import UBI java-11-openjdk-11.0.23.0.9-3.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk11u-jdk-11.0.20+8-4curve.tar.xz
+SOURCES/openjdk-jdk11u-jdk-11.0.23+9.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-11-openjdk.metadata

@@ -1,2 +1,2 @@
-27b1851203504050481d9a2c7b07a3bc39f23908 SOURCES/openjdk-jdk11u-jdk-11.0.20+8-4curve.tar.xz
+db99bc0a0912f824db1043d18b199c154d57bb5b SOURCES/openjdk-jdk11u-jdk-11.0.23+9.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/fips-11u-f93a863b56.patch

@@ -89,7 +89,7 @@ index 3787b12600..dab108a82b 100644
  LCMS_CFLAGS:=@LCMS_CFLAGS@
  LCMS_LIBS:=@LCMS_LIBS@
 diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
-index 4cd656a086..e1fc94b5b4 100644
+index b40d3114b9..0d1d83cf3e 100644
 --- a/make/lib/Lib-java.base.gmk
 +++ b/make/lib/Lib-java.base.gmk
 @@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true)
@@ -401,7 +401,7 @@ index 0000000000..8dcb7d9073
 +    }
 +}
 diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index b36510a376..ad5182e1e7 100644
+index 5b9552058b..b46de49211 100644
 --- a/src/java.base/share/classes/java/security/Security.java
 +++ b/src/java.base/share/classes/java/security/Security.java
 @@ -32,6 +32,7 @@ import java.net.URL;
@@ -412,16 +412,17 @@ index b36510a376..ad5182e1e7 100644
  import jdk.internal.misc.SharedSecrets;
  import jdk.internal.util.StaticProperty;
  import sun.security.util.Debug;
-@@ -47,12 +48,20 @@ import sun.security.jca.*;
+@@ -47,6 +48,9 @@ import sun.security.jca.*;
   * implementation-specific location, which is typically the properties file
   * {@code conf/security/java.security} in the Java installation directory.
   *
 + * <p>Additional default values of security properties are read from a
 + * system-specific location, if available.</p>
 + *
-  * @author Benjamin Renaud
-  * @since 1.1
-  */
+  * @implNote If the properties file fails to load, the JDK implementation will
+  * throw an unspecified error when initializing the {@code Security} class.
+  *
+@@ -56,6 +60,11 @@ import sun.security.jca.*;
  
  public final class Security {
  
@@ -433,7 +434,7 @@ index b36510a376..ad5182e1e7 100644
      /* Are we debugging? -- for developers */
      private static final Debug sdebug =
                          Debug.getInstance("properties");
-@@ -67,6 +76,19 @@ public final class Security {
+@@ -70,6 +79,19 @@ public final class Security {
      }
  
      static {
@@ -453,26 +454,19 @@ index b36510a376..ad5182e1e7 100644
          // doPrivileged here because there are multiple
          // things in initialize that might require privs.
          // (the FileInputStream call and the File.exists call,
-@@ -83,6 +105,7 @@ public final class Security {
+@@ -85,6 +107,7 @@ public final class Security {
+     private static void initialize() {
          props = new Properties();
-         boolean loadedProps = false;
          boolean overrideAll = false;
 +        boolean systemSecPropsEnabled = false;
  
          // first load the system properties file
          // to determine the value of security.overridePropertiesFile
-@@ -98,6 +121,7 @@ public final class Security {
-                 if (sdebug != null) {
-                     sdebug.println("reading security properties file: " +
-                                 propFile);
-+                    sdebug.println(props.toString());
-                 }
-             } catch (IOException e) {
-                 if (sdebug != null) {
-@@ -192,6 +216,61 @@ public final class Security {
+@@ -105,9 +128,63 @@ public final class Security {
              }
+             loadProps(null, extraPropFile, overrideAll);
          }
- 
++
 +        boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
 +        boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
 +        if (sdebug != null) {
@@ -492,9 +486,7 @@ index b36510a376..ad5182e1e7 100644
 +            }
 +        }
 +
-+        // FIPS support depends on the contents of java.security so
-+        // ensure it has loaded first
-+        if (loadedProps && systemSecPropsEnabled) {
++        if (systemSecPropsEnabled) {
 +            boolean shouldEnable;
 +            String sysProp = System.getProperty("com.redhat.fips");
 +            if (sysProp == null) {
@@ -530,15 +522,19 @@ index b36510a376..ad5182e1e7 100644
 +        }
      }
  
-     /*
+-    private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
++    static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
+         InputStream is = null;
+         try {
+             if (masterFile != null && masterFile.exists()) {
 diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
 new file mode 100644
-index 0000000000..90f6dd2ebc
+index 0000000000..49bf17ea17
 --- /dev/null
 +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,231 @@
 +/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ * Copyright (c) 2019, 2023, Red Hat, Inc.
 + *
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 + *
@@ -616,26 +612,9 @@ index 0000000000..90f6dd2ebc
 +     * security.useSystemPropertiesFile is true.
 +     */
 +    static boolean configureSysProps(Properties props) {
-+        boolean systemSecPropsLoaded = false;
-+
-+        try (BufferedInputStream bis =
-+                new BufferedInputStream(
-+                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+            props.load(bis);
-+            systemSecPropsLoaded = true;
-+            if (sdebug != null) {
-+                sdebug.println("reading system security properties file " +
-+                        CRYPTO_POLICIES_JAVA_CONFIG);
-+                sdebug.println(props.toString());
-+            }
-+        } catch (IOException e) {
-+            if (sdebug != null) {
-+                sdebug.println("unable to load security properties from " +
-+                        CRYPTO_POLICIES_JAVA_CONFIG);
-+                e.printStackTrace();
-+            }
-+        }
-+        return systemSecPropsLoaded;
++        // now load the system file, if it exists, so its values
++        // will win if they conflict with the earlier values
++        return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
 +    }
 +
 +    /*
@@ -1035,7 +1014,7 @@ index e06b2a588c..315a2ce370 100644
                          candidates = new ProtocolVersion[] {
                              ProtocolVersion.TLS13,
 diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index c50ba93ecf..de2a91a478 100644
+index 2a2b5d7568..891796f19b 100644
 --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
 +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
 @@ -27,6 +27,8 @@ package sun.security.ssl;
@@ -1046,7 +1025,7 @@ index c50ba93ecf..de2a91a478 100644
 +import jdk.internal.misc.SharedSecrets;
  import sun.security.rsa.SunRsaSignEntries;
  import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.provider.SunEntries.createAliases;
+ import static sun.security.util.SecurityProviderConstants.*;
 @@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider {
              "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
          ps("SSLContext", "TLSv1.2",
@@ -1062,12 +1041,12 @@ index c50ba93ecf..de2a91a478 100644
 +        }
          ps("SSLContext", "TLS",
              "sun.security.ssl.SSLContextImpl$TLSContext",
-             (isfips? null : createAliases("SSL")), null);
+             (isfips? null : List.of("SSL")), null);
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 9af64321c4..957cd78a55 100644
+index c0eed3f884..b03bd9f896 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
-@@ -85,6 +85,14 @@ security.provider.tbd=Apple
+@@ -88,6 +88,14 @@ security.provider.tbd=Apple
  security.provider.tbd=SunPKCS11
  #endif
  
@@ -1082,7 +1061,7 @@ index 9af64321c4..957cd78a55 100644
  #
  # A list of preferred providers for specific algorithms. These providers will
  # be searched for matching algorithms before the list of registered providers.
-@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false
+@@ -301,6 +309,11 @@ policy.ignoreIdentityScope=false
  #
  keystore.type=pkcs12
  
@@ -1094,7 +1073,7 @@ index 9af64321c4..957cd78a55 100644
  #
  # Controls compatibility mode for JKS and PKCS12 keystore types.
  #
-@@ -335,6 +348,13 @@ package.definition=sun.misc.,\
+@@ -338,6 +351,13 @@ package.definition=sun.misc.,\
  #
  security.overridePropertiesFile=true
  
@@ -1405,7 +1384,7 @@ index 0000000000..b848a1fd78
 +    }
 +}
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index cf7cd19b68..69cda46f85 100644
+index ffbd671246..bdaad67e06 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 @@ -26,6 +26,9 @@
@@ -1427,7 +1406,7 @@ index cf7cd19b68..69cda46f85 100644
  import sun.security.util.Debug;
  import sun.security.util.ResourcesMgr;
  import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+@@ -61,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
   */
  public final class SunPKCS11 extends AuthProvider {
  
@@ -1457,7 +1436,7 @@ index cf7cd19b68..69cda46f85 100644
      private static final long serialVersionUID = -1354835039035306505L;
  
      static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -318,10 +346,15 @@ public final class SunPKCS11 extends AuthProvider {
              // request multithreaded access first
              initArgs.flags = CKF_OS_LOCKING_OK;
              PKCS11 tmpPKCS11;
@@ -1474,7 +1453,7 @@ index cf7cd19b68..69cda46f85 100644
              } catch (PKCS11Exception e) {
                  if (debug != null) {
                      debug.println("Multi-threaded initialization failed: " + e);
-@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -337,7 +370,7 @@ public final class SunPKCS11 extends AuthProvider {
                      initArgs.flags = 0;
                  }
                  tmpPKCS11 = PKCS11.getInstance(library,
@@ -1483,7 +1462,7 @@ index cf7cd19b68..69cda46f85 100644
              }
              p11 = tmpPKCS11;
  
-@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -377,6 +410,24 @@ public final class SunPKCS11 extends AuthProvider {
              if (nssModule != null) {
                  nssModule.setProvider(this);
              }

SOURCES/java-11-openjdk-portable.specfile

@@ -339,7 +339,7 @@
 # New Version-String scheme-style defines
 %global featurever 11
 %global interimver 0
-%global updatever 20
+%global updatever 23
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -367,7 +367,7 @@
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{component}&version=%{fedora}
 %else
 %if 0%{?rhel}
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{component}
+%global oj_vendor_bug_url https://access.redhat.com/support/cases/
 %else
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
 %endif
@@ -378,15 +378,22 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver b34fb09a5c
+%global fipsver f93a863b56
+# Define JDK versions
+%global javaver         %{featurever}
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
 
 # Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
-%global top_level_dir_name   %{origin}
+%global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        8
-%global rpmrelease      1
+%global buildver        9
+%global rpmrelease      2
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -400,15 +407,6 @@
 # for techpreview, using 1, so slowdebugs can have 0
 %global priority %( printf '%08d' 1 )
 %endif
-%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-
-# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
-%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
-
-# The tag used to create the OpenJDK tarball
-%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
-
-%global javaver         %{featurever}
 
 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
@@ -568,12 +566,12 @@ URL:      http://openjdk.java.net/
 
 # to regenerate source0 (jdk) run update_package.sh
 # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
 
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
 # Systemtap tapsets. Zipped up to keep it small.
-Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
 
 # Desktop files. Adapted from IcedTea
 # Disabled in portables
@@ -671,14 +669,14 @@ Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
 # need to be reviewed & pushed to the appropriate
 # updates tree of OpenJDK.
 #############################################
-Patch2001: jdk8242332-rh2108712-sha3-sunpkcs11.patch
+Patch2002: jdk8242332-rh2108712-sha3-sunpkcs11.patch
 
 #############################################
 #
-# Patches appearing in 11.0.20
+# Patches appearing in 11.0.23
 #
 # This section includes patches which are present
-# in the listed OpenJDK 11u release and should be
+# in the listed OpenJDK 8u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
@@ -728,8 +726,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2023c required as of JDK-8305113
-BuildRequires: tzdata-java >= 2023c
+# 2024a required as of JDK-8325150
+# Use 2023d until 2024a is in the buildroot
+BuildRequires: tzdata-java >= 2023d
 # cacerts build requirement in portable mode
 BuildRequires: ca-certificates
 # Earlier versions have a bug in tree vectorization on PPC
@@ -749,17 +748,17 @@ BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.12.1
+Provides: bundled(freetype) = 2.13.2
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
 Provides: bundled(giflib) = 5.2.1
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 7.0.1
+Provides: bundled(harfbuzz) = 8.2.2
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.15.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
+Provides: bundled(libpng) = 1.6.40
 # We link statically against libstdc++ to increase portability
 BuildRequires: libstdc++-static
 %endif
@@ -956,11 +955,13 @@ pushd %{top_level_dir_name}
 # nss.cfg PKCS11 support; must come last as it also alters java.security
 %patch1000 -p1
 # PKCS11 SHA3 backport
-%patch2001 -p1
+%patch2002 -p1
+# alt-java
+%patch600 -p1
+# RSA default
+%patch1003 -p1
 popd # openjdk
 
-%patch600
-%patch1003
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -1062,9 +1063,6 @@ function buildjdk() {
     bash ${top_dir_abs_src_path}/configure \
 %ifarch %{zero_arches}
     --with-jvm-variants=zero \
-%endif
-%ifarch %{ppc64le}
-    --with-jobs=1 \
 %endif
     --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts`  \
     --with-version-build=%{buildver} \
@@ -1648,6 +1646,70 @@ done
 %{_jvmdir}/%{miscportablearchive}.sha256sum
 
 %changelog
+* Thu Apr 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.23.0.9-2
+- Fix 11.0.22 release date in NEWS
+
+* Wed Apr 10 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.23.0.9-1
+- Update to jdk-11.0.23+9 (GA)
+- Update release notes to 11.0.23+9
+- Switch to GA mode for release
+- Require tzdata 2024a due to upstream inclusion of JDK-8322725
+- Only require tzdata 2023d for now as 2024a is unavailable in buildroot
+- Speed up PPC build by removing ppc64le --with-jobs=1 workaround
+- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. **
+
+* Thu Mar 21 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.23.0.1-0.1.ea
+- Update to jdk-11.0.23+1 (EA)
+- Update release notes to 11.0.23+1
+- Switch to EA mode
+
+* Wed Jan 10 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.7-1
+- Update to jdk-11.0.22+7 (GA)
+- Update release notes to 11.0.22+7
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Mon Jan 08 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.6-0.1.ea
+- Update to jdk-11.0.22+6 (EA)
+- Update release notes to 11.0.22+6
+
+* Thu Jan 04 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.1-0.1.ea
+- Update to jdk-11.0.22+1 (EA)
+- Update release notes to 11.0.22+1
+- Switch to EA mode
+- Drop local copy of JDK-8312489 which is now included upstream
+
+* Wed Oct 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.21.0.9-1
+- Update to jdk-11.0.21+9 (GA)
+- Update release notes to 11.0.21+9
+- Switch to GA mode for release
+- Drop local backport of JDK-8243210 which is upstream from 11.0.21+2
+- Bump freetype version to 2.13.0 following JDK-8306881
+- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
+
+* Thu Oct 05 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.21.0.1-0.1.ea
+- Update to jdk-11.0.21+1 (EA)
+- Update release notes to 11.0.21+1
+- Switch to EA mode
+- Re-generate FIPS patch against 11.0.21+1 following backport of JDK-8155246
+- Re-generate SHA3 patch following backport of JDK-8242151
+- Bump libpng version to 1.6.39 following JDK-8305815
+- Bump HarfBuzz version to 7.2.0 following JDK-8307301
+- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Apply all patches using -p1
+
+* Tue Sep 05 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.1.1-1
+- Update to jdk-11.0.20.1+1 (GA)
+- Update release notes to 11.0.20.1+1
+- Add backport of JDK-8312489 already upstream in 11.0.22 (see OPENJDK-2095)
+- Add backport of JDK-8243210 already upstream in 11.0.21 (see RH2229269)
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+- Update README.md to match the version in later RHEL releases
+- Resolves: rhbz#2236589
+
 * Fri Jul 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.0.8-1
 - Update to jdk-11.0.20.0+8 (GA)
 - Update release notes to 11.0.20.0+8

SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch

@@ -1,11 +1,11 @@
-commit 81c2107a9188680f7c35ebc7697b292d5972436e
+commit b8711800e3cd9132ad2b195c82cf816210feb77d
 Author: Andrew Hughes <gnu.andrew@redhat.com>
-Date:   Mon Feb 27 13:22:43 2023 +0000
+Date:   Thu Oct 5 03:13:01 2023 +0100
 
     Backport 78be334c3817a1b5840922a9bf1339a40dcc5185
 
 diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
-index 92ecb9adc0c..a5848c96aad 100644
+index b5cc3b05f1..7e235c90dd 100644
 --- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java
 +++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
 @@ -155,6 +155,14 @@ public enum KnownOIDs {
@@ -24,7 +24,7 @@ index 92ecb9adc0c..a5848c96aad 100644
      SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"),
      SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"),
 diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
-index 32c089fd96d..7d5c0c7e299 100644
+index 32c089fd96..7d5c0c7e29 100644
 --- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java
 +++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
 @@ -168,4 +168,22 @@ public class SignatureUtil {
@@ -51,7 +51,7 @@ index 32c089fd96d..7d5c0c7e299 100644
 +    }
  }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
-index 41fe61b8a16..daf0bc9f69c 100644
+index 41fe61b8a1..daf0bc9f69 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
 @@ -1,5 +1,5 @@
@@ -93,7 +93,7 @@ index 41fe61b8a16..daf0bc9f69c 100644
              break;
          default:
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
-index 926414608cb..f343e6025e1 100644
+index 926414608c..f343e6025e 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
 @@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -428,7 +428,7 @@ index 926414608cb..f343e6025e1 100644
 -
  }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
-index c88e4a6ace5..29b26651c39 100644
+index c88e4a6ace..29b26651c3 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
 @@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -465,7 +465,7 @@ index c88e4a6ace5..29b26651c39 100644
              break;
          case (int)CKM_SSL3_MD5_MAC:
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
-index 26eaa4735f1..905b6ea9562 100644
+index 1419be3754..18e00a544b 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
 @@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec;
@@ -738,7 +738,7 @@ index 26eaa4735f1..905b6ea9562 100644
  
      // see JCA spec
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
-index e3af106d05a..e49edf32c29 100644
+index e3af106d05..e49edf32c2 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
 @@ -51,8 +51,15 @@ import sun.security.util.KeyUtil;
@@ -970,111 +970,88 @@ index e3af106d05a..e49edf32c29 100644
  //      return RSASignature.decodeSignature(digestOID, signature);
  //    }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index cf7cd19b689..7a8bcffb92c 100644
+index ffbd671246..d191831dab 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider {
-         d(MD, "SHA-512/256",        P11Digest,
-                 s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"),
+@@ -546,6 +546,14 @@ public final class SunPKCS11 extends AuthProvider {
+                 m(CKM_SHA512_224));
+         dA(MD, "SHA-512/256",        P11Digest,
                  m(CKM_SHA512_256));
-+        d(MD, "SHA3-224",        P11Digest,
-+	        s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"),
++        dA(MD, "SHA3-224",        P11Digest,
 +                m(CKM_SHA3_224));
-+        d(MD, "SHA3-256",        P11Digest,
-+	        s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"),
++        dA(MD, "SHA3-256",        P11Digest,
 +                m(CKM_SHA3_256));
-+        d(MD, "SHA3-384",        P11Digest,
-+	        s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"),
++        dA(MD, "SHA3-384",        P11Digest,
 +                m(CKM_SHA3_384));
-+        d(MD, "SHA3-512",        P11Digest,
-+	        s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"),
++        dA(MD, "SHA3-512",        P11Digest,
 +                m(CKM_SHA3_512));
  
          d(MAC, "HmacMD5",       P11MAC,
                  m(CKM_MD5_HMAC));
-@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider {
-         d(MAC, "HmacSHA512/256",    P11MAC,
-                 s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
+@@ -563,7 +571,14 @@ public final class SunPKCS11 extends AuthProvider {
+                 m(CKM_SHA512_224_HMAC));
+         dA(MAC, "HmacSHA512/256",    P11MAC,
                  m(CKM_SHA512_256_HMAC));
 -
-+        d(MAC, "HmacSHA3-224",    P11MAC,
-+                s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
++        dA(MAC, "HmacSHA3-224",    P11MAC,
 +                m(CKM_SHA3_224_HMAC));
-+        d(MAC, "HmacSHA3-256",    P11MAC,
-+                s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
++        dA(MAC, "HmacSHA3-256",    P11MAC,
 +                m(CKM_SHA3_256_HMAC));
-+        d(MAC, "HmacSHA3-384",    P11MAC,
-+                s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
++        dA(MAC, "HmacSHA3-384",    P11MAC,
 +                m(CKM_SHA3_384_HMAC));
-+        d(MAC, "HmacSHA3-512",    P11MAC,
-+                s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
++        dA(MAC, "HmacSHA3-512",    P11MAC,
 +                m(CKM_SHA3_512_HMAC));
          d(MAC, "SslMacMD5",     P11MAC,
                  m(CKM_SSL3_MD5_MAC));
          d(MAC, "SslMacSHA1",    P11MAC,
-@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -595,6 +610,30 @@ public final class SunPKCS11 extends AuthProvider {
                  m(CKM_BLOWFISH_KEY_GEN));
          d(KG,  "ChaCha20",      P11KeyGenerator,
                  m(CKM_CHACHA20_KEY_GEN));
 +        d(KG,  "HmacMD5",      P11KeyGenerator, // 1.3.6.1.5.5.8.1.1
 +                m(CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA1",      P11KeyGenerator,
-+                s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"),
++        dA(KG,  "HmacSHA1",      P11KeyGenerator,
 +                m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA224",    P11KeyGenerator,
-+                s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"),
++        dA(KG,  "HmacSHA224",    P11KeyGenerator,
 +                m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA256",    P11KeyGenerator,
-+                s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"),
++        dA(KG,  "HmacSHA256",    P11KeyGenerator,
 +                m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA384",    P11KeyGenerator,
-+                s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"),
++        dA(KG,  "HmacSHA384",    P11KeyGenerator,
 +                m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA512",    P11KeyGenerator,
-+                s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
++        dA(KG,  "HmacSHA512",    P11KeyGenerator,
 +                m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA512/224",    P11KeyGenerator,
-+                s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"),
++        dA(KG,  "HmacSHA512/224",    P11KeyGenerator,
 +                m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA512/256",    P11KeyGenerator,
-+                s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
++        dA(KG,  "HmacSHA512/256",    P11KeyGenerator,
 +                m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA3-224",    P11KeyGenerator,
-+                s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
++        dA(KG,  "HmacSHA3-224",    P11KeyGenerator,
 +                m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA3-256",    P11KeyGenerator,
-+                s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
++        dA(KG,  "HmacSHA3-256",    P11KeyGenerator,
 +                m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA3-384",    P11KeyGenerator,
-+                s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
++        dA(KG,  "HmacSHA3-384",    P11KeyGenerator,
 +                m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
-+        d(KG,  "HmacSHA3-512",    P11KeyGenerator,
-+                s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
++        dA(KG,  "HmacSHA3-512",    P11KeyGenerator,
 +                m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
  
          // register (Secret)KeyFactories if there are any mechanisms
          // for a particular algorithm that we support
-@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider {
-         d(SIG, "SHA512withDSA", P11Signature,
-                 s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"),
+@@ -725,37 +764,77 @@ public final class SunPKCS11 extends AuthProvider {
+                 m(CKM_DSA_SHA384));
+         dA(SIG, "SHA512withDSA", P11Signature,
                  m(CKM_DSA_SHA512));
-+        d(SIG, "SHA3-224withDSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"),
++        dA(SIG, "SHA3-224withDSA", P11Signature,
 +                m(CKM_DSA_SHA3_224));
-+        d(SIG, "SHA3-256withDSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"),
++        dA(SIG, "SHA3-256withDSA", P11Signature,
 +                m(CKM_DSA_SHA3_256));
-+        d(SIG, "SHA3-384withDSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"),
++        dA(SIG, "SHA3-384withDSA", P11Signature,
 +                m(CKM_DSA_SHA3_384));
-+        d(SIG, "SHA3-512withDSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"),
++        dA(SIG, "SHA3-512withDSA", P11Signature,
 +                m(CKM_DSA_SHA3_512));
          d(SIG, "RawDSAinP1363Format",   P11Signature,
-                 s("NONEwithDSAinP1363Format"),
+                 List.of("NONEwithDSAinP1363Format"),
                  m(CKM_DSA));
          d(SIG, "DSAinP1363Format",      P11Signature,
-                 s("SHA1withDSAinP1363Format"),
+                 List.of("SHA1withDSAinP1363Format"),
                  m(CKM_DSA_SHA1, CKM_DSA));
 -
 +        d(SIG, "SHA224withDSAinP1363Format",      P11Signature,
@@ -1095,36 +1072,27 @@ index cf7cd19b689..7a8bcffb92c 100644
 +                m(CKM_DSA_SHA3_512));
          d(SIG, "NONEwithECDSA", P11Signature,
                  m(CKM_ECDSA));
-         d(SIG, "SHA1withECDSA", P11Signature,
-@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider {
+         dA(SIG, "SHA1withECDSA", P11Signature,
                  m(CKM_ECDSA_SHA1, CKM_ECDSA));
-         d(SIG, "SHA224withECDSA",       P11Signature,
-                 s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"),
+         dA(SIG, "SHA224withECDSA",       P11Signature,
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA224, CKM_ECDSA));
-         d(SIG, "SHA256withECDSA",       P11Signature,
-                 s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"),
+         dA(SIG, "SHA256withECDSA",       P11Signature,
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA256, CKM_ECDSA));
-         d(SIG, "SHA384withECDSA",       P11Signature,
-                 s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"),
+         dA(SIG, "SHA384withECDSA",       P11Signature,
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA384, CKM_ECDSA));
-         d(SIG, "SHA512withECDSA",       P11Signature,
-                 s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"),
+         dA(SIG, "SHA512withECDSA",       P11Signature,
 -                m(CKM_ECDSA));
 +                m(CKM_ECDSA_SHA512, CKM_ECDSA));
-+        d(SIG, "SHA3-224withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"),
++        dA(SIG, "SHA3-224withECDSA",       P11Signature,
 +                m(CKM_ECDSA_SHA3_224, CKM_ECDSA));
-+        d(SIG, "SHA3-256withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"),
++        dA(SIG, "SHA3-256withECDSA",       P11Signature,
 +                m(CKM_ECDSA_SHA3_256, CKM_ECDSA));
-+        d(SIG, "SHA3-384withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"),
++        dA(SIG, "SHA3-384withECDSA",       P11Signature,
 +                m(CKM_ECDSA_SHA3_384, CKM_ECDSA));
-+        d(SIG, "SHA3-512withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"),
++        dA(SIG, "SHA3-512withECDSA",       P11Signature,
 +                m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
          d(SIG, "NONEwithECDSAinP1363Format",   P11Signature,
                  m(CKM_ECDSA));
@@ -1151,29 +1119,25 @@ index cf7cd19b689..7a8bcffb92c 100644
 +        d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature,
 +                m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
 +
-         d(SIG, "MD2withRSA",    P11Signature,
-                 s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"),
+         dA(SIG, "MD2withRSA",    P11Signature,
                  m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider {
-         d(SIG, "SHA512withRSA", P11Signature,
-                 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
+         dA(SIG, "MD5withRSA",    P11Signature,
+@@ -770,6 +849,14 @@ public final class SunPKCS11 extends AuthProvider {
+                 m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+         dA(SIG, "SHA512withRSA", P11Signature,
                  m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        d(SIG, "SHA3-224withRSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"),
++        dA(SIG, "SHA3-224withRSA", P11Signature,
 +                m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        d(SIG, "SHA3-256withRSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"),
++        dA(SIG, "SHA3-256withRSA", P11Signature,
 +                m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        d(SIG, "SHA3-384withRSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"),
++        dA(SIG, "SHA3-384withRSA", P11Signature,
 +                m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        d(SIG, "SHA3-512withRSA", P11Signature,
-+                s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"),
++        dA(SIG, "SHA3-512withRSA", P11Signature,
 +                m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "RSASSA-PSS", P11PSSSignature,
-                 s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"),
+         dA(SIG, "RSASSA-PSS", P11PSSSignature,
                  m(CKM_RSA_PKCS_PSS));
-@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider {
+         d(SIG, "SHA1withRSASSA-PSS", P11PSSSignature,
+@@ -782,6 +869,14 @@ public final class SunPKCS11 extends AuthProvider {
                  m(CKM_SHA384_RSA_PKCS_PSS));
          d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature,
                  m(CKM_SHA512_RSA_PKCS_PSS));
@@ -1189,7 +1153,7 @@ index cf7cd19b689..7a8bcffb92c 100644
          d(KG, "SunTlsRsaPremasterSecret",
                      "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
-index e077943bbc2..cb04b95304d 100644
+index e077943bbc..cb04b95304 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
 @@ -1,5 +1,5 @@
@@ -1215,7 +1179,7 @@ index e077943bbc2..cb04b95304d 100644
  
 diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
 new file mode 100644
-index 00000000000..d6707028d96
+index 0000000000..d6707028d9
 --- /dev/null
 +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
 @@ -0,0 +1,84 @@
@@ -1304,7 +1268,7 @@ index 00000000000..d6707028d96
 +    }
 +}
 diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
-index b61d10beece..78b7d857e8e 100644
+index b61d10beec..78b7d857e8 100644
 --- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
 +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
 @@ -23,7 +23,7 @@
@@ -1336,7 +1300,7 @@ index b61d10beece..78b7d857e8e 100644
              test("ARCFOUR", 1024, p, TestResult.TBD);
          } else if (p.getName().equals("SunPKCS11-NSS")) {
 diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
-index 59af327c1f2..64c42a6dd06 100644
+index 59af327c1f..64c42a6dd0 100644
 --- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
 +++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
 @@ -23,7 +23,7 @@
@@ -1421,7 +1385,7 @@ index 59af327c1f2..64c42a6dd06 100644
  
          mac.reset();
 diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
-index 5cad8859840..7e045232e3a 100644
+index 5cad885984..7e045232e3 100644
 --- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
 +++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
 @@ -1,5 +1,5 @@
@@ -1514,7 +1478,7 @@ index 5cad8859840..7e045232e3a 100644
      }
  }
 diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
-index 7ced00630cc..a7a72e8ea3d 100644
+index 7ced00630c..a7a72e8ea3 100644
 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
 +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
 @@ -1,5 +1,5 @@
@@ -1574,7 +1538,7 @@ index 7ced00630cc..a7a72e8ea3d 100644
          byte[] d1 = md.digest(data);
  
 diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
-index ea7909bc397..268f698276b 100644
+index ea7909bc39..268f698276 100644
 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
 +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
 @@ -1,5 +1,5 @@
@@ -1655,7 +1619,7 @@ index ea7909bc397..268f698276b 100644
  
      private static void check(byte[] d1, byte[] d2) throws Exception {
 diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
-index b931c8564b2..ace601c7233 100644
+index b931c8564b..ace601c723 100644
 --- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
 +++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
 @@ -1,5 +1,5 @@
@@ -1744,7 +1708,7 @@ index b931c8564b2..ace601c7233 100644
          MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
  
 diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
-index 26eeacffed9..f5de994779c 100644
+index 26eeacffed..f5de994779 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
 @@ -23,7 +23,7 @@
@@ -1770,7 +1734,7 @@ index 26eeacffed9..f5de994779c 100644
          sig.update(t);
          byte[] signature = sig.sign();
 diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
-index ccd66599fb0..a2fa7294977 100644
+index ccd66599fb..a2fa729497 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
 @@ -1,5 +1,5 @@
@@ -1816,7 +1780,7 @@ index ccd66599fb0..a2fa7294977 100644
          PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1",
              new MGF1ParameterSpec("SHA-256"), 32,
 diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
-index 2e4fedbf1d5..f1c0492b5fc 100644
+index 2e4fedbf1d..f1c0492b5f 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
 @@ -1,5 +1,5 @@
@@ -1910,7 +1874,7 @@ index 2e4fedbf1d5..f1c0492b5fc 100644
          System.out.println("test#4: pass");
      }
 diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
-index 42ca7fa203d..8c132ca7e4f 100644
+index 42ca7fa203..8c132ca7e4 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
 @@ -23,312 +23,13 @@
@@ -2242,7 +2206,7 @@ index 42ca7fa203d..8c132ca7e4f 100644
          new Random().nextBytes(data);
          sig.initSign(privateKey);
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
-index 3c3edb5aa6a..11147022771 100644
+index 3c3edb5aa6..1114702277 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
 @@ -1,5 +1,5 @@
@@ -2263,7 +2227,7 @@ index 3c3edb5aa6a..11147022771 100644
   * @library /test/lib ..
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
 new file mode 100644
-index 00000000000..b8ea9863327
+index 0000000000..b8ea986332
 --- /dev/null
 +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
 @@ -0,0 +1,98 @@
@@ -2366,7 +2330,7 @@ index 00000000000..b8ea9863327
 +    }
 +}
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
-index 3a6dbe345e9..4c1f7284bbc 100644
+index 3a6dbe345e..4c1f7284bb 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
 @@ -1,5 +1,5 @@
@@ -2424,7 +2388,7 @@ index 3a6dbe345e9..4c1f7284bbc 100644
              hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1);
 diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
 new file mode 100644
-index 00000000000..516b17972e5
+index 0000000000..516b17972e
 --- /dev/null
 +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
 @@ -0,0 +1,140 @@
@@ -2569,7 +2533,7 @@ index 00000000000..516b17972e5
 +    }
 +}
 diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
-index 222f8a2a5ed..3161de6fc50 100644
+index 222f8a2a5e..3161de6fc5 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
 @@ -1,5 +1,5 @@
@@ -2664,7 +2628,7 @@ index 222f8a2a5ed..3161de6fc50 100644
      }
  }
 diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
-index f469ca17b65..7e5a012a5ec 100644
+index f469ca17b6..7e5a012a5e 100644
 --- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
 +++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
 @@ -22,8 +22,8 @@
@@ -2697,7 +2661,7 @@ index f469ca17b65..7e5a012a5ec 100644
          kpg.initialize(512);
          KeyPair kp = kpg.generateKeyPair();
 diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
-index 49778ea954c..576b1dc4d69 100644
+index 49778ea954..576b1dc4d6 100644
 --- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
 +++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
 @@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib}

SPECS/java-11-openjdk.spec

@@ -109,8 +109,7 @@
 # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
 %define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
 
-# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
-# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+# Indicates whether this is the default JDK on this version of RHEL
 %global is_system_jdk 0
 
 %global aarch64         aarch64 arm64 armv8
@@ -331,7 +330,7 @@
 # New Version-String scheme-style defines
 %global featurever 11
 %global interimver 0
-%global updatever 20
+%global updatever 23
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -359,7 +358,7 @@
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
 %else
 %if 0%{?rhel}
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%global oj_vendor_bug_url https://access.redhat.com/support/cases/
 %else
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
 %endif
@@ -370,17 +369,25 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver b34fb09a5c
+%global fipsver f93a863b56
+# Define JDK versions
+%global javaver         %{featurever}
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
 
 # Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
-%global top_level_dir_name   %{origin}
+%global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        8
-%global rpmrelease      2
+%global buildver        9
+# rpmrelease numbering must start at 2 to be later than the 8.6 RPM
+%global rpmrelease      3
 # Settings used by the portable build
-%global portablerelease 1
+%global portablerelease 2
 %global portablesuffix el8
 %global portablebuilddir /builddir/build/BUILD
 
@@ -394,18 +401,9 @@
 %global combiver $( expr 20 '*' %{patchver} + %{buildver} )
 %global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
 %else
-# for techpreview, using 1, so slowdebugs can have 0
+# for non-default, using 1, so slowdebugs can have 0
 %global priority %( printf '%08d' 1 )
 %endif
-%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-
-# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
-%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
-
-# The tag used to create the OpenJDK tarball
-%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
-
-%global javaver         %{featurever}
 
 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
@@ -564,6 +562,7 @@ alternatives \\
   --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
   --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
   --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+  --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
   --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
   --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
   --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\
@@ -574,6 +573,8 @@ alternatives \\
   %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
   %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+  %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\
   %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
@@ -673,7 +674,6 @@ alternatives \\
   --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
   --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
   --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
-  --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
   --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
   --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
   --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
@@ -700,8 +700,6 @@ alternatives \\
   %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
   %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
-  %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
   %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
@@ -839,6 +837,7 @@ exit 0
 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200
@@ -905,6 +904,7 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
 %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1*
@@ -950,10 +950,11 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
 %if %is_system_jdk
 %if %{is_release_build -- %{?1}}
+# RHEL-11313; alternatives not owned by packages
 %ghost %{_bindir}/java
-%ghost %{_bindir}/%{alt_java_name}
 %ghost %{_jvmdir}/jre
-# https://bugzilla.redhat.com/show_bug.cgi?id=1312019
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_bindir}/jcmd
 %ghost %{_bindir}/jjs
 %ghost %{_bindir}/keytool
 %ghost %{_bindir}/pack200
@@ -979,7 +980,6 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
@@ -1018,7 +1018,6 @@ exit 0
 %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
@@ -1038,9 +1037,9 @@ exit 0
 %endif
 %if %is_system_jdk
 %if %{is_release_build -- %{?1}}
+# RHEL-11313; alternatives not owned by packages
 %ghost %{_bindir}/javac
 %ghost %{_jvmdir}/java
-%ghost %{_jvmdir}/%{alt_java_name}
 %ghost %{_bindir}/jaotc
 %ghost %{_bindir}/jlink
 %ghost %{_bindir}/jmod
@@ -1049,11 +1048,11 @@ exit 0
 %ghost %{_bindir}/jarsigner
 %ghost %{_bindir}/javadoc
 %ghost %{_bindir}/javap
-%ghost %{_bindir}/jcmd
 %ghost %{_bindir}/jconsole
 %ghost %{_bindir}/jdb
 %ghost %{_bindir}/jdeps
 %ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jfr
 %ghost %{_bindir}/jimage
 %ghost %{_bindir}/jinfo
 %ghost %{_bindir}/jmap
@@ -1148,8 +1147,9 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release}
 Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
 Requires: javapackages-filesystem
-# 2023c required as of JDK-8305113
-BuildRequires: tzdata-java >= 2023c
+# 2024a required as of JDK-8325150
+# Use 2023d until 2024a is in the buildroot
+Requires: tzdata-java >= 2023d
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
@@ -1311,7 +1311,7 @@ URL:      http://openjdk.java.net/
 
 # to regenerate source0 (jdk) run update_package.sh
 # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
 
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
@@ -1424,14 +1424,14 @@ Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
 # need to be reviewed & pushed to the appropriate
 # updates tree of OpenJDK.
 #############################################
-Patch2001: jdk8242332-rh2108712-sha3-sunpkcs11.patch
+Patch2002: jdk8242332-rh2108712-sha3-sunpkcs11.patch
 
 #############################################
 #
-# Patches appearing in 11.0.20
+# Patches appearing in 11.0.23
 #
 # This section includes patches which are present
-# in the listed OpenJDK 11u release and should be
+# in the listed OpenJDK 8u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
@@ -1482,8 +1482,9 @@ BuildRequires: java-%{featurever}-openjdk-portable-misc = %{epoch}:%{version}-%{
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2023c required as of JDK-8305113
-BuildRequires: tzdata-java >= 2023c
+# 2024a required as of JDK-8325150
+# Use 2023d until 2024a is in the buildroot
+BuildRequires: tzdata-java >= 2023d
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
 
@@ -1501,17 +1502,17 @@ BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.12.1
+Provides: bundled(freetype) = 2.13.2
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
 Provides: bundled(giflib) = 5.2.1
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 7.0.1
+Provides: bundled(harfbuzz) = 8.2.2
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.15.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
+Provides: bundled(libpng) = 1.6.40
 %endif
 
 # this is always built, also during debug-only build
@@ -1864,11 +1865,13 @@ pushd %{top_level_dir_name}
 # nss.cfg PKCS11 support; must come last as it also alters java.security
 %patch1000 -p1
 # PKCS11 SHA3 backport
-%patch2001 -p1
+%patch2002 -p1
+# alt-java
+%patch600 -p1
+# RSA default
+%patch1003 -p1
 popd # openjdk
 
-%patch600
-%patch1003
 
 # Prepare desktop files
 # The _X_ syntax indicates variables that are replaced by make upstream
@@ -2489,6 +2492,69 @@ end
 %endif
 
 %changelog
+* Thu Apr 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.23.0.9-2
+- Fix 11.0.22 release date in NEWS
+
+* Wed Apr 10 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.23.0.9-1
+- Update to jdk-11.0.23+9 (GA)
+- Update release notes to 11.0.23+9
+- Switch to GA mode for release
+- Require tzdata 2024a due to upstream inclusion of JDK-8322725
+- Only require tzdata 2023d for now as 2024a is unavailable in buildroot
+- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. **
+- Resolves: RHEL-30917
+
+* Thu Mar 28 2024 Anton Bobrov <abobrov@redhat.com> - 1:11.0.23.0.1-0.1.ea
+- Update to jdk-11.0.23+1 (EA)
+- Update release notes to 11.0.23+1
+- Switch to EA mode
+
+* Wed Jan 10 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.22.0.7-1
+- Update to jdk-11.0.22+7 (GA)
+- Sync the copy of the portable specfile with the latest update
+- Drop local copy of JDK-8312489 which is now included upstream
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+- Resolves: RHEL-20981
+
+* Fri Oct 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.21.0.9-2
+- Update to jdk-11.0.21+9 (GA)
+- Sync the copy of the portable specfile with the latest update
+- Re-generate FIPS patch against 11.0.21+1 following backport of JDK-8155246
+- Re-generate SHA3 patch following backport of JDK-8242151
+- Bump libpng version to 1.6.39 following JDK-8305815
+- Bump HarfBuzz version to 7.2.0 following JDK-8307301
+- Bump freetype version to 2.13.0 following JDK-8306881
+- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Apply all patches using -p1
+- Drop local backport of JDK-8243210 which is upstream from 11.0.21+2
+- Add missing JFR alternative ghost
+- Move jcmd to the headless package
+- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
+- Resolves: RHEL-12222
+- Resolves: RHEL-13546
+- Resolves: RHEL-13553
+- Resolves: RHEL-13559
+- Resolves: RHEL-13566
+- Resolves: RHEL-13572
+
+* Fri Sep 08 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.1.1-2
+- Bump release number so we are newer than 8.6
+- Related: rhbz#2236589
+
+* Tue Sep 05 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.1.1-1
+- Update to jdk-11.0.20.1+1 (GA)
+- Add backport of JDK-8312489 already upstream in 11.0.22 (see OPENJDK-2095)
+- Add backport of JDK-8243210 already upstream in 11.0.21 (see RH2229269)
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+- Resolves: rhbz#2236589
+
+* Thu Jul 20 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.0.8-3
+- Fix tzdata requirement copy-and-paste error that led to two BuildRequires and no Requires
+- Resolves: rhbz#2224411
+
 * Sat Jul 15 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.20.0.8-2
 - Sync the copy of the portable specfile with the latest update
 - Add note at top of spec file about rebuilding