32 changed files with 1717 additions and 1274 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,150 @@
-SOURCES/openjdk-jdk11u-jdk-11.0.25+9.tar.xz
-SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
+*.rpm
+/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
+/shenandoah-jdk11-b516c8c7a0a4.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11+22.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11+28.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.1+13.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.1+13-20190101.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.2+7.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.3+6.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.3+7.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+2.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+3.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+4.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+5.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+6.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+7.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+8.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+9.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+10.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+1.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+2.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+2-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+9-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+9.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+10-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.6+1-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.6+2-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.6+9-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.6+10-4curve.tar.xz
+/tapsets-icedtea-3.11.0.tar.xz
+/tapsets-icedtea-3.15.0.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+1-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+2-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+3-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+3.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+4-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+4.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+5-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+5.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+6-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+6.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+7-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+7.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+8-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+8.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+9-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+9.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+10-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.7+10.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+1-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+2-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+3-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+4-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+5-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+6-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+7-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+8-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+9-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.8+10-4curve.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.9+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+2-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+3-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+4-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+5-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+6-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+7-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+8-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+9-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+10-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+2-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+3-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+4-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+5-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+8-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.10+9-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+2-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+3-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+4-4curve.tar.xz
+/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+5-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+6-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+7-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+3-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+4-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+6-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.13+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.13+7-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.14+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.14+8-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.14+9-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.15+1-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.15+8-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16.1+1-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.17+1-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.17+7-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.17+8-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.18+1-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.18+9-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.18+10-4curve.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.s390x.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.s390x.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.s390x.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.s390x.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.s390x.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.x86_64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.aarch64.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.ppc64le.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.s390x.tar.xz
+/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.x86_64.tar.xz
+/openjdk-jdk11u-jdk-11.0.19+7-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.20+1-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.20+7-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.20+8-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.20.1+1-4curve.tar.xz
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@ -1,2 +1 @@
-5fd3e49485572a2ac8c350503d872a624c59ddb2 SOURCES/openjdk-jdk11u-jdk-11.0.25+9.tar.xz
-c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
+c8281ee37b77d535c9c1af86609a531958ff7b34 tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
--- a/SOURCES/CheckVendor.java
+++ b/SOURCES/CheckVendor.java
--- a/SOURCES/README.md
+++ b/SOURCES/README.md
--- a/SOURCES/TestCryptoLevel.java
+++ b/SOURCES/TestCryptoLevel.java
--- a/SOURCES/TestECDSA.java
+++ b/SOURCES/TestECDSA.java
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
--- a/SOURCES/TestTranslations.java
+++ b/SOURCES/TestTranslations.java
--- a/discover_trees.sh
+++ b/discover_trees.sh
@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Copyright (C) 2020 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew@redhat.com>.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+TREE=${1}
+
+if test "x${TREE}" = "x"; then
+    TREE=${PWD}
+fi
+
+if [ -e ${TREE}/nashorn/.hg -o -e ${TREE}/nashorn/merge.changeset ] ; then
+    NASHORN="nashorn" ;
+fi
+
+if [ -e ${TREE}/corba/.hg -o -e ${TREE}/corba/merge.changeset ] ; then
+    CORBA="corba";
+fi
+
+if [ -e ${TREE}/jaxp/.hg -o -e ${TREE}/jaxp/merge.changeset ] ; then
+    JAXP="jaxp";
+fi
+
+if [ -e ${TREE}/jaxws/.hg -o -e ${TREE}/jaxws/merge.changeset ] ; then
+    JAXWS="jaxws";
+fi
+
+if [ -e ${TREE}/langtools/.hg -o -e ${TREE}/langtools/merge.changeset ] ; then
+    LANGTOOLS="langtools";
+fi
+
+if [ -e ${TREE}/jdk/.hg -o -e ${TREE}/jdk/merge.changeset ] ; then
+    JDK="jdk";
+fi
+
+if [ -e ${TREE}/hotspot/.hg -o -e ${TREE}/hotspot/merge.changeset ] ; then
+    HOTSPOT="hotspot";
+fi
+
+SUBTREES="${CORBA} ${JAXP} ${JAXWS} ${LANGTOOLS} ${NASHORN} ${JDK} ${HOTSPOT}";
+echo ${SUBTREES}
--- a/SOURCES/fips-11u-f93a863b56.patch
+++ b/SOURCES/fips-11u-f93a863b56.patch
@ -89,7 +89,7 @@ index 3787b12600..dab108a82b 100644
 LCMS_CFLAGS:=@LCMS_CFLAGS@
 LCMS_LIBS:=@LCMS_LIBS@
 diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
-index b40d3114b9..0d1d83cf3e 100644
+index 4cd656a086..e1fc94b5b4 100644
 --- a/make/lib/Lib-java.base.gmk
 +++ b/make/lib/Lib-java.base.gmk
@@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true)
@ -401,7 +401,7 @@ index 0000000000..8dcb7d9073
 +    }
 +}
 diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index 5b9552058b..b46de49211 100644
+index b36510a376..ad5182e1e7 100644
 --- a/src/java.base/share/classes/java/security/Security.java
 +++ b/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
@ -412,17 +412,16 @@ index 5b9552058b..b46de49211 100644
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.util.StaticProperty;
 import sun.security.util.Debug;
-@@ -47,6 +48,9 @@ import sun.security.jca.*;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
  * implementation-specific location, which is typically the properties file
  * {@code conf/security/java.security} in the Java installation directory.
  *
 + * <p>Additional default values of security properties are read from a
 + * system-specific location, if available.</p>
 + *
-  * @implNote If the properties file fails to load, the JDK implementation will
-  * throw an unspecified error when initializing the {@code Security} class.
-  *
-@@ -56,6 +60,11 @@ import sun.security.jca.*;
+  * @author Benjamin Renaud
+  * @since 1.1
+  */
 
 public final class Security {
 
@ -434,7 +433,7 @@ index 5b9552058b..b46de49211 100644
     /* Are we debugging? -- for developers */
     private static final Debug sdebug =
                         Debug.getInstance("properties");
-@@ -70,6 +79,19 @@ public final class Security {
+@@ -67,6 +76,19 @@ public final class Security {
     }
 
     static {
@ -454,19 +453,26 @@ index 5b9552058b..b46de49211 100644
         // doPrivileged here because there are multiple
         // things in initialize that might require privs.
         // (the FileInputStream call and the File.exists call,
-@@ -85,6 +107,7 @@ public final class Security {
-     private static void initialize() {
+@@ -83,6 +105,7 @@ public final class Security {
         props = new Properties();
+         boolean loadedProps = false;
         boolean overrideAll = false;
 +        boolean systemSecPropsEnabled = false;
 
         // first load the system properties file
         // to determine the value of security.overridePropertiesFile
-@@ -105,9 +128,63 @@ public final class Security {
+@@ -98,6 +121,7 @@ public final class Security {
+                 if (sdebug != null) {
+                     sdebug.println("reading security properties file: " +
+                                 propFile);
+                    sdebug.println(props.toString());
+                 }
+             } catch (IOException e) {
+                 if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
             }
-             loadProps(null, extraPropFile, overrideAll);
         }
-+
+ 
 +        boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
 +        boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
 +        if (sdebug != null) {
@ -486,7 +492,9 @@ index 5b9552058b..b46de49211 100644
 +            }
 +        }
 +
-+        if (systemSecPropsEnabled) {
+        // FIPS support depends on the contents of java.security so
+        // ensure it has loaded first
+        if (loadedProps && systemSecPropsEnabled) {
 +            boolean shouldEnable;
 +            String sysProp = System.getProperty("com.redhat.fips");
 +            if (sysProp == null) {
@ -522,19 +530,15 @@ index 5b9552058b..b46de49211 100644
 +        }
     }
 
-    private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
-+    static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
-         InputStream is = null;
-         try {
-             if (masterFile != null && masterFile.exists()) {
+     /*
 diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
 new file mode 100644
-index 0000000000..49bf17ea17
+index 0000000000..90f6dd2ebc
 --- /dev/null
 +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,248 @@
 +/*
-+ * Copyright (c) 2019, 2023, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
 + *
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 + *
@ -612,9 +616,26 @@ index 0000000000..49bf17ea17
 +     * security.useSystemPropertiesFile is true.
 +     */
 +    static boolean configureSysProps(Properties props) {
-+        // now load the system file, if it exists, so its values
-+        // will win if they conflict with the earlier values
-+        return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
+        boolean systemSecPropsLoaded = false;
+
+        try (BufferedInputStream bis =
+                new BufferedInputStream(
+                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+            props.load(bis);
+            systemSecPropsLoaded = true;
+            if (sdebug != null) {
+                sdebug.println("reading system security properties file " +
+                        CRYPTO_POLICIES_JAVA_CONFIG);
+                sdebug.println(props.toString());
+            }
+        } catch (IOException e) {
+            if (sdebug != null) {
+                sdebug.println("unable to load security properties from " +
+                        CRYPTO_POLICIES_JAVA_CONFIG);
+                e.printStackTrace();
+            }
+        }
+        return systemSecPropsLoaded;
 +    }
 +
 +    /*
@ -1014,7 +1035,7 @@ index e06b2a588c..315a2ce370 100644
                         candidates = new ProtocolVersion[] {
                             ProtocolVersion.TLS13,
 diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index 2a2b5d7568..891796f19b 100644
+index c50ba93ecf..de2a91a478 100644
 --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
 +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,6 +27,8 @@ package sun.security.ssl;
@ -1025,7 +1046,7 @@ index 2a2b5d7568..891796f19b 100644
 +import jdk.internal.misc.SharedSecrets;
 import sun.security.rsa.SunRsaSignEntries;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.util.SecurityProviderConstants.*;
+ import static sun.security.provider.SunEntries.createAliases;
@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider {
             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
         ps("SSLContext", "TLSv1.2",
@ -1041,12 +1062,12 @@ index 2a2b5d7568..891796f19b 100644
 +        }
         ps("SSLContext", "TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext",
-             (isfips? null : List.of("SSL")), null);
+             (isfips? null : createAliases("SSL")), null);
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index c0eed3f884..b03bd9f896 100644
+index 9af64321c4..957cd78a55 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
-@@ -88,6 +88,14 @@ security.provider.tbd=Apple
+@@ -85,6 +85,14 @@ security.provider.tbd=Apple
 security.provider.tbd=SunPKCS11
 #endif
 
@ -1061,7 +1082,7 @@ index c0eed3f884..b03bd9f896 100644
 #
 # A list of preferred providers for specific algorithms. These providers will
 # be searched for matching algorithms before the list of registered providers.
-@@ -301,6 +309,11 @@ policy.ignoreIdentityScope=false
+@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false
 #
 keystore.type=pkcs12
 
@ -1073,7 +1094,7 @@ index c0eed3f884..b03bd9f896 100644
 #
 # Controls compatibility mode for JKS and PKCS12 keystore types.
 #
-@@ -338,6 +351,13 @@ package.definition=sun.misc.,\
+@@ -335,6 +348,13 @@ package.definition=sun.misc.,\
 #
 security.overridePropertiesFile=true
 
@ -1384,7 +1405,7 @@ index 0000000000..b848a1fd78
 +    }
 +}
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index ffbd671246..bdaad67e06 100644
+index cf7cd19b68..69cda46f85 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
@ -1406,7 +1427,7 @@ index ffbd671246..bdaad67e06 100644
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -61,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
  */
 public final class SunPKCS11 extends AuthProvider {
 
@ -1436,7 +1457,7 @@ index ffbd671246..bdaad67e06 100644
     private static final long serialVersionUID = -1354835039035306505L;
 
     static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -318,10 +346,15 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider {
             // request multithreaded access first
             initArgs.flags = CKF_OS_LOCKING_OK;
             PKCS11 tmpPKCS11;
@ -1453,7 +1474,7 @@ index ffbd671246..bdaad67e06 100644
             } catch (PKCS11Exception e) {
                 if (debug != null) {
                     debug.println("Multi-threaded initialization failed: " + e);
-@@ -337,7 +370,7 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider {
                     initArgs.flags = 0;
                 }
                 tmpPKCS11 = PKCS11.getInstance(library,
@ -1462,7 +1483,7 @@ index ffbd671246..bdaad67e06 100644
             }
             p11 = tmpPKCS11;
 
-@@ -377,6 +410,24 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+# recipients: java-qa
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@ -0,0 +1,249 @@
+#!/bin/bash
+# Generates the 'source tarball' for JDK projects.
+#
+# Example:
+# When used from local repo set REPO_ROOT pointing to file:// with your repo
+# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
+# If you want to use a local copy of patch GH001, set the path to it in the GH001 variable
+#
+# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
+# PROJECT_NAME=openjdk
+# REPO_NAME=jdk11u
+# VERSION=HEAD
+# or to eg prepare systemtap:
+# icedtea7's jstack and other tapsets
+# VERSION=6327cf1cea9e
+# REPO_NAME=icedtea7-2.6
+# PROJECT_NAME=release
+# OPENJDK_URL=http://icedtea.classpath.org/hg/
+# TO_COMPRESS="*/tapset"
+#
+# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
+
+# This script creates a single source tarball out of the repository
+# based on the given tag and removes code not allowed in fedora/rhel. For
+# consistency, the source tarball will always contain 'openjdk' as the top
+# level folder, name is created, based on parameter
+#
+
+if [ ! "x$GH001" = "x" ] ; then
+  if [ ! -f "$GH001" ] ; then
+    echo "You have specified GH001 as $GH001 but it does not exist. Exiting"
+    exit 1
+  fi
+fi
+
+if [ ! "x$GH003" = "x" ] ; then
+  if [ ! -f "$GH003" ] ; then
+    echo "You have specified GH003 as $GH003 but it does not exist. Exiting"
+    exit 1
+  fi
+fi
+
+set -e
+
+OPENJDK_URL_DEFAULT=https://github.com
+COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=6.0
+
+if [ "x$1" = "xhelp" ] ; then
+    echo -e "Behaviour may be specified by setting the following variables:\n"
+    echo "VERSION - the version of the specified OpenJDK project"
+    echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
+    echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
+    echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
+    echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
+    echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
+    echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
+    echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
+    echo "GH001 - the path to the ECC code patch, GH001, to apply (optional; downloaded if unavailable)"
+    echo "GH003 - the path to the ECC test patch, GH003, to apply (optional; downloaded if unavailable)"
+    echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run"
+    exit 1;
+fi
+
+
+if [ "x$VERSION" = "x" ] ; then
+    echo "No VERSION specified"
+    exit 2
+fi
+echo "Version: ${VERSION}"
+
+NUM_VER=${VERSION##jdk-}
+RELEASE_VER=${NUM_VER%%+*}
+BUILD_VER=${NUM_VER##*+}
+MAJOR_VER=${RELEASE_VER%%.*}
+echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}"
+
+if [ "x$BOOT_JDK" = "x" ] ; then
+    echo "No boot JDK specified".
+    BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk;
+    echo -n "Checking for ${BOOT_JDK}...";
+    if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then
+        echo "Boot JDK found at ${BOOT_JDK}";
+    else
+        echo "Not found";
+        PREV_VER=$((${MAJOR_VER} - 1));
+        BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk;
+        echo -n "Checking for ${BOOT_JDK}...";
+        if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then
+            echo "Boot JDK found at ${BOOT_JDK}";
+        else
+            echo "Not found";
+            exit 4;
+        fi
+    fi
+else
+    echo "Boot JDK: ${BOOT_JDK}";
+fi
+
+# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
+if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
+  if [ "x$PROJECT_NAME" = "x" ] ; then
+    echo "No PROJECT_NAME specified"
+    exit 1
+  fi
+  echo "Project name: ${PROJECT_NAME}"
+  if [ "x$REPO_NAME" = "x" ] ; then
+    echo "No REPO_NAME specified"
+    exit 3
+  fi
+  echo "Repository name: ${REPO_NAME}"
+fi
+
+if [ "x$OPENJDK_URL" = "x" ] ; then
+    OPENJDK_URL=${OPENJDK_URL_DEFAULT}
+    echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}"
+else
+    echo "OpenJDK URL: ${OPENJDK_URL}"
+fi
+
+if [ "x$COMPRESSION" = "x" ] ; then
+    # rhel 5 needs tar.gz
+    COMPRESSION=${COMPRESSION_DEFAULT}
+fi
+echo "Creating a tar.${COMPRESSION} archive"
+
+if [ "x$FILE_NAME_ROOT" = "x" ] ; then
+    FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+    echo "No file name root specified; default to ${FILE_NAME_ROOT}"
+fi
+if [ "x$REPO_ROOT" = "x" ] ; then
+    REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git"
+    echo "No repository root specified; default to ${REPO_ROOT}"
+fi;
+
+if [ "x$TO_COMPRESS" = "x" ] ; then
+    TO_COMPRESS="openjdk"
+    echo "No targets to be compressed specified, ; default to ${TO_COMPRESS}"
+fi;
+
+echo -e "Settings:"
+echo -e "\tVERSION: ${VERSION}"
+echo -e "\tPROJECT_NAME: ${PROJECT_NAME}"
+echo -e "\tREPO_NAME: ${REPO_NAME}"
+echo -e "\tOPENJDK_URL: ${OPENJDK_URL}"
+echo -e "\tCOMPRESSION: ${COMPRESSION}"
+echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}"
+echo -e "\tREPO_ROOT: ${REPO_ROOT}"
+echo -e "\tTO_COMPRESS: ${TO_COMPRESS}"
+echo -e "\tGH001: ${GH001}"
+echo -e "\tGH003: ${GH003}"
+echo -e "\tBOOT_JDK: ${BOOT_JDK}"
+
+if [ -d ${FILE_NAME_ROOT} ] ; then
+  echo "exists exists exists exists exists exists exists "
+  echo "reusing reusing reusing reusing reusing reusing "
+  echo ${FILE_NAME_ROOT}
+else
+  mkdir "${FILE_NAME_ROOT}"
+  pushd "${FILE_NAME_ROOT}"
+    echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
+    git clone -b ${VERSION} ${REPO_ROOT} openjdk
+  popd
+fi
+pushd "${FILE_NAME_ROOT}"
+# UnderlineTaglet.java has a BSD license with a field-of-use restriction, making it non-Free
+    if [ -d openjdk/test ] ; then
+	echo "Removing langtools test case with non-Free license"
+	rm -vf openjdk/test/langtools/tools/javadoc/api/basic/taglets/UnderlineTaglet.java
+    fi
+    if [ -d openjdk/src ]; then 
+        pushd openjdk
+            echo "Removing EC source code we don't build"
+            CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl
+            rm -vf ${CRYPTO_PATH}/ec2.h
+            rm -vf ${CRYPTO_PATH}/ec2_163.c
+            rm -vf ${CRYPTO_PATH}/ec2_193.c
+            rm -vf ${CRYPTO_PATH}/ec2_233.c
+            rm -vf ${CRYPTO_PATH}/ec2_aff.c
+            rm -vf ${CRYPTO_PATH}/ec2_mont.c
+            rm -vf ${CRYPTO_PATH}/ecp_192.c
+            rm -vf ${CRYPTO_PATH}/ecp_224.c
+
+            echo "Syncing EC list with NSS"
+            if [ "x$GH001" = "x" ] ; then
+                # get gh001-4curve.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+                # Do not push it or publish it
+		echo "GH001 not found. Downloading..."
+		wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/gh001-4curve.patch
+	        echo "Applying ${PWD}/gh001-4curve.patch"
+		git apply --stat --apply -v -p1 gh001-4curve.patch
+		rm gh001-4curve.patch
+	    else
+		echo "Applying ${GH001}"
+		git apply --stat --apply -v -p1 $GH001
+            fi;
+            if [ "x$GH003" = "x" ] ; then
+                # get gh001-4curve.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+		echo "GH003 not found. Downloading..."
+		wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/gh003-4curve.patch
+	        echo "Applying ${PWD}/gh003-4curve.patch"
+		git apply --stat --apply -v -p1 gh003-4curve.patch
+		rm gh003-4curve.patch
+	    else
+		echo "Applying ${GH003}"
+		git apply --stat --apply -v -p1 $GH003
+            fi;
+            find . -name '*.orig' -exec rm -vf '{}' ';' || echo "No .orig files found. This is suspicious, but may happen."
+        popd
+    fi
+
+    # Generate .src-rev so build has knowledge of the revision the tarball was created from
+    mkdir build
+    pushd build
+    sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK}
+    make store-source-revision
+    popd
+    rm -rf build
+
+    # Remove commit checks
+    echo "Removing $(find openjdk -name '.jcheck' -print)"
+    find openjdk -name '.jcheck' -print0 | xargs -0 rm -r
+
+    # Remove history and GHA
+    echo "find openjdk -name '.hgtags'"
+    find openjdk -name '.hgtags' -exec rm -v '{}' '+'
+    echo "find openjdk -name '.hgignore'"
+    find openjdk -name '.hgignore' -exec rm -v '{}' '+'
+    echo "find openjdk -name '.gitattributes'"
+    find openjdk -name '.gitattributes' -exec rm -v '{}' '+'
+    echo "find openjdk -name '.gitignore'"
+    find openjdk -name '.gitignore' -exec rm -v '{}' '+'
+    echo "find openjdk -name '.git'"
+    find openjdk -name '.git' -exec rm -rv '{}' '+'
+    echo "find openjdk -name '.github'"
+    find openjdk -name '.github' -exec rm -rv '{}' '+'
+
+    echo "Compressing remaining forest"
+    if [ "X$COMPRESSION" = "Xxz" ] ; then
+        SWITCH=cJf
+    else
+        SWITCH=czf
+    fi
+    TARBALL_NAME=${FILE_NAME_ROOT}-4curve.tar.${COMPRESSION}
+    tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS
+    mv ${TARBALL_NAME} ..
+popd
+echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
--- a/get_sources.sh
+++ b/get_sources.sh
@ -0,0 +1,59 @@
+#!/bin/sh
+
+ID=${1}
+FEATUREVER=11
+
+if [ "x${ID}" = "x" ] ; then
+    echo "$0 <ID>";
+    exit 1;
+fi
+
+if [ "x${TMPDIR}" = "x" ] ; then
+    TMPDIR=/tmp
+fi
+
+downloaddir=${TMPDIR}/download.$$
+mkdir ${downloaddir}
+pushd ${downloaddir}
+echo "Downloading build ${ID} in ${downloaddir}";
+brew download-build ${ID}
+
+versionregexp="[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*-[0-9]*"
+basename=$(ls|grep java-${FEATUREVER}-openjdk-portable-${versionregexp}.el7openjdkportable.x86_64.rpm)
+version=$(echo ${basename}|sed -r "s|^.*-(${versionregexp})\.el7.*$|\1|")
+
+echo "Downloaded version ${version}"
+
+# Remove stripped release builds for portable and JREs
+rm -vf java-${FEATUREVER}-openjdk-portable-${FEATUREVER}*
+rm -vf java-${FEATUREVER}-openjdk-portable-devel-${FEATUREVER}*
+rm -vf java-${FEATUREVER}-openjdk-portable-slowdebug-${FEATUREVER}*
+rm -vf java-${FEATUREVER}-openjdk-portable-fastdebug-${FEATUREVER}*
+
+for file in *.rpm; do
+    rpm2archive ${file};
+done
+
+mkdir unpacked
+for file in *.tgz; do
+    tar -C unpacked -xzf ${file};
+done
+
+mkdir ${HOME}/${version}
+mv unpacked/usr/lib/jvm/* ${HOME}/${version}
+
+pushd ${HOME}/${version}
+for file in *.sha256sum; do
+    if ! sha256sum --check ${file} ; then
+	echo "${file} failed checksum.";
+	exit 2;
+    fi
+done
+popd
+
+rm -rf unpacked
+rm -vf *.tgz
+rm -vf *.rpm
+
+popd
+
--- a/icedtea_sync.sh
+++ b/icedtea_sync.sh
@ -0,0 +1,192 @@
+#!/bin/bash
+
+# Copyright (C) 2019 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew@redhat.com>.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ICEDTEA_USE_VCS=true
+
+ICEDTEA_VERSION=3.15.0
+ICEDTEA_URL=https://icedtea.classpath.org/download/source
+ICEDTEA_SIGNING_KEY=CFDA0F9B35964222
+
+ICEDTEA_HG_URL=https://icedtea.classpath.org/hg/icedtea11
+
+set -e
+
+RPM_DIR=${PWD}
+if [ ! -f ${RPM_DIR}/jconsole.desktop.in ] ; then
+    echo "Not in RPM source tree.";
+    exit 1;
+fi
+
+if test "x${TMPDIR}" = "x"; then
+    TMPDIR=/tmp;
+fi
+WORKDIR=${TMPDIR}/it.sync
+
+echo "Using working directory ${WORKDIR}"
+mkdir ${WORKDIR}
+pushd ${WORKDIR}
+
+if test "x${WGET}" = "x"; then
+    WGET=$(which wget);
+    if test "x${WGET}" = "x"; then
+	echo "wget not found";
+	exit 1;
+    fi
+fi
+
+if test "x${TAR}" = "x"; then
+    TAR=$(which tar)
+    if test "x${TAR}" = "x"; then
+	echo "tar not found";
+	exit 2;
+    fi
+fi
+
+echo "Dependencies:";
+echo -e "\tWGET: ${WGET}";
+echo -e "\tTAR: ${TAR}\n";
+
+if test "x${ICEDTEA_USE_VCS}" = "xtrue"; then
+    echo "Mode: Using VCS";
+
+    if test "x${GREP}" = "x"; then
+	GREP=$(which grep);
+	if test "x${GREP}" = "x"; then
+	    echo "grep not found";
+	    exit 3;
+	fi
+    fi
+
+    if test "x${CUT}" = "x"; then
+	CUT=$(which cut);
+	if test "x${CUT}" = "x"; then
+	    echo "cut not found";
+	    exit 4;
+	fi
+    fi
+
+    if test "x${TR}" = "x"; then
+	TR=$(which tr);
+	if test "x${TR}" = "x"; then
+	    echo "tr not found";
+	    exit 5;
+	fi
+    fi
+
+    if test "x${HG}" = "x"; then
+	HG=$(which hg);
+	if test "x${HG}" = "x"; then
+	    echo "hg not found";
+	    exit 6;
+	fi
+    fi
+
+    echo "Dependencies:";
+    echo -e "\tGREP: ${GREP}";
+    echo -e "\tCUT: ${CUT}";
+    echo -e "\tTR: ${TR}";
+    echo -e "\tHG: ${HG}";
+
+    echo "Checking out repository from VCS...";
+    ${HG} clone ${ICEDTEA_HG_URL} icedtea
+
+    echo "Obtaining version from configure.ac...";
+    ROOT_VER=$(${GREP} '^AC_INIT' icedtea/configure.ac|${CUT} -d ',' -f 2|${TR} -d '[][:space:]')
+    echo "Root version from configure: ${ROOT_VER}";
+
+    VCS_REV=$(${HG} log -R icedtea --template '{node|short}' -r tip)
+    echo "VCS revision: ${VCS_REV}";
+
+    ICEDTEA_VERSION="${ROOT_VER}-${VCS_REV}"
+    echo "Creating icedtea-${ICEDTEA_VERSION}";
+    mkdir icedtea-${ICEDTEA_VERSION}
+    echo "Copying required files from checkout to icedtea-${ICEDTEA_VERSION}";
+    # Commented out for now as IcedTea 6's jconsole.desktop.in is outdated
+    #cp -a icedtea/jconsole.desktop.in ../icedtea-${ICEDTEA_VERSION}
+    cp -a ${RPM_DIR}/jconsole.desktop.in icedtea-${ICEDTEA_VERSION}
+    cp -a icedtea/tapset icedtea-${ICEDTEA_VERSION}
+
+    rm -rf icedtea
+else
+    echo "Mode: Using tarball";
+
+    if test "x${ICEDTEA_VERSION}" = "x"; then
+	echo "No IcedTea version specified for tarball download.";
+	exit 3;
+    fi
+
+    if test "x${CHECKSUM}" = "x"; then
+	CHECKSUM=$(which sha256sum)
+	if test "x${CHECKSUM}" = "x"; then
+	    echo "sha256sum not found";
+	    exit 4;
+	fi
+    fi
+
+    if test "x${PGP}" = "x"; then
+	PGP=$(which gpg)
+	if test "x${PGP}" = "x"; then
+	    echo "gpg not found";
+	    exit 5;
+	fi
+    fi
+
+    echo "Dependencies:";
+    echo -e "\tCHECKSUM: ${CHECKSUM}";
+    echo -e "\tPGP: ${PGP}\n";
+
+    echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}...";
+    if ! gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then
+	echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed.";
+	exit 6;
+    fi
+
+    echo "Downloading IcedTea release tarball...";
+    ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz
+    echo "Downloading IcedTea tarball signature...";
+    ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+    echo "Downloading IcedTea tarball checksums...";
+    ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256
+
+    echo "Verifying checksums...";
+    ${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256
+
+    echo "Checking signature...";
+    ${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+
+    echo "Extracting files...";
+    ${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \
+       icedtea-${ICEDTEA_VERSION}/tapset \
+       icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in
+
+    rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz
+    rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+    rm -vf icedtea-${ICEDTEA_VERSION}.sha256
+fi
+
+echo "Replacing desktop files...";
+mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in ${RPM_DIR}
+
+echo "Creating new tapset tarball...";
+mv -v icedtea-${ICEDTEA_VERSION} openjdk
+${TAR} cJf ${RPM_DIR}/tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk
+
+rm -rvf openjdk
+
+popd
+rm -rf ${WORKDIR}
--- a/SOURCES/java-11-openjdk-portable.specfile
+++ b/SOURCES/java-11-openjdk-portable.specfile
@ -1,4 +1,4 @@
-## debug_package %%{nil} is portable-jdks specific
+# debug_package %%{nil} is portable-jdks specific
 %define  debug_package %{nil}

 # RPM conditionals so as to be able to dynamically produce
@ -25,7 +25,7 @@
 # Enable static library builds by default.
 %bcond_without staticlibs
 # Remove build artifacts by default
-%bcond_without artifacts
+%bcond_with artifacts
 # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
 %bcond_without fresh_libjvm
 # Build with system libraries
@ -147,8 +147,6 @@
 %global zgc_arches x86_64
 # Set of architectures for which alt-java has SSB mitigation
 %global ssbd_arches x86_64
-# Architecture on which we run Java only tests
-%global jdk_test_arch x86_64
 # Set of architectures where we verify backtraces with gdb
 # s390x fails on RHEL 7 so we exclude it there
 %if (0%{?rhel} > 0 && 0%{?rhel} < 8)
@ -341,7 +339,7 @@
 # New Version-String scheme-style defines
 %global featurever 11
 %global interimver 0
-%global updatever 25
+%global updatever 20
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@ -369,7 +367,7 @@
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{component}&version=%{fedora}
 %else
 %if 0%{?rhel}
-%global oj_vendor_bug_url https://access.redhat.com/support/cases/
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{component}
 %else
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
 %endif
@ -380,21 +378,14 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver f93a863b56
-# Define JDK versions
-%global javaver         %{featurever}
-%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
-%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
-# The tag used to create the OpenJDK tarball
-%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+%global fipsver b34fb09a5c

 # Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
-%global top_level_dir_name   %{vcstag}
+%global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
+%global buildver        8
 %global rpmrelease      1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@ -409,6 +400,15 @@
 # for techpreview, using 1, so slowdebugs can have 0
 %global priority %( printf '%08d' 1 )
 %endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+%global javaver         %{featurever}

 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
@ -568,12 +568,12 @@ URL:      http://openjdk.java.net/

 # to regenerate source0 (jdk) run update_package.sh
 # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz

 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
 # Systemtap tapsets. Zipped up to keep it small.
-Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+Source8: tapsets-icedtea-%%{icedteaver}.tar.xz

 # Desktop files. Adapted from IcedTea
 # Disabled in portables
@ -671,14 +671,14 @@ Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
 # need to be reviewed & pushed to the appropriate
 # updates tree of OpenJDK.
 #############################################
-Patch2002: jdk8242332-rh2108712-sha3-sunpkcs11.patch
+Patch2001: jdk8242332-rh2108712-sha3-sunpkcs11.patch

 #############################################
 #
-# Patches appearing in 11.0.23
+# Patches appearing in 11.0.20
 #
 # This section includes patches which are present
-# in the listed OpenJDK 8u release and should be
+# in the listed OpenJDK 11u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
@ -728,6 +728,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
+# 2023c required as of JDK-8305113
+BuildRequires: tzdata-java >= 2023c
 # cacerts build requirement in portable mode
 BuildRequires: ca-certificates
 # Earlier versions have a bug in tree vectorization on PPC
@ -745,22 +747,19 @@ BuildRequires: harfbuzz-devel
 BuildRequires: lcms2-devel
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
-BuildRequires: zlib-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.13.2
+Provides: bundled(freetype) = 2.12.1
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
-Provides: bundled(giflib) = 5.2.2
+Provides: bundled(giflib) = 5.2.1
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 8.2.2
+Provides: bundled(harfbuzz) = 7.0.1
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
-Provides: bundled(lcms2) = 2.16.0
+Provides: bundled(lcms2) = 2.15.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.43
-# Version in src/java.base/share/native/libzip/zlib/zlib.h
-Provides: bundled(zlib) = 1.3.1
+Provides: bundled(libpng) = 1.6.37
 # We link statically against libstdc++ to increase portability
 BuildRequires: libstdc++-static
 %endif
@ -950,20 +949,18 @@ sh %{SOURCE12} %{top_level_dir_name}

 # Patch the JDK
 pushd %{top_level_dir_name}
-%patch -P1 -p1
-%patch -P3 -p1
+%patch1 -p1
+%patch3 -p1
 # Add crypto policy and FIPS support
-%patch -P1001 -p1
+%patch1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
-%patch -P1000 -p1
+%patch1000 -p1
 # PKCS11 SHA3 backport
-%patch -P2002 -p1
-# alt-java
-%patch -P600 -p1
-# RSA default
-%patch -P1003 -p1
+%patch2001 -p1
 popd # openjdk

+%patch600
+%patch1003

 # Extract systemtap tapsets
 %if %{with_systemtap}
@ -1065,6 +1062,9 @@ function buildjdk() {
    bash ${top_dir_abs_src_path}/configure \
 %ifarch %{zero_arches}
    --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+    --with-jobs=1 \
 %endif
    --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts`  \
    --with-version-build=%{buildver} \
@ -1111,14 +1111,13 @@ function stripjdk() {
    local jreimagepath=${outputdir}/images/%{jreimage}
    local jmodimagepath=${outputdir}/images/jmods
    local supportdir=${outputdir}/support
-    local modulefile=lib/modules

    if [ "x$suffix" = "x" ] ; then
        # Keep the unstripped version for consumption by RHEL RPMs
        cp -a ${jdkimagepath}{,.unstripped}

-        # Strip libraries and executables
-        for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} -type f | grep -v '\.o$' | grep -v '\.debuginfo$' | grep -v '\.class$' ) ; do
+        # Strip the files
+        for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} -type f) ; do
            if file ${file} | grep -q 'ELF'; then
                noextfile=${file/.so/};
                objcopy --only-keep-debug ${file} ${noextfile}.debuginfo;
@ -1132,8 +1131,7 @@ function stripjdk() {
            echo "Support directory missing.";
            exit 15
        fi
-        echo "Rebuilding jmod files against the stripped binaries"
-        for cmd in $(find ${supportdir}/jmods -name '*.jmod.cmdline') ; do
+        for cmd in $(find ${supportdir} -name '*.jmod.cmdline') ; do
            jmod=$(cat ${cmd} | sed -r 's|.*support/(.*$)|\1|');
            echo "Rebuilding ${jmod} against stripped binaries...";
            echo "Removing old jmod ${jmod}...";
@ -1141,36 +1139,9 @@ function stripjdk() {
            rm -vf ${jdkimagepath}/jmods/$(basename ${jmod});
            echo "Executing $(cat ${cmd})...";
            cat ${cmd} | sh -s ;
-            echo "Moving jmod to image and image/jmods...";
-            cp -v ${supportdir}/${jmod} ${jmodimagepath};
+            echo "Moving jmod to image...";
            mv -v ${supportdir}/${jmod} ${jdkimagepath}/jmods;
        done
-        echo "Rebuilding images with stripped modules..."
-        for image in %{jdkimage} %{jreimage} ; do
-            outdir=${outputdir}/images/${image};
-            jlink=${supportdir}/images/${image}.cmdline;
-            echo "Running ${jlink}..."
-            if [ ! -f ${jlink} ]; then
-                echo "Cannot find JLINK command: ${jlink}"
-                echo "Supportdir images contains:"
-                ls -ali ${supportdir}/images
-                exit 16
-            fi
-            # Backup the existing image as it contains files not generated by jlink
-            mv ${outdir}{,.bak}
-            # Regenerate the image using the command generated using the initial build
-            cat ${jlink} | sh -s;
-            # Move the new jmods and module file from the new image to the old one
-            if [ -e ${outdir}.bak/jmods ]; then
-                rm -rf ${outdir}.bak/jmods;
-                mv -vf ${outdir}/jmods ${outdir}.bak;
-            fi
-            # ... and move the modulefile too...
-            mv -vf ${outdir}/${modulefile} ${outdir}.bak/$(dirname ${modulefile});
-            # Restore the original image
-            rm -rf ${outdir};
-            mv -vf ${outdir}{.bak,};
-        done
    fi
 }

@ -1263,10 +1234,17 @@ function packagejdk() {
    jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
    staticname=%{staticlibsportablename -- "$nameSuffix"}
    staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
+    debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
+    unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
+    # We only use docs for the release build
+    docname=%{docportablename}
+    docarchive=${packagesdir}/%{docportablearchive}
+    built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+    # These are from the source tree so no debug variants
+    miscname=%{miscportablename}
+    miscarchive=${packagesdir}/%{miscportablearchive}

    if [ "x$suffix" = "x" ] ; then
-        unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
-
        # Keep the unstripped version for consumption by RHEL RPMs
        mv %{jdkimage}.unstripped ${jdkname}
        tar -cJf ${unstrippedarchive} ${jdkname}
@ -1280,15 +1258,6 @@ function packagejdk() {

    # Release images have external debug symbols
    if [ "x$suffix" = "x" ] ; then
-        debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
-        # We only use docs for the release build
-        docname=%{docportablename}
-        docarchive=${packagesdir}/%{docportablearchive}
-        built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
-        # These are from the source tree so no debug variants
-        miscname=%{miscportablename}
-        miscarchive=${packagesdir}/%{miscportablearchive}
-
        tar -cJf ${debugarchive} $(find ${jdkname} -name \*.debuginfo)
        genchecksum ${debugarchive}

@ -1421,58 +1390,48 @@ export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
 $JAVA_HOME//bin/java -XX:+UseShenandoahGC -version
 %endif

-# Only test on one architecture (the fastest) for Java only tests
-%ifarch %{jdk_test_arch}
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel

-  # Check unlimited policy has been used
-  $JAVA_HOME/bin/javac -d . %{SOURCE13}
-  $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")

-  # Check ECC is working
-  $JAVA_HOME/bin/javac -d . %{SOURCE14}
-  $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+#Portable specific: set false whereas its true for upstream
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false

-  # Check system crypto (policy) is active and can be disabled
-  # Test takes a single argument - true or false - to state whether system
-  # security properties are enabled or not.
-  $JAVA_HOME/bin/javac -d . %{SOURCE15}
-  export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
-  export SEC_DEBUG="-Djava.security.debug=properties"
-  #Portable specific: set false whereas its true for upstream
-  $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false
-  $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"

-  # Check correct vendor values have been set
-  $JAVA_HOME/bin/javac -d . %{SOURCE16}
-  $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
-
-  # Check java launcher has no SSB mitigation
-  if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
-
-  # Check alt-java launcher has SSB mitigation on supported architectures
-  %ifarch %{ssbd_arches}
-  nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
-  %else
-  if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
-  %endif
-
-  # Check translations are available for new timezones
-  $JAVA_HOME/bin/javac -d . %{SOURCE18}
-  $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
-  $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
-
-  %if %{include_staticlibs}
-  # Check debug symbols in static libraries (smoke test)
-  export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
-  readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
-  readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
-  %endif
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi

+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
 %else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif

-  # Just run a basic java -version test on other architectures
-  $JAVA_HOME/bin/java -version
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR

+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
 %endif

 # Release builds strip the debug symbols into external .debuginfo files
@ -1574,10 +1533,12 @@ for suffix in %{build_loop} ; do
        nameSuffix=`echo "$suffix"| sed s/-/./`
    fi

-    # These definitions should match those in packagejdk
+    # These definitions should match those in installjdk
    jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}
    jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
    staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
+    debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
+    unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}

    mkdir -p $RPM_BUILD_ROOT%{_jvmdir}

@ -1592,23 +1553,23 @@ for suffix in %{build_loop} ; do
 %endif

    if [ "x$suffix" = "x" ] ; then
-        # These definitions should match those in packagejdk
-        debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
-        unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
-        docarchive=${packagesdir}/%{docportablearchive}
-        miscarchive=${packagesdir}/%{miscportablearchive}
-
        mv ${debugarchive} $RPM_BUILD_ROOT%{_jvmdir}/
        mv ${debugarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
        mv ${unstrippedarchive} $RPM_BUILD_ROOT%{_jvmdir}/
        mv ${unstrippedarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
-        mv ${docarchive} $RPM_BUILD_ROOT%{_jvmdir}/
-        mv ${docarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
-        mv ${miscarchive} $RPM_BUILD_ROOT%{_jvmdir}/
-        mv ${miscarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
    fi
 done

+# These definitions should match those in installjdk
+# Install outside the loop as there are no debug variants
+docarchive=${packagesdir}/%{docportablearchive}
+miscarchive=${packagesdir}/%{miscportablearchive}
+
+mv ${docarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+mv ${docarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+mv ${miscarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+mv ${miscarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+
 # To show sha in the build log
 for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do
    ls -l $file ;
@ -1626,8 +1587,6 @@ done
 # placeholder
 %endif

-%if %{include_normal_build}
-
 %files devel
 %{_jvmdir}/%{jdkportablearchive -- %%{nil}}
 %{_jvmdir}/%{jdkportablearchive -- .debuginfo}
@ -1644,16 +1603,6 @@ done
 %{_jvmdir}/%{jdkportablearchive -- .unstripped}
 %{_jvmdir}/%{jdkportablearchive -- .unstripped}.sha256sum

-%files docs
-%{_jvmdir}/%{docportablearchive}
-%{_jvmdir}/%{docportablearchive}.sha256sum
-
-%files misc
-%{_jvmdir}/%{miscportablearchive}
-%{_jvmdir}/%{miscportablearchive}.sha256sum
-
-%endif
-
 %if %{include_debug_build}

 %files slowdebug
@ -1690,146 +1639,15 @@ done

 %endif

+%files docs
+%{_jvmdir}/%{docportablearchive}
+%{_jvmdir}/%{docportablearchive}.sha256sum
+
+%files misc
+%{_jvmdir}/%{miscportablearchive}
+%{_jvmdir}/%{miscportablearchive}.sha256sum
+
 %changelog
-* Thu Oct 10 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.25.0.9-1
- Update to jdk-11.0.25+9 (GA)
- Update release notes to 11.0.25+9
- Switch to GA mode for release
- Resolves: OPENJDK-3090
- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. **
-
-* Mon Oct 07 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.25.0.8-0.2.ea
- Updated NEWS
- Using %bcond_without artifacts
-
-* Wed Oct 02 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.25.0.8-0.1.ea
- Update to jdk-11.0.25+8 (EA)
- Update release notes to 11.0.25+8
-
-* Thu Sep 26 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.25.0.7-0.1.ea
- Update to jdk-11.0.25+7 (EA)
- Update release notes to 11.0.25+7
-
-* Thu Sep 12 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.25.0.6-0.1.ea
- Update to jdk-11.0.25+6 (EA)
- Update release notes to 11.0.25+6
-
-* Thu Sep 05 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.25.0.5-0.1.ea
- Update to jdk-11.0.25+5 (EA)
- Update release notes to 11.0.25+5
- Switch to EA mode
- Bump giflib version to 5.2.2 following JDK-8328999
- Bump libpng version to 1.6.43 following JDK-8329004
-
-* Mon Aug 26 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.24.0.8-6
- Add missing modulefile in stripjdk
- Skip `.o` and others in stripping loop
- Resolves: OPENJDK-3056
-
-* Tue Aug 20 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.24.0.8-5
- Limit Java only tests to one 'jdk_test_arch'
- Resolves: OPENJDK-3184
-
-* Mon Aug 19 2024 Antonio Vieiro <avieirov@redhat.com> - 1:11.0.24.0.8-4
- Rebuild the lib/modules jimage against the updated jmods
- Resolves: OPENJDK-3056
-
-* Fri Jul 26 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.24.0.8-2
- Drop unneeded tzdata-java build dependency following 3e3cf8fa2df7bac2f6a60a0ddd596ec39228a3e1
- Resolves: OPENJDK-3192
-
-* Fri Jul 26 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.24.0.8-2
- Move unstripped, misc and doc tarball handling into normal build / no suffix blocks
- Resolves: OPENJDK-3217
-
-* Wed Jul 10 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.24.0.8-2
- Adjusted DTLS & RPATH NEWS entries to match OpenJDK 17 & 21 release notes
-
-* Wed Jul 10 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.24.0.8-1
- Update to jdk-11.0.24+8 (GA)
- Update release notes to 11.0.24+8
- Switch to GA mode for release
- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. **
-
-* Mon Jun 24 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.24.0.6-0.2.ea
- Add zlib build required or bundled version (1.3.1), depending on system_libs setting
- Related: OPENJDK-3066
-
-* Thu Jun 06 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.24.0.6-0.1.ea
- Update to jdk-11.0.24+6 (EA)
- Update release notes to 11.0.24+6
- Switch to EA mode
- Update LCMS to 2.16 (JDK-8321489)
- Improve VCS exclusion in generate_source_tarball.sh script
- Bring outdated patch macros in the spec file up to date
-
-* Thu Apr 18 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.23.0.9-3
- Sync release notes with upstream version: https://bit.ly/openjdk11023
-
-* Thu Apr 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.23.0.9-2
- Fix 11.0.22 release date in NEWS
-
-* Wed Apr 10 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.23.0.9-1
- Update to jdk-11.0.23+9 (GA)
- Update release notes to 11.0.23+9
- Switch to GA mode for release
- Require tzdata 2024a due to upstream inclusion of JDK-8322725
- Only require tzdata 2023d for now as 2024a is unavailable in buildroot
- Speed up PPC build by removing ppc64le --with-jobs=1 workaround
- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. **
-
-* Thu Mar 21 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.23.0.1-0.1.ea
- Update to jdk-11.0.23+1 (EA)
- Update release notes to 11.0.23+1
- Switch to EA mode
-
-* Wed Jan 10 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.7-1
- Update to jdk-11.0.22+7 (GA)
- Update release notes to 11.0.22+7
- Switch to GA mode for release
- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
-
-* Mon Jan 08 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.6-0.1.ea
- Update to jdk-11.0.22+6 (EA)
- Update release notes to 11.0.22+6
-
-* Thu Jan 04 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.1-0.1.ea
- Update to jdk-11.0.22+1 (EA)
- Update release notes to 11.0.22+1
- Switch to EA mode
- Drop local copy of JDK-8312489 which is now included upstream
-
-* Wed Oct 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.21.0.9-1
- Update to jdk-11.0.21+9 (GA)
- Update release notes to 11.0.21+9
- Switch to GA mode for release
- Drop local backport of JDK-8243210 which is upstream from 11.0.21+2
- Bump freetype version to 2.13.0 following JDK-8306881
- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
-
-* Thu Oct 05 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.21.0.1-0.1.ea
- Update to jdk-11.0.21+1 (EA)
- Update release notes to 11.0.21+1
- Switch to EA mode
- Re-generate FIPS patch against 11.0.21+1 following backport of JDK-8155246
- Re-generate SHA3 patch following backport of JDK-8242151
- Bump libpng version to 1.6.39 following JDK-8305815
- Bump HarfBuzz version to 7.2.0 following JDK-8307301
- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
- Update bug URL for RHEL to point to the Red Hat customer portal
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Apply all patches using -p1
-
-* Tue Sep 05 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.1.1-1
- Update to jdk-11.0.20.1+1 (GA)
- Update release notes to 11.0.20.1+1
- Add backport of JDK-8312489 already upstream in 11.0.22 (see OPENJDK-2095)
- Add backport of JDK-8243210 already upstream in 11.0.21 (see RH2229269)
- Update openjdk_news script to specify subdirectory last
- Add missing discover_trees script required by openjdk_news
- Update README.md to match the version in later RHEL releases
- Resolves: rhbz#2236589
-
 * Fri Jul 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.0.8-1
 - Update to jdk-11.0.20.0+8 (GA)
 - Update release notes to 11.0.20.0+8
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
--- a/SOURCES/jconsole.desktop.in
+++ b/SOURCES/jconsole.desktop.in
--- a/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch
+++ b/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch
@ -1,11 +1,11 @@
-commit b8711800e3cd9132ad2b195c82cf816210feb77d
+commit 81c2107a9188680f7c35ebc7697b292d5972436e
 Author: Andrew Hughes <gnu.andrew@redhat.com>
-Date:   Thu Oct 5 03:13:01 2023 +0100
+Date:   Mon Feb 27 13:22:43 2023 +0000

    Backport 78be334c3817a1b5840922a9bf1339a40dcc5185

 diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
-index b5cc3b05f1..7e235c90dd 100644
+index 92ecb9adc0c..a5848c96aad 100644
 --- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java
 +++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
@@ -155,6 +155,14 @@ public enum KnownOIDs {
@ -24,7 +24,7 @@ index b5cc3b05f1..7e235c90dd 100644
     SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"),
     SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"),
 diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
-index 32c089fd96..7d5c0c7e29 100644
+index 32c089fd96d..7d5c0c7e299 100644
 --- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java
 +++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
@@ -168,4 +168,22 @@ public class SignatureUtil {
@ -51,7 +51,7 @@ index 32c089fd96..7d5c0c7e29 100644
 +    }
 }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
-index 41fe61b8a1..daf0bc9f69 100644
+index 41fe61b8a16..daf0bc9f69c 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
@@ -1,5 +1,5 @@
@ -93,7 +93,7 @@ index 41fe61b8a1..daf0bc9f69 100644
             break;
         default:
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
-index 926414608c..f343e6025e 100644
+index 926414608cb..f343e6025e1 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
@@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@ -428,7 +428,7 @@ index 926414608c..f343e6025e 100644
 -
 }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
-index c88e4a6ace..29b26651c3 100644
+index c88e4a6ace5..29b26651c39 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
@@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@ -465,7 +465,7 @@ index c88e4a6ace..29b26651c3 100644
             break;
         case (int)CKM_SSL3_MD5_MAC:
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
-index 1419be3754..18e00a544b 100644
+index 26eaa4735f1..905b6ea9562 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
@@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec;
@ -738,7 +738,7 @@ index 1419be3754..18e00a544b 100644
 
     // see JCA spec
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
-index e3af106d05..e49edf32c2 100644
+index e3af106d05a..e49edf32c29 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
@@ -51,8 +51,15 @@ import sun.security.util.KeyUtil;
@ -970,88 +970,111 @@ index e3af106d05..e49edf32c2 100644
 //      return RSASignature.decodeSignature(digestOID, signature);
 //    }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index ffbd671246..d191831dab 100644
+index cf7cd19b689..7a8bcffb92c 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -546,6 +546,14 @@ public final class SunPKCS11 extends AuthProvider {
-                 m(CKM_SHA512_224));
-         dA(MD, "SHA-512/256",        P11Digest,
+@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider {
+         d(MD, "SHA-512/256",        P11Digest,
+                 s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"),
                 m(CKM_SHA512_256));
-+        dA(MD, "SHA3-224",        P11Digest,
+        d(MD, "SHA3-224",        P11Digest,
+	        s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"),
 +                m(CKM_SHA3_224));
-+        dA(MD, "SHA3-256",        P11Digest,
+        d(MD, "SHA3-256",        P11Digest,
+	        s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"),
 +                m(CKM_SHA3_256));
-+        dA(MD, "SHA3-384",        P11Digest,
+        d(MD, "SHA3-384",        P11Digest,
+	        s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"),
 +                m(CKM_SHA3_384));
-+        dA(MD, "SHA3-512",        P11Digest,
+        d(MD, "SHA3-512",        P11Digest,
+	        s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"),
 +                m(CKM_SHA3_512));
 
         d(MAC, "HmacMD5",       P11MAC,
                 m(CKM_MD5_HMAC));
-@@ -563,7 +571,14 @@ public final class SunPKCS11 extends AuthProvider {
-                 m(CKM_SHA512_224_HMAC));
-         dA(MAC, "HmacSHA512/256",    P11MAC,
+@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider {
+         d(MAC, "HmacSHA512/256",    P11MAC,
+                 s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
                 m(CKM_SHA512_256_HMAC));
 -
-+        dA(MAC, "HmacSHA3-224",    P11MAC,
+        d(MAC, "HmacSHA3-224",    P11MAC,
+                s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
 +                m(CKM_SHA3_224_HMAC));
-+        dA(MAC, "HmacSHA3-256",    P11MAC,
+        d(MAC, "HmacSHA3-256",    P11MAC,
+                s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
 +                m(CKM_SHA3_256_HMAC));
-+        dA(MAC, "HmacSHA3-384",    P11MAC,
+        d(MAC, "HmacSHA3-384",    P11MAC,
+                s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
 +                m(CKM_SHA3_384_HMAC));
-+        dA(MAC, "HmacSHA3-512",    P11MAC,
+        d(MAC, "HmacSHA3-512",    P11MAC,
+                s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
 +                m(CKM_SHA3_512_HMAC));
         d(MAC, "SslMacMD5",     P11MAC,
                 m(CKM_SSL3_MD5_MAC));
         d(MAC, "SslMacSHA1",    P11MAC,
-@@ -595,6 +610,30 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider {
                 m(CKM_BLOWFISH_KEY_GEN));
         d(KG,  "ChaCha20",      P11KeyGenerator,
                 m(CKM_CHACHA20_KEY_GEN));
 +        d(KG,  "HmacMD5",      P11KeyGenerator, // 1.3.6.1.5.5.8.1.1
 +                m(CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA1",      P11KeyGenerator,
+        d(KG,  "HmacSHA1",      P11KeyGenerator,
+                s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"),
 +                m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA224",    P11KeyGenerator,
+        d(KG,  "HmacSHA224",    P11KeyGenerator,
+                s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"),
 +                m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA256",    P11KeyGenerator,
+        d(KG,  "HmacSHA256",    P11KeyGenerator,
+                s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"),
 +                m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA384",    P11KeyGenerator,
+        d(KG,  "HmacSHA384",    P11KeyGenerator,
+                s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"),
 +                m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA512",    P11KeyGenerator,
+        d(KG,  "HmacSHA512",    P11KeyGenerator,
+                s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
 +                m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA512/224",    P11KeyGenerator,
+        d(KG,  "HmacSHA512/224",    P11KeyGenerator,
+                s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"),
 +                m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA512/256",    P11KeyGenerator,
+        d(KG,  "HmacSHA512/256",    P11KeyGenerator,
+                s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
 +                m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA3-224",    P11KeyGenerator,
+        d(KG,  "HmacSHA3-224",    P11KeyGenerator,
+                s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
 +                m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA3-256",    P11KeyGenerator,
+        d(KG,  "HmacSHA3-256",    P11KeyGenerator,
+                s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
 +                m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA3-384",    P11KeyGenerator,
+        d(KG,  "HmacSHA3-384",    P11KeyGenerator,
+                s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
 +                m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        dA(KG,  "HmacSHA3-512",    P11KeyGenerator,
+        d(KG,  "HmacSHA3-512",    P11KeyGenerator,
+                s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
 +                m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
 
         // register (Secret)KeyFactories if there are any mechanisms
         // for a particular algorithm that we support
-@@ -725,37 +764,77 @@ public final class SunPKCS11 extends AuthProvider {
-                 m(CKM_DSA_SHA384));
-         dA(SIG, "SHA512withDSA", P11Signature,
+@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider {
+         d(SIG, "SHA512withDSA", P11Signature,
+                 s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"),
                 m(CKM_DSA_SHA512));
-+        dA(SIG, "SHA3-224withDSA", P11Signature,
+        d(SIG, "SHA3-224withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"),
 +                m(CKM_DSA_SHA3_224));
-+        dA(SIG, "SHA3-256withDSA", P11Signature,
+        d(SIG, "SHA3-256withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"),
 +                m(CKM_DSA_SHA3_256));
-+        dA(SIG, "SHA3-384withDSA", P11Signature,
+        d(SIG, "SHA3-384withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"),
 +                m(CKM_DSA_SHA3_384));
-+        dA(SIG, "SHA3-512withDSA", P11Signature,
+        d(SIG, "SHA3-512withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"),
 +                m(CKM_DSA_SHA3_512));
         d(SIG, "RawDSAinP1363Format",   P11Signature,
-                 List.of("NONEwithDSAinP1363Format"),
+                 s("NONEwithDSAinP1363Format"),
                 m(CKM_DSA));
         d(SIG, "DSAinP1363Format",      P11Signature,
-                 List.of("SHA1withDSAinP1363Format"),
+                 s("SHA1withDSAinP1363Format"),
                 m(CKM_DSA_SHA1, CKM_DSA));
 -
 +        d(SIG, "SHA224withDSAinP1363Format",      P11Signature,
@ -1072,27 +1095,36 @@ index ffbd671246..d191831dab 100644
 +                m(CKM_DSA_SHA3_512));
         d(SIG, "NONEwithECDSA", P11Signature,
                 m(CKM_ECDSA));
-         dA(SIG, "SHA1withECDSA", P11Signature,
+         d(SIG, "SHA1withECDSA", P11Signature,
+@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider {
                 m(CKM_ECDSA_SHA1, CKM_ECDSA));
-         dA(SIG, "SHA224withECDSA",       P11Signature,
+         d(SIG, "SHA224withECDSA",       P11Signature,
+                 s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"),
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA224, CKM_ECDSA));
-         dA(SIG, "SHA256withECDSA",       P11Signature,
+         d(SIG, "SHA256withECDSA",       P11Signature,
+                 s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"),
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA256, CKM_ECDSA));
-         dA(SIG, "SHA384withECDSA",       P11Signature,
+         d(SIG, "SHA384withECDSA",       P11Signature,
+                 s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"),
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA384, CKM_ECDSA));
-         dA(SIG, "SHA512withECDSA",       P11Signature,
+         d(SIG, "SHA512withECDSA",       P11Signature,
+                 s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"),
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA512, CKM_ECDSA));
-+        dA(SIG, "SHA3-224withECDSA",       P11Signature,
+        d(SIG, "SHA3-224withECDSA",       P11Signature,
+                s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"),
 +                m(CKM_ECDSA_SHA3_224, CKM_ECDSA));
-+        dA(SIG, "SHA3-256withECDSA",       P11Signature,
+        d(SIG, "SHA3-256withECDSA",       P11Signature,
+                s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"),
 +                m(CKM_ECDSA_SHA3_256, CKM_ECDSA));
-+        dA(SIG, "SHA3-384withECDSA",       P11Signature,
+        d(SIG, "SHA3-384withECDSA",       P11Signature,
+                s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"),
 +                m(CKM_ECDSA_SHA3_384, CKM_ECDSA));
-+        dA(SIG, "SHA3-512withECDSA",       P11Signature,
+        d(SIG, "SHA3-512withECDSA",       P11Signature,
+                s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"),
 +                m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
         d(SIG, "NONEwithECDSAinP1363Format",   P11Signature,
                 m(CKM_ECDSA));
@ -1119,25 +1151,29 @@ index ffbd671246..d191831dab 100644
 +        d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature,
 +                m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
 +
-         dA(SIG, "MD2withRSA",    P11Signature,
+         d(SIG, "MD2withRSA",    P11Signature,
+                 s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"),
                 m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         dA(SIG, "MD5withRSA",    P11Signature,
-@@ -770,6 +849,14 @@ public final class SunPKCS11 extends AuthProvider {
-                 m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         dA(SIG, "SHA512withRSA", P11Signature,
+@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider {
+         d(SIG, "SHA512withRSA", P11Signature,
+                 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
                 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        dA(SIG, "SHA3-224withRSA", P11Signature,
+        d(SIG, "SHA3-224withRSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"),
 +                m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        dA(SIG, "SHA3-256withRSA", P11Signature,
+        d(SIG, "SHA3-256withRSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"),
 +                m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        dA(SIG, "SHA3-384withRSA", P11Signature,
+        d(SIG, "SHA3-384withRSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"),
 +                m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        dA(SIG, "SHA3-512withRSA", P11Signature,
+        d(SIG, "SHA3-512withRSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"),
 +                m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         dA(SIG, "RSASSA-PSS", P11PSSSignature,
+         d(SIG, "RSASSA-PSS", P11PSSSignature,
+                 s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"),
                 m(CKM_RSA_PKCS_PSS));
-         d(SIG, "SHA1withRSASSA-PSS", P11PSSSignature,
-@@ -782,6 +869,14 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider {
                 m(CKM_SHA384_RSA_PKCS_PSS));
         d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature,
                 m(CKM_SHA512_RSA_PKCS_PSS));
@ -1153,7 +1189,7 @@ index ffbd671246..d191831dab 100644
         d(KG, "SunTlsRsaPremasterSecret",
                     "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
-index e077943bbc..cb04b95304 100644
+index e077943bbc2..cb04b95304d 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
@@ -1,5 +1,5 @@
@ -1179,7 +1215,7 @@ index e077943bbc..cb04b95304 100644
 
 diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
 new file mode 100644
-index 0000000000..d6707028d9
+index 00000000000..d6707028d96
 --- /dev/null
 +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
@@ -0,0 +1,84 @@
@ -1268,7 +1304,7 @@ index 0000000000..d6707028d9
 +    }
 +}
 diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
-index b61d10beec..78b7d857e8 100644
+index b61d10beece..78b7d857e8e 100644
 --- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
 +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
@@ -23,7 +23,7 @@
@ -1300,7 +1336,7 @@ index b61d10beec..78b7d857e8 100644
             test("ARCFOUR", 1024, p, TestResult.TBD);
         } else if (p.getName().equals("SunPKCS11-NSS")) {
 diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
-index 59af327c1f..64c42a6dd0 100644
+index 59af327c1f2..64c42a6dd06 100644
 --- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
 +++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
@@ -23,7 +23,7 @@
@ -1385,7 +1421,7 @@ index 59af327c1f..64c42a6dd0 100644
 
         mac.reset();
 diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
-index 5cad885984..7e045232e3 100644
+index 5cad8859840..7e045232e3a 100644
 --- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
 +++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
@@ -1,5 +1,5 @@
@ -1478,7 +1514,7 @@ index 5cad885984..7e045232e3 100644
     }
 }
 diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
-index 7ced00630c..a7a72e8ea3 100644
+index 7ced00630cc..a7a72e8ea3d 100644
 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
 +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
@@ -1,5 +1,5 @@
@ -1538,7 +1574,7 @@ index 7ced00630c..a7a72e8ea3 100644
         byte[] d1 = md.digest(data);
 
 diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
-index ea7909bc39..268f698276 100644
+index ea7909bc397..268f698276b 100644
 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
 +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
@@ -1,5 +1,5 @@
@ -1619,7 +1655,7 @@ index ea7909bc39..268f698276 100644
 
     private static void check(byte[] d1, byte[] d2) throws Exception {
 diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
-index b931c8564b..ace601c723 100644
+index b931c8564b2..ace601c7233 100644
 --- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
 +++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
@@ -1,5 +1,5 @@
@ -1708,7 +1744,7 @@ index b931c8564b..ace601c723 100644
         MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
 
 diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
-index 26eeacffed..f5de994779 100644
+index 26eeacffed9..f5de994779c 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
@@ -23,7 +23,7 @@
@ -1734,7 +1770,7 @@ index 26eeacffed..f5de994779 100644
         sig.update(t);
         byte[] signature = sig.sign();
 diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
-index ccd66599fb..a2fa729497 100644
+index ccd66599fb0..a2fa7294977 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
@@ -1,5 +1,5 @@
@ -1780,7 +1816,7 @@ index ccd66599fb..a2fa729497 100644
         PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1",
             new MGF1ParameterSpec("SHA-256"), 32,
 diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
-index 2e4fedbf1d..f1c0492b5f 100644
+index 2e4fedbf1d5..f1c0492b5fc 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
@@ -1,5 +1,5 @@
@ -1874,7 +1910,7 @@ index 2e4fedbf1d..f1c0492b5f 100644
         System.out.println("test#4: pass");
     }
 diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
-index 42ca7fa203..8c132ca7e4 100644
+index 42ca7fa203d..8c132ca7e4f 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
@@ -23,312 +23,13 @@
@ -2206,7 +2242,7 @@ index 42ca7fa203..8c132ca7e4 100644
         new Random().nextBytes(data);
         sig.initSign(privateKey);
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
-index 3c3edb5aa6..1114702277 100644
+index 3c3edb5aa6a..11147022771 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
@@ -1,5 +1,5 @@
@ -2227,7 +2263,7 @@ index 3c3edb5aa6..1114702277 100644
  * @library /test/lib ..
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
 new file mode 100644
-index 0000000000..b8ea986332
+index 00000000000..b8ea9863327
 --- /dev/null
 +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
@@ -0,0 +1,98 @@
@ -2330,7 +2366,7 @@ index 0000000000..b8ea986332
 +    }
 +}
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
-index 3a6dbe345e..4c1f7284bb 100644
+index 3a6dbe345e9..4c1f7284bbc 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
@@ -1,5 +1,5 @@
@ -2388,7 +2424,7 @@ index 3a6dbe345e..4c1f7284bb 100644
             hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1);
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
 new file mode 100644
-index 0000000000..516b17972e
+index 00000000000..516b17972e5
 --- /dev/null
 +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
@@ -0,0 +1,140 @@
@ -2533,7 +2569,7 @@ index 0000000000..516b17972e
 +    }
 +}
 diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
-index 222f8a2a5e..3161de6fc5 100644
+index 222f8a2a5ed..3161de6fc50 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
@@ -1,5 +1,5 @@
@ -2628,7 +2664,7 @@ index 222f8a2a5e..3161de6fc5 100644
     }
 }
 diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
-index f469ca17b6..7e5a012a5e 100644
+index f469ca17b65..7e5a012a5ec 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
@@ -22,8 +22,8 @@
@ -2661,7 +2697,7 @@ index f469ca17b6..7e5a012a5e 100644
         kpg.initialize(512);
         KeyPair kp = kpg.generateKeyPair();
 diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
-index 49778ea954..576b1dc4d6 100644
+index 49778ea954c..576b1dc4d69 100644
 --- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
 +++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
@@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib}
--- a/jdk8243210-npe_in_clhsdbscanoops.patch
+++ b/jdk8243210-npe_in_clhsdbscanoops.patch
@ -0,0 +1,23 @@
+commit 9d15f3e6537bf7a5ba081b2a6b7339a601ab7ba5
+Author: Thomas Stuefe <stuefe@openjdk.org>
+Date:   Mon Aug 7 18:13:43 2023 +0000
+
+    8243210: ClhsdbScanOops fails with NullPointerException in FileMapHeader.inCopiedVtableSpace
+    
+    Reviewed-by: clanger
+    Backport-of: 7f634155b5c4b9f07ab73ceb4c6042ac10dad65e
+
+diff --git a/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/memory/FileMapInfo.java b/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/memory/FileMapInfo.java
+index 307598f47f..ef8258525d 100644
+--- a/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/memory/FileMapInfo.java
+++ b/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/memory/FileMapInfo.java
+@@ -121,6 +121,9 @@ public class FileMapInfo {
+     }
+ 
+     public boolean inCopiedVtableSpace(Address vptrAddress) {
+      if (vptrAddress == null) {
+        return false;
+      }
+       if (vptrAddress.greaterThan(mdRegionBaseAddress) &&
+           vptrAddress.lessThanOrEqual(mdRegionEndAddress)) {
+         return true;
--- a/jdk8312489-max_sig_default_increase.patch
+++ b/jdk8312489-max_sig_default_increase.patch
@ -0,0 +1,50 @@
+commit 50074a04e62f91faa080b831d9ce343396ead252
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Tue Sep 5 20:48:42 2023 +0000
+
+    8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+    
+    Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750
+
+diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java
+index cb7e308e0d..cce897c0d3 100644
+--- a/src/java.base/share/classes/java/util/jar/JarFile.java
+++ b/src/java.base/share/classes/java/util/jar/JarFile.java
+@@ -809,7 +809,9 @@ class JarFile extends ZipFile {
+                 throw new IOException("Unsupported size: " + uncompressedSize +
+                         " for JarEntry " + ze.getName() +
+                         ". Allowed max size: " +
+-                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes");
+                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " +
+                        "You can use the jdk.jar.maxSignatureFileSize " +
+                        "system property to increase the default value.");
+             }
+             int len = (int)uncompressedSize;
+             int bytesRead;
+diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
+index cb477fc134..a766b8249f 100644
+--- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
+++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
+@@ -852,16 +852,16 @@ public class SignatureFileVerifier {
+          * the maximum allowed number of bytes for the signature-related files
+          * in a JAR file.
+          */
+-        Integer tmp = GetIntegerAction.privilegedGetProperty(
+-                "jdk.jar.maxSignatureFileSize", 8000000);
+        int tmp = GetIntegerAction.privilegedGetProperty(
+                "jdk.jar.maxSignatureFileSize", 16000000);
+         if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
+             if (debug != null) {
+-                debug.println("Default signature file size 8000000 bytes " +
+-                        "is used as the specified size for the " +
+-                        "jdk.jar.maxSignatureFileSize system property " +
+                debug.println("The default signature file size of 16000000 bytes " +
+                        "will be used for the jdk.jar.maxSignatureFileSize " +
+                        "system property since the specified value " +
+                         "is out of range: " + tmp);
+             }
+-            tmp = 8000000;
+            tmp = 16000000;
+         }
+         return tmp;
+     }
--- a/SOURCES/nss.cfg.in
+++ b/SOURCES/nss.cfg.in
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
--- a/openjdk_news.sh
+++ b/openjdk_news.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew@redhat.com>, 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+REPO=$3
+SUBDIR=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+    echo "No subdirectory specified; using .";
+    SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+    echo "No repository specified; using ${PWD}"
+    REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+    TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+    TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+    TYPE=hg;
+else
+    echo "No Mercurial or Git repository detected.";
+    exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+    echo "ERROR: Need to specify old and new release";
+    exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+    if test "x$TYPE" = "xhg"; then
+	hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+	    egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])#  - JDK-\1#'| \
+	    sed 's#^[o:| ]*summary:\W*#  - #' >> ${TMPDIR}/fixes2;
+	hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+	    egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})#  - JDK-\1#' >> ${TMPDIR}/fixes3;
+    else
+	git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+	    sed -r 's#^([0-9])#  - JDK-\1#' >> ${TMPDIR}/fixes2;
+	touch ${TMPDIR}/fixes3 ; # unused
+    fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
--- a/SOURCES/remove-intree-libraries.sh
+++ b/SOURCES/remove-intree-libraries.sh
--- a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
--- a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
--- a/SOURCES/rh1750419-redhat_alt_java.patch
+++ b/SOURCES/rh1750419-redhat_alt_java.patch
--- a/SOURCES/rh1842572-rsa_default_for_keytool.patch
+++ b/SOURCES/rh1842572-rsa_default_for_keytool.patch
--- a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
+SHA512 (openjdk-jdk11u-jdk-11.0.20.1+1-4curve.tar.xz) = 99b57227c4a0bdfa3f44ccef653608a71ab2a8c6bfa01975cbcf915a07ffc59785297f72fe6a27ed226bfac2a33a8821ac1cf5d0600c4d6b1d7790cf42608ca7
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,21 @@
+---
+- hosts: localhost
+  roles:
+  - role: standard-test-source
+    tags:
+    - always
+  - role: standard-test-basic
+    tags:
+    - classic
+    - atomic
+    required_packages:
+    - java-11-openjdk-devel
+    tests:
+      - javaVersion1:
+          dir: ~
+          run: set -ex; useradd franta1;  su franta1 -c 'java -version';
+          run: set -ex; useradd franta4;  su franta4 -c 'javac -version';
+          run: ls -l /usr/lib/jvm;
+      - javaVersion2:
+          dir: ~
+          run: set -ex; useradd franta2;  su franta2 -c 'java --version'
--- a/update_package.sh
+++ b/update_package.sh
@ -0,0 +1,42 @@
+#!/bin/bash -x
+#  this file contains defaults for currently generated source tarballs
+
+set -e
+
+# OpenJDK from Shenandoah project
+export PROJECT_NAME="shenandoah"
+export REPO_NAME="jdk11"
+# warning, clonning without shenadnaoh prefix, you will clone pure jdk - thus without shenandaoh GC
+export VERSION="shenandoah-jdk-11.0.3+7"
+export COMPRESSION=xz
+# unset tapsets overrides
+export OPENJDK_URL=""
+export TO_COMPRESS=""
+# warning, filename  and filenameroot creation is duplicated here from generate_source_tarball.sh
+export FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+FILENAME=${FILE_NAME_ROOT}.tar.${COMPRESSION}
+
+if [ ! -f ${FILENAME} ] ; then
+echo "Generating ${FILENAME}"
+  sh ./generate_source_tarball.sh
+else 
+  echo "exists exists exists exists exists exists exists "
+  echo "reusing reusing reusing reusing reusing reusing "
+  echo ${FILENAME}
+fi
+
+set +e
+
+major=`echo $REPO_NAME | sed 's/[a-zA-Z]*//g'`
+build=`echo $VERSION | sed 's/.*+//g'`
+name_helper=`echo $FILENAME | sed s/$major/'%{majorver}'/g `
+name_helper=`echo $name_helper | sed s/$build/'%{buildver}'/g `
+echo "align specfile acordingly:" 
+echo " sed 's/^Source0:.*/Source0: $name_helper/' -i *.spec"
+echo " sed 's/^Source8:.*/Source8: $TAPSET/'   -i *.spec"
+echo " sed 's/^%global buildver.*/%global buildver        $build/'   -i *.spec"
+echo " sed 's/Release:.*/Release: 1%{?dist}/'   -i *.spec"
+echo "and maybe others...."
+echo "you should fedpkg/rhpkg new-sources $TAPSET $FILENAME"
+echo "you should fedpkg/rhpkg prep --arch XXXX on all architectures: x86_64 i386 i586 i686 ppc ppc64 ppc64le s390 s390x aarch64 armv7hl"
+