ("true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#

View File

@ -1,78 +0,0 @@
# HG changeset patch
# User andrew
# Date 1545198926 0
# Wed Dec 19 05:55:26 2018 +0000
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
PR3695: Allow use of system crypto policy to be disabled by the user
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -125,31 +125,6 @@
}
if ("true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
@@ -215,6 +190,33 @@
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {

View File

@ -1,11 +1,12 @@
diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
--- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700
+++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200
@@ -83,6 +83,7 @@
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 474fe6f401f..7e94ae32023 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -84,6 +84,7 @@ security.provider.tbd=Apple
#ifndef solaris
security.provider.tbd=SunPKCS11
#endif
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# A list of preferred providers for specific algorithms. These providers will
# Security providers used when FIPS mode support is active

View File

@ -1,205 +0,0 @@
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
+ if (SystemConfigurator.configure(props)) {
loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
}
}
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
+fips.provider.3=SunEC
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
+
+#
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
# Entries containing errors (parsing, etc) will be ignored. Use the

View File

@ -1,52 +0,0 @@
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
}
props.put(fipsProviderKey, fipsProviderValue);
}
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
loadedProps = true;
}
} catch (Exception e) {
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
@@ -299,6 +299,11 @@
keystore.type=pkcs12
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading

View File

@ -1,311 +0,0 @@
diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import jdk.internal.misc.SharedSecrets;
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@
*
*/
-class SystemConfigurator {
+final class SystemConfigurator {
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -61,15 +63,16 @@
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {
- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {
- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@
String nonFipsKeystoreType = props.getProperty("keystore.type");
props.put("keystore.type", keystoreTypeValue);
if (keystoreTypeValue.equals("PKCS11")) {
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@
sdebug.println("FIPS mode default keystore.type = " +
keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
- System.getProperty("javax.net.ssl.keyStore", ""));
+ System.getProperty("javax.net.ssl.keyStore", ""));
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
System.getProperty("javax.net.ssl.trustStoreType", ""));
}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) {
if (sdebug != null) {
@@ -160,13 +164,30 @@
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (fipsEnabled) {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.misc;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
@@ -76,6 +76,7 @@
private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static JavaUtilJarAccess javaUtilJarAccess() {
if (javaUtilJarAccess == null) {
@@ -361,4 +362,12 @@
}
return javaxCryptoSealedObjectAccess;
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
+import jdk.internal.misc.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -542,20 +543,38 @@
static {
if (SunJSSE.isFIPS()) {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- );
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
@@ -620,6 +639,16 @@
static ProtocolVersion[] getSupportedProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
@@ -949,6 +978,16 @@
static ProtocolVersion[] getProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
@@ -27,6 +27,8 @@
import java.security.*;
import java.util.*;
+
+import jdk.internal.misc.SharedSecrets;
import sun.security.rsa.SunRsaSignEntries;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
import static sun.security.provider.SunEntries.createAliases;
@@ -195,8 +197,13 @@
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
- ps("SSLContext", "TLSv1.3",
- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ ps("SSLContext", "TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ }
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
(isfips? null : createAliases("SSL")), null);

View File

@ -1,68 +0,0 @@
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@
import jdk.internal.event.EventHelper;
import jdk.internal.event.SecurityPropertyModificationEvent;
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
import jdk.internal.misc.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
@@ -74,6 +75,15 @@
}
static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
@@ -193,9 +203,8 @@
}
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
if (SystemConfigurator.configure(props)) {
loadedProps = true;
}
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -38,8 +38,6 @@
import java.util.Properties;
import java.util.regex.Pattern;
-import jdk.internal.misc.SharedSecrets;
-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -65,16 +63,6 @@
private static boolean systemFipsEnabled = false;
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and

View File

@ -1,430 +0,0 @@
diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
--- openjdk.orig/make/autoconf/libraries.m4
+++ openjdk/make/autoconf/libraries.m4
@@ -101,6 +101,7 @@
LIB_SETUP_LIBFFI
LIB_SETUP_BUNDLED_LIBS
LIB_SETUP_MISC_LIBS
+ LIB_SETUP_SYSCONF_LIBS
LIB_SETUP_SOLARIS_STLPORT
LIB_TESTS_SETUP_GRAALUNIT
@@ -223,3 +224,62 @@
fi
])
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
--- openjdk.orig/make/autoconf/spec.gmk.in
+++ openjdk/make/autoconf/spec.gmk.in
@@ -828,6 +828,10 @@
# Libraries
#
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
--- openjdk.orig/make/lib/Lib-java.base.gmk
+++ openjdk/make/lib/Lib-java.base.gmk
@@ -179,6 +179,31 @@
endif
################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
+ NAME := systemconf, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
+ ))
+
+ TARGETS += $(BUILD_LIBSYSTEMCONF)
+endif
+
+################################################################################
# Create the symbols file for static builds.
ifeq ($(STATIC_BUILD), true)
diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
--- openjdk.orig/make/nb_native/nbproject/configurations.xml
+++ openjdk/make/nb_native/nbproject/configurations.xml
@@ -2950,6 +2950,9 @@
<in>LinuxWatchService.c</in>
</df>
</df>
+ <df name="libsystemconf">
+ <in>systemconf.c</in>
+ </df>
</df>
</df>
<df name="macosx">
@@ -29301,6 +29304,11 @@
tool="0"
flavor2="0">
</item>
+ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
+ ex="false"
+ tool="0"
+ flavor2="0">
+ </item>
<item path="../../src/java.base/macosx/native/include/jni_md.h"
ex="false"
tool="3"
diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
--- openjdk.orig/make/scripts/compare_exceptions.sh.incl
+++ openjdk/make/scripts/compare_exceptions.sh.incl
@@ -179,6 +179,7 @@
./lib/libsplashscreen.so
./lib/libsunec.so
./lib/libsunwjdga.so
+ ./lib/libsystemconf.so
./lib/libunpack.so
./lib/libverify.so
./lib/libzip.so
@@ -289,6 +290,7 @@
./lib/libsplashscreen.so
./lib/libsunec.so
./lib/libsunwjdga.so
+ ./lib/libsystemconf.so
./lib/libunpack.so
./lib/libverify.so
./lib/libzip.so
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -30,13 +30,9 @@
import java.io.FileInputStream;
import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.regex.Pattern;
import sun.security.util.Debug;
@@ -58,10 +54,21 @@
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
+ private static boolean systemFipsEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
- private static boolean systemFipsEnabled = false;
+ static {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
/*
* Invoked when java.security.Security class is initialized, if
@@ -170,16 +177,34 @@
}
/*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
*/
private static boolean enableFips() throws Exception {
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
} else {
return false;
}

View File

@ -1,590 +0,0 @@
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 53f32d12cc..28ab184617 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 5565acb7c6..874c6221eb 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -149,6 +150,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -176,6 +187,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
index d8caa5640c..21bc6d0b59 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.misc;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
index ffee2c1603..ff3d5e0e4a 100644
--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
import javax.net.ssl.*;
+import jdk.internal.misc.SharedSecrets;
+
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
X509ExtendedKeyManager keyManager;
boolean isInitialized;
@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
+ !plainKeySupportEnabled) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
+ && !plainKeySupportEnabled) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 0000000000..b848a1fd78
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 1eca1f8f0a..72674a7330 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 04a369f453..8d2081abaa 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -150,16 +151,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}

View File

@ -1,60 +0,0 @@
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 5460efcf8c..f08dc2fafc 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@ module java.base {
java.security.jgss,
java.sql,
java.xml,
+ jdk.crypto.cryptoki,
jdk.jartool,
jdk.attach,
jdk.charsets,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 099caac605..ffadb43eb1 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
import jdk.internal.misc.InnocuousThread;
+import jdk.internal.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException

View File

@ -1,28 +0,0 @@
commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:00:55 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index 2ec51d57806..8489b940c43 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -36,6 +36,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -368,6 +369,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ unsafe.ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}

View File

@ -1,24 +0,0 @@
commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 17 19:44:03 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..34d0ff0ce91 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);

View File

@ -1,99 +0,0 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

View File

@ -1,220 +0,0 @@
commit e2be09f982af1cc05f5e6556d51900bca4757416
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 28 05:30:32 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 34d0ff0ce91..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,25 +23,99 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
+#define MSG_MAX_SIZE 256
#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-#define MSG_MAX_SIZE 96
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
+}
+
+#endif
/*
* Class: java_security_SystemConfigurator
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-
-#else // SYSCONF_NSS
+ FILE *fe;
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
-}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
}

View File

@ -25,6 +25,8 @@
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
# Build with system libraries
%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@ -41,6 +43,16 @@
%global build_hotspot_first 0
%endif
%if %{with system_libs}
%global system_libs 1
%global link_type system
%global freetype_lib %{nil}
%else
%global system_libs 0
%global link_type bundled
%global freetype_lib |libfreetype[.]so.*
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -197,11 +209,15 @@
%global staticlibs_loop %{nil}
%endif
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@ -315,12 +331,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
%global updatever 15
%global updatever 17
%global patchver 0
# If you bump featurever, you must bump also vendor_version_string
# Used via new version scheme. JDK 11 was
# GA'ed in September 2018 => 18.9
%global vendor_version_string 18.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@ -353,17 +365,20 @@
%endif
%endif
%endif
%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 9087e80d0ab
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
%global rpmrelease 3
%global buildver 7
%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -379,12 +394,11 @@
%endif
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
# Omit trailing 0 in filenames when the patch version is 0
%if 0%{?patchver} > 0
%global filever %{newjavaver}
%else
%global filever %{featurever}.%{interimver}.%{updatever}
%endif
# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
# The tag used to create the OpenJDK tarball
%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
%global javaver %{featurever}
@ -392,7 +406,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
%global is_ga 1
%global is_ga 0
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@ -423,7 +437,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@ -847,6 +861,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
%if ! %{system_libs}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@ -1127,8 +1144,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
# 2021e required as of JDK-8275766 in January 2022 CPU
Requires: tzdata-java >= 2021e
# 2022a required as of JDK-8283350 in 11.0.16
Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@ -1141,6 +1158,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
# for system security properties
Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@ -1286,7 +1305,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@ -1320,6 +1339,9 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
# Ensure translations are available for new timezones
Source18: TestTranslations.java
############################################
#
# RPM/distribution specific patches
@ -1336,29 +1358,31 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
Patch4: jdk8292223-tzdata2022b-kyiv.patch
# FIPS support patches
# Crypto policy and FIPS support patches
# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
# RH2021263: Return in C code after having generated Java exception
# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
# RH2051605: Detect NSS at Runtime for FIPS detection
# RH2052819: Fix FIPS reliance on crypto policies
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
Patch1017: rh2052829-fips_runtime_nss_detection.patch
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
Patch1001: fips-11u-%{fipsver}.patch
#############################################
#
@ -1378,10 +1402,6 @@ Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
Patch7: pr3695-toggle_system_crypto_policy.patch
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch8: jdk8275535-rh2053256-ldap_auth.patch
@ -1394,8 +1414,6 @@ Patch8: jdk8275535-rh2053256-ldap_auth.patch
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
@ -1416,14 +1434,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@ -1434,6 +1446,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
# Requirement for system security property test
BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@ -1444,8 +1458,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
# 2021e required as of JDK-8275766 in January 2022 CPU
BuildRequires: tzdata-java >= 2021e
# 2022a required as of JDK-8283350 in 11.0.16
BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@ -1454,6 +1468,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
%if %{system_libs}
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
Provides: bundled(freetype) = 2.12.1
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
Provides: bundled(harfbuzz) = 4.4.1
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.12.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
Provides: bundled(libpng) = 1.6.37
# We link statically against libstdc++ to increase portability
BuildRequires: libstdc++-static
%endif
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@ -1749,6 +1787,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
echo "Preparing %{oj_vendor_version}"
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@ -1787,8 +1827,11 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
%endif
# Patch the JDK
pushd %{top_level_dir_name}
@ -1796,25 +1839,14 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
popd # openjdk
%patch101
%patch1000
%patch600
%patch1001
%patch1002
%patch1003
%patch1004
%patch1007
%patch1008
%patch1009
%patch1011
%patch1014
%patch1015
%patch1016
%patch1017
%patch8
@ -1914,6 +1946,12 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
if [ "x${link_opt}" = "xbundled" ] ; then
libc_link_opt="static";
else
libc_link_opt="dynamic";
fi
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
@ -1935,7 +1973,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@ -1945,13 +1983,14 @@ function buildjdk() {
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-zlib=${link_opt} \
--with-freetype=${link_opt} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
--with-stdc++lib=dynamic \
--with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \
@ -2013,6 +2052,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@ -2023,6 +2066,10 @@ function installjdk() {
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
# Print release information
cat ${imagepath}/release
fi
}
@ -2054,12 +2101,13 @@ for suffix in %{build_loop} ; do
bootinstalldir=boot${installdir}
if test "x${loop}" = "x%{main_suffix}" ; then
link_opt="%{link_type}"
%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries
link_opt="system"
%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@ -2080,9 +2128,11 @@ for suffix in %{build_loop} ; do
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@ -2123,13 +2173,18 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
# Check system crypto (policy) can be disabled
# Check system crypto (policy) is active and can be disabled
# Test takes a single argument - true or false - to state whether system
# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@ -2141,6 +2196,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
# Check translations are available for new timezones
$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
--add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
-d . %{SOURCE18}
$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
--add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
$(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@ -2618,6 +2681,74 @@ end
%endif
%changelog
* Wed Oct 05 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.17.0.7-0.2.ea
- Update to jdk-11.0.17+7
- Update release notes to 11.0.17+7
- Resolves: rhbz#2130374
* Tue Sep 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.17.0.1-0.2.ea
- Update to jdk-11.0.17+1
- Update release notes to 11.0.17+1
- Switch to EA mode for 11.0.17 pre-release builds.
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Related: rhbz#2130374
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.16.1.1-3
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2121266
* Wed Aug 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.16.1.1-2
- Update to jdk-11.0.16.1+1
- Update release notes to 11.0.16.1+1
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
- Add test to ensure timezones can be translated
- Resolves: rhbz#2119527
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.16.0.8-2
- Update to jdk-11.0.16+8
- Update release notes to 11.0.16+8
- Switch to GA mode for release
- Resolves: rhbz#2106515
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.16.0.7-0.1.ea
- Update to jdk-11.0.16+7
- Update release notes to 11.0.16+7
- Switch to EA mode for 11.0.16 pre-release builds.
- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
- Drop JDK-8257794 patch now upstreamed
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Use "git apply" with patches in the tarball script to allow binary diffs
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Explicitly require crypto-policies during build and runtime for system security properties
- Resolves: rhbz#2083298
* Thu Jul 14 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.16.0.7-0.1.ea
- Add additional patch during tarball generation to align tests with ECC changes
- Related: rhbz#2083298
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.10-6
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
- Resolves: rhbz#2099838
- Resolves: rhbz#2090378
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:11.0.15.0.10-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2102430
* Thu Jun 30 2022 Stephan Bergmann <sbergman@redhat.com> - 1:11.0.15.0.10-4
- Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102731
* Sun Apr 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.10-3
- Update to jdk-11.0.15.0+10
- Update release notes to 11.0.15.0+10