10 changed files with 4770 additions and 5754 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk11u-jdk-11.0.23+9.tar.xz
+SOURCES/openjdk-jdk11u-jdk-11.0.18+9-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@ -1,2 +1,2 @@
-db99bc0a0912f824db1043d18b199c154d57bb5b SOURCES/openjdk-jdk11u-jdk-11.0.23+9.tar.xz
+99b83c6bd4a99a9763594c4e3f661b983af6e031 SOURCES/openjdk-jdk11u-jdk-11.0.18+9-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
--- a/SOURCES/README.md
+++ b/SOURCES/README.md
@ -1,39 +0,0 @@
-OpenJDK 11 is a Long-Term Support (LTS) release of the Java platform.
-
-For a list of major changes from OpenJDK 8 (java-1.8.0-openjdk), see
-the upstream release page for OpenJDK 11 and the preceding interim
-releases:
-
-* 9: https://openjdk.org/projects/jdk9/
-* 10: https://openjdk.java.net/projects/jdk/10/
-* 11: https://openjdk.java.net/projects/jdk/11/
-
-# Rebuilding the OpenJDK package
-
-The OpenJDK packages are now created from a single build which is then
-packaged for different major versions of Red Hat Enterprise Linux
-(RHEL). This allows the OpenJDK team to focus their efforts on the
-development and testing of this single build, rather than having
-multiple builds which only differ by the platform they were built on.
-
-This does make rebuilding the package slightly more complicated than a
-normal package. Modifications should be made to the
-`java-11-openjdk-portable.specfile` file, which can be found with this
-README file in the source RPM or installed in the documentation tree
-by the `java-11-openjdk-headless` RPM.
-
-Once the modified `java-11-openjdk-portable` RPMs are built, they
-should be installed and will produce a number of tarballs in the
-`/usr/lib/jvm` directory. The `java-11-openjdk` RPMs can then be
-built, which will use these tarballs to create the usual RPMs found in
-RHEL. The `java-11-openjdk-portable` RPMs can be uninstalled once the
-desired final RPMs are produced.
-
-Note that the `java-11-openjdk.spec` file has a hard requirement on
-the exact version of java-11-openjdk-portable to use, so this will
-need to be modified if the version or rpmrelease values are changed in
-`java-11-openjdk-portable.specfile`.
-
-To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
-builds may be disabled using `--without fastdebug` and `--without
-slowdebug`.
--- a/SOURCES/fips-11u-9087e80d0ab.patch
+++ b/SOURCES/fips-11u-9087e80d0ab.patch
@ -1,5 +1,5 @@
 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
-index 16e906bdc6..1a352e5a32 100644
+index a73c0f38181..80710886ed8 100644
 --- a/make/autoconf/libraries.m4
 +++ b/make/autoconf/libraries.m4
@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
@ -74,10 +74,10 @@ index 16e906bdc6..1a352e5a32 100644
 +  AC_SUBST(USE_SYSCONF_NSS)
 +])
 diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
-index 3787b12600..dab108a82b 100644
+index 0ae23b93167..a242acc1234 100644
 --- a/make/autoconf/spec.gmk.in
 +++ b/make/autoconf/spec.gmk.in
-@@ -848,6 +848,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
 # Libraries
 #
 
@ -89,10 +89,10 @@ index 3787b12600..dab108a82b 100644
 LCMS_CFLAGS:=@LCMS_CFLAGS@
 LCMS_LIBS:=@LCMS_LIBS@
 diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
-index b40d3114b9..0d1d83cf3e 100644
+index a529768f39e..daf9c947172 100644
 --- a/make/lib/Lib-java.base.gmk
 +++ b/make/lib/Lib-java.base.gmk
-@@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true)
+@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
   endif
 endif
 
@ -125,7 +125,7 @@ index b40d3114b9..0d1d83cf3e 100644
 # Create the symbols file for static builds.
 
 diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
-index fb07d54c1f..c5813e2b7a 100644
+index fb07d54c1f0..c5813e2b7aa 100644
 --- a/make/nb_native/nbproject/configurations.xml
 +++ b/make/nb_native/nbproject/configurations.xml
@@ -2950,6 +2950,9 @@
@ -151,7 +151,7 @@ index fb07d54c1f..c5813e2b7a 100644
             ex="false"
             tool="3"
 diff --git a/make/scripts/compare_exceptions.sh.incl b/make/scripts/compare_exceptions.sh.incl
-index 6327040964..6b3780123b 100644
+index 6327040964d..6b3780123b6 100644
 --- a/make/scripts/compare_exceptions.sh.incl
 +++ b/make/scripts/compare_exceptions.sh.incl
@@ -179,6 +179,7 @@ if [ "$OPENJDK_TARGET_OS" = "solaris" ] && [ "$OPENJDK_TARGET_CPU" = "x86_64" ];
@ -172,7 +172,7 @@ index 6327040964..6b3780123b 100644
       ./lib/libzip.so
 diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
 new file mode 100644
-index 0000000000..8dcb7d9073
+index 00000000000..8dcb7d9073f
 --- /dev/null
 +++ b/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -0,0 +1,224 @@
@ -401,7 +401,7 @@ index 0000000000..8dcb7d9073
 +    }
 +}
 diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index 5b9552058b..b46de49211 100644
+index b36510a376b..ad5182e1e7c 100644
 --- a/src/java.base/share/classes/java/security/Security.java
 +++ b/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
@ -412,17 +412,16 @@ index 5b9552058b..b46de49211 100644
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.util.StaticProperty;
 import sun.security.util.Debug;
-@@ -47,6 +48,9 @@ import sun.security.jca.*;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
  * implementation-specific location, which is typically the properties file
  * {@code conf/security/java.security} in the Java installation directory.
  *
 + * <p>Additional default values of security properties are read from a
 + * system-specific location, if available.</p>
 + *
-  * @implNote If the properties file fails to load, the JDK implementation will
-  * throw an unspecified error when initializing the {@code Security} class.
-  *
-@@ -56,6 +60,11 @@ import sun.security.jca.*;
+  * @author Benjamin Renaud
+  * @since 1.1
+  */
 
 public final class Security {
 
@ -434,7 +433,7 @@ index 5b9552058b..b46de49211 100644
     /* Are we debugging? -- for developers */
     private static final Debug sdebug =
                         Debug.getInstance("properties");
-@@ -70,6 +79,19 @@ public final class Security {
+@@ -67,6 +76,19 @@ public final class Security {
     }
 
     static {
@ -454,19 +453,26 @@ index 5b9552058b..b46de49211 100644
         // doPrivileged here because there are multiple
         // things in initialize that might require privs.
         // (the FileInputStream call and the File.exists call,
-@@ -85,6 +107,7 @@ public final class Security {
-     private static void initialize() {
+@@ -83,6 +105,7 @@ public final class Security {
         props = new Properties();
+         boolean loadedProps = false;
         boolean overrideAll = false;
 +        boolean systemSecPropsEnabled = false;
 
         // first load the system properties file
         // to determine the value of security.overridePropertiesFile
-@@ -105,9 +128,63 @@ public final class Security {
+@@ -98,6 +121,7 @@ public final class Security {
+                 if (sdebug != null) {
+                     sdebug.println("reading security properties file: " +
+                                 propFile);
+                    sdebug.println(props.toString());
+                 }
+             } catch (IOException e) {
+                 if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
             }
-             loadProps(null, extraPropFile, overrideAll);
         }
-+
+ 
 +        boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
 +        boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
 +        if (sdebug != null) {
@ -486,7 +492,9 @@ index 5b9552058b..b46de49211 100644
 +            }
 +        }
 +
-+        if (systemSecPropsEnabled) {
+        // FIPS support depends on the contents of java.security so
+        // ensure it has loaded first
+        if (loadedProps && systemSecPropsEnabled) {
 +            boolean shouldEnable;
 +            String sysProp = System.getProperty("com.redhat.fips");
 +            if (sysProp == null) {
@ -522,19 +530,15 @@ index 5b9552058b..b46de49211 100644
 +        }
     }
 
-    private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
-+    static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
-         InputStream is = null;
-         try {
-             if (masterFile != null && masterFile.exists()) {
+     /*
 diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
 new file mode 100644
-index 0000000000..49bf17ea17
+index 00000000000..90f6dd2ebc0
 --- /dev/null
 +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,248 @@
 +/*
-+ * Copyright (c) 2019, 2023, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
 + *
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 + *
@ -612,9 +616,26 @@ index 0000000000..49bf17ea17
 +     * security.useSystemPropertiesFile is true.
 +     */
 +    static boolean configureSysProps(Properties props) {
-+        // now load the system file, if it exists, so its values
-+        // will win if they conflict with the earlier values
-+        return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
+        boolean systemSecPropsLoaded = false;
+
+        try (BufferedInputStream bis =
+                new BufferedInputStream(
+                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+            props.load(bis);
+            systemSecPropsLoaded = true;
+            if (sdebug != null) {
+                sdebug.println("reading system security properties file " +
+                        CRYPTO_POLICIES_JAVA_CONFIG);
+                sdebug.println(props.toString());
+            }
+        } catch (IOException e) {
+            if (sdebug != null) {
+                sdebug.println("unable to load security properties from " +
+                        CRYPTO_POLICIES_JAVA_CONFIG);
+                e.printStackTrace();
+            }
+        }
+        return systemSecPropsLoaded;
 +    }
 +
 +    /*
@ -766,7 +787,7 @@ index 0000000000..49bf17ea17
 +}
 diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
 new file mode 100644
-index 0000000000..21bc6d0b59
+index 00000000000..21bc6d0b591
 --- /dev/null
 +++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,31 @@
@ -802,7 +823,7 @@ index 0000000000..21bc6d0b59
 +    boolean isPlainKeySupportEnabled();
 +}
 diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-index 688ec9f091..8489b940c4 100644
+index 688ec9f0915..8489b940c43 100644
 --- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
 +++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -36,6 +36,7 @@ import java.io.FilePermission;
@ -838,7 +859,7 @@ index 688ec9f091..8489b940c4 100644
 +    }
 }
 diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index 7351627db3..859591890d 100644
+index 5460efcf8c5..f08dc2fafc5 100644
 --- a/src/java.base/share/classes/module-info.java
 +++ b/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@ module java.base {
@ -850,7 +871,7 @@ index 7351627db3..859591890d 100644
         jdk.attach,
         jdk.charsets,
 diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..ff3d5e0e4a 100644
+index ffee2c1603b..ff3d5e0e4ab 100644
 --- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
 +++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
@ -889,7 +910,7 @@ index ffee2c1603..ff3d5e0e4a 100644
                         "FIPS mode: KeyStore must be " +
                         "from provider " + SunJSSE.cryptoProvider.getName());
 diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-index e06b2a588c..315a2ce370 100644
+index de7da5c3379..5c3813dda7b 100644
 --- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
 +++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@ import java.security.*;
@ -910,14 +931,6 @@ index e06b2a588c..315a2ce370 100644
 -                    ProtocolVersion.TLS11,
 -                    ProtocolVersion.TLS10
 -                );
-
-                serverDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
 +                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
 +                        .isSystemFipsEnabled()) {
 +                    // RH1860986: TLSv1.3 key derivation not supported with
@ -927,7 +940,14 @@ index e06b2a588c..315a2ce370 100644
 +                        ProtocolVersion.TLS11,
 +                        ProtocolVersion.TLS10
 +                    );
-+
+ 
+-                serverDefaultProtocols = getAvailableProtocols(
+-                        new ProtocolVersion[] {
+-                    ProtocolVersion.TLS13,
+-                    ProtocolVersion.TLS12,
+-                    ProtocolVersion.TLS11,
+-                    ProtocolVersion.TLS10
+-                });
 +                    serverDefaultProtocols = getAvailableProtocols(
 +                            new ProtocolVersion[] {
 +                        ProtocolVersion.TLS12,
@ -953,68 +973,42 @@ index e06b2a588c..315a2ce370 100644
             } else {
                 supportedProtocols = Arrays.asList(
                     ProtocolVersion.TLS13,
-@@ -910,12 +929,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-                 if (client) {
-                     // default client protocols
-                     if (SunJSSE.isFIPS()) {
-                        candidates = new ProtocolVersion[] {
-                            ProtocolVersion.TLS13,
-                            ProtocolVersion.TLS12,
-                            ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS10
-                        };
-+                        if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+                            .isSystemFipsEnabled()) {
-+                            // RH1860986: TLSv1.3 key derivation not supported with
-+                            // the Security Providers available in system FIPS mode.
-+                            candidates = new ProtocolVersion[] {
-+                                ProtocolVersion.TLS12,
-+                                ProtocolVersion.TLS11,
-+                                ProtocolVersion.TLS10
-+                            };
-+                        } else {
-+                            candidates = new ProtocolVersion[] {
-+                                ProtocolVersion.TLS13,
-+                                ProtocolVersion.TLS12,
-+                                ProtocolVersion.TLS11,
-+                                ProtocolVersion.TLS10
-+                            };
-+                        }
-                     } else {
-                         candidates = new ProtocolVersion[] {
-                             ProtocolVersion.TLS13,
-@@ -927,12 +957,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-                 } else {
-                     // default server protocols
-                     if (SunJSSE.isFIPS()) {
-                        candidates = new ProtocolVersion[] {
-                            ProtocolVersion.TLS13,
-                            ProtocolVersion.TLS12,
-                            ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS10
-                        };
-+                        if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+                            .isSystemFipsEnabled()) {
-+                            // RH1860986: TLSv1.3 key derivation not supported with
-+                            // the Security Providers available in system FIPS mode.
-+                            candidates = new ProtocolVersion[] {
-+                                ProtocolVersion.TLS12,
-+                                ProtocolVersion.TLS11,
-+                                ProtocolVersion.TLS10
-+                            };
-+                        } else {
-+                            candidates = new ProtocolVersion[] {
-+                                ProtocolVersion.TLS13,
-+                                ProtocolVersion.TLS12,
-+                                ProtocolVersion.TLS11,
-+                                ProtocolVersion.TLS10
-+                            };
-+                        }
-                     } else {
-                         candidates = new ProtocolVersion[] {
-                             ProtocolVersion.TLS13,
+@@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ 
+         static ProtocolVersion[] getSupportedProtocols() {
+             if (SunJSSE.isFIPS()) {
+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+                        .isSystemFipsEnabled()) {
+                    // RH1860986: TLSv1.3 key derivation not supported with
+                    // the Security Providers available in system FIPS mode.
+                    return new ProtocolVersion[] {
+                            ProtocolVersion.TLS12,
+                            ProtocolVersion.TLS11,
+                            ProtocolVersion.TLS10
+                    };
+                }
+                 return new ProtocolVersion[] {
+                         ProtocolVersion.TLS13,
+                         ProtocolVersion.TLS12,
+@@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ 
+         static ProtocolVersion[] getProtocols() {
+             if (SunJSSE.isFIPS()) {
+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+                        .isSystemFipsEnabled()) {
+                    // RH1860986: TLSv1.3 key derivation not supported with
+                    // the Security Providers available in system FIPS mode.
+                    return new ProtocolVersion[] {
+                            ProtocolVersion.TLS12,
+                            ProtocolVersion.TLS11,
+                            ProtocolVersion.TLS10
+                    };
+                }
+                 return new ProtocolVersion[]{
+                         ProtocolVersion.TLS13,
+                         ProtocolVersion.TLS12,
 diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index 2a2b5d7568..891796f19b 100644
+index c50ba93ecfc..de2a91a478c 100644
 --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
 +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,6 +27,8 @@ package sun.security.ssl;
@ -1025,7 +1019,7 @@ index 2a2b5d7568..891796f19b 100644
 +import jdk.internal.misc.SharedSecrets;
 import sun.security.rsa.SunRsaSignEntries;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.util.SecurityProviderConstants.*;
+ import static sun.security.provider.SunEntries.createAliases;
@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider {
             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
         ps("SSLContext", "TLSv1.2",
@ -1041,12 +1035,12 @@ index 2a2b5d7568..891796f19b 100644
 +        }
         ps("SSLContext", "TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext",
-             (isfips? null : List.of("SSL")), null);
+             (isfips? null : createAliases("SSL")), null);
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index c0eed3f884..b03bd9f896 100644
+index 097517926d1..474fe6f401f 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
-@@ -88,6 +88,14 @@ security.provider.tbd=Apple
+@@ -85,6 +85,14 @@ security.provider.tbd=Apple
 security.provider.tbd=SunPKCS11
 #endif
 
@ -1061,7 +1055,7 @@ index c0eed3f884..b03bd9f896 100644
 #
 # A list of preferred providers for specific algorithms. These providers will
 # be searched for matching algorithms before the list of registered providers.
-@@ -301,6 +309,11 @@ policy.ignoreIdentityScope=false
+@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false
 #
 keystore.type=pkcs12
 
@ -1073,7 +1067,7 @@ index c0eed3f884..b03bd9f896 100644
 #
 # Controls compatibility mode for JKS and PKCS12 keystore types.
 #
-@@ -338,6 +351,13 @@ package.definition=sun.misc.,\
+@@ -335,6 +348,13 @@ package.definition=sun.misc.,\
 #
 security.overridePropertiesFile=true
 
@ -1089,7 +1083,7 @@ index c0eed3f884..b03bd9f896 100644
 # the javax.net.ssl package.
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
 new file mode 100644
-index 0000000000..b848a1fd78
+index 00000000000..b848a1fd783
 --- /dev/null
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
@ -1384,7 +1378,7 @@ index 0000000000..b848a1fd78
 +    }
 +}
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index ffbd671246..bdaad67e06 100644
+index 099caac605f..977e5332bd1 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
@ -1406,7 +1400,7 @@ index ffbd671246..bdaad67e06 100644
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -61,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
  */
 public final class SunPKCS11 extends AuthProvider {
 
@ -1436,7 +1430,7 @@ index ffbd671246..bdaad67e06 100644
     private static final long serialVersionUID = -1354835039035306505L;
 
     static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -318,10 +346,15 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider {
             // request multithreaded access first
             initArgs.flags = CKF_OS_LOCKING_OK;
             PKCS11 tmpPKCS11;
@ -1453,7 +1447,7 @@ index ffbd671246..bdaad67e06 100644
             } catch (PKCS11Exception e) {
                 if (debug != null) {
                     debug.println("Multi-threaded initialization failed: " + e);
-@@ -337,7 +370,7 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider {
                     initArgs.flags = 0;
                 }
                 tmpPKCS11 = PKCS11.getInstance(library,
@ -1462,7 +1456,7 @@ index ffbd671246..bdaad67e06 100644
             }
             p11 = tmpPKCS11;
 
-@@ -377,6 +410,24 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
@ -1488,7 +1482,7 @@ index ffbd671246..bdaad67e06 100644
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
                 throw new UnsupportedOperationException
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 04a369f453..f033fe4759 100644
+index 04a369f453c..f033fe47593 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
--- a/SOURCES/java-11-openjdk-portable.specfile
+++ b/SOURCES/java-11-openjdk-portable.specfile
--- a/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch
+++ b/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch
--- a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
+++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+                sun.reflect.,\
+               org.GNOME.Accessibility.,\
+               org.GNOME.Bonobo.,\
+ 
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+                    sun.reflect.,\
+                   org.GNOME.Accessibility.,\
+                   org.GNOME.Bonobo.,\
+ 
+ #
+ # Determines whether this properties file can be appended to
--- a/SOURCES/rh1750419-redhat_alt_java.patch
+++ b/SOURCES/rh1750419-redhat_alt_java.patch
@ -1,8 +1,7 @@
-diff --git openjdk.orig/make/launcher/Launcher-java.base.gmk openjdk/make/launcher/Launcher-java.base.gmk
-index a8990dd0ef..320fec6e51 100644
--- openjdk.orig/make/launcher/Launcher-java.base.gmk
-+++ openjdk/make/launcher/Launcher-java.base.gmk
-@@ -41,6 +41,16 @@ $(eval $(call SetupBuildLauncher, java, \
+diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
+--- openjdk/make/launcher/Launcher-java.base.gmk      Wed Nov 25 08:27:15 2020 +0100
+++ openjdk/make/launcher/Launcher-java.base.gmk      Tue Dec 01 12:29:30 2020 +0100
+@@ -41,6 +41,16 @@
     OPTIMIZATION := HIGH, \
 ))
 
@ -16,14 +15,13 @@ index a8990dd0ef..320fec6e51 100644
 +    OPTIMIZATION := HIGH, \
 +))
 +
- ifeq ($(call isTargetOs, windows), true)
+ ifeq ($(OPENJDK_TARGET_OS), windows)
   $(eval $(call SetupBuildLauncher, javaw, \
       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
-diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
-new file mode 100644
-index 0000000000..697df2898a
--- /dev/null
-+++ openjdk/src/java.base/share/native/launcher/alt_main.h
+
+diff -r 25e94aa812b2 src/share/bin/alt_main.h
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ openjdk/src/java.base/share/native/launcher/alt_main.h	Tue Jun 02 17:15:28 2020 +0100
@@ -0,0 +1,73 @@
 +/*
 + * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
@ -98,10 +96,9 @@ index 0000000000..697df2898a
 +}
 +
 +#endif // REDHAT_ALT_JAVA
-diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
-index b734fe2ba7..79dc830765 100644
--- openjdk.orig/src/java.base/share/native/launcher/main.c
-+++ openjdk/src/java.base/share/native/launcher/main.c
+diff -r 25e94aa812b2 src/share/bin/main.c
+--- openjdk/src/java.base/share/native/launcher/main.c	Wed Feb 05 12:20:36 2020 -0300
+++ openjdk/src/java.base/share/native/launcher/main.c	Tue Jun 02 17:15:28 2020 +0100
@@ -34,6 +34,14 @@
 #include "jli_util.h"
 #include "jni.h"
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec