diff --git a/.gitignore b/.gitignore
index 04d7888..8a06098 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
+SOURCES/openjdk-jdk17u-jdk-17.0.7+7.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata
index 79c2f67..7e61954 100644
--- a/.java-17-openjdk.metadata
+++ b/.java-17-openjdk.metadata
@@ -1,2 +1,2 @@
-fc29dd4013a289be075afdcb29c8df29d1349c0d SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
+bc3222a9f338eeb1c03f2b95f429b954c5da3fa7 SOURCES/openjdk-jdk17u-jdk-17.0.7+7.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index e679dc1..8807249 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,10 +3,334 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.7 (2023-04-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1707 + +* CVEs + - CVE-2023-21930 + - CVE-2023-21937 + - CVE-2023-21938 + - CVE-2023-21939 + - CVE-2023-21954 + - CVE-2023-21967 + - CVE-2023-21968 +* Security fixes + - JDK-8287404: Improve ping times + - JDK-8288436: Improve Xalan supports + - JDK-8294474: Better AES support + - JDK-8295304: Runtime support improvements + - JDK-8296676, JDK-8296622: Improve String platform support + - JDK-8296684: Improve String platform support + - JDK-8296692: Improve String platform support + - JDK-8296832: Improve Swing platform support + - JDK-8297371: Improve UTF8 representation redux + - JDK-8298191: Enhance object reclamation process + - JDK-8298310: Enhance TLS session negotiation + - JDK-8298667: Improved path handling + - JDK-8299129: Enhance NameService lookups +* Other changes + - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion + - JDK-6779701: Wrong defect ID in the code of test LocalRMIServerSocketFactoryTest.java + - JDK-8008243: Zero: Implement fast bytecodes + - JDK-8048190: NoClassDefFoundError omits original ExceptionInInitializerError + - JDK-8065097: [macosx] javax/swing/Popup/TaskbarPositionTest.java fails because Popup is one pixel off + - JDK-8144030: [macosx] test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again) + - JDK-8155246: Throw error if default java.security file is missing + - JDK-8186765: Speed up test sun/net/www/protocol/https/HttpsClient/ProxyAuthTest.java + - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails + - JDK-8195809: [TESTBUG] jps and jcmd -l support for containers is not tested + - JDK-8208077: File.listRoots performance degradation + - JDK-8209935: Test 
to cover CodeSource.getCodeSigners() + - JDK-8210927: JDB tests do not update source path after doing a redefine class + - JDK-8212961: [TESTBUG] vmTestbase/nsk/stress/jni/ native code cleanup + - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails + - JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java sometimes detect threads+1 connections + - JDK-8230374: maxOutputSize, instead of javatest.maxOutputSize, should be used in TEST.properties + - JDK-8231491: JDI tc02x004 failed again due to wrong # of breakpoints + - JDK-8235297: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java fails intermittent + - JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out after 8 minutes + - JDK-8242115: C2 SATB barriers are not safepoint-safe + - JDK-8244669: convert clhsdb "mem" command from javascript to java + - JDK-8245654: Add Certigna Root CA + - JDK-8251177: [macosx] The text "big" is truncated in JTabbedPane + - JDK-8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" + - JDK-8258512: serviceability/sa/TestJmapCore.java timed out on macOS 10.13.6 + - JDK-8262386: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out + - JDK-8266974: duplicate property key in java.sql.rowset resource bundle + - JDK-8267038: Update IANA Language Subtag Registry to Version 2022-03-02 + - JDK-8270156: Add "randomness" and "stress" keys to JTreg tests which use StressGCM, StressLCM and/or StressIGVN + - JDK-8270476: Make floating-point test infrastructure more lambda and method reference friendly + - JDK-8271471: [IR Framework] Rare occurrence of "" in PrintIdeal/PrintOptoAssembly can let tests fail + - JDK-8271838: AmazonCA.java interop test fails + - JDK-8272702: Resolving URI relative path with no / may lead to incorrect toString + - JDK-8272985: Reference discovery is confused about atomicity and degree of parallelism + - JDK-8273154: Provide a JavadocTester method for 
non-overlapping, unordered output matching + - JDK-8273410: IR verification framework fails with "Should find method name in validIrRulesMap" + - JDK-8274911: testlibrary_tests/ir_framework/tests/TestIRMatching.java fails with "java.lang.RuntimeException: Should have thrown exception" + - JDK-8275173: testlibrary_tests/ir_framework/tests/TestCheckedTests.java fails after JDK-8274911 + - JDK-8275301: Unify C-heap buffer overrun checks into NMT + - JDK-8275320: NMT should perform buffer overrun checks + - JDK-8275582: Don't purge metaspace mapping lists + - JDK-8275704: Metaspace::contains() should be threadsafe + - JDK-8275843: Random crashes while the UI code is executed + - JDK-8276064: CheckCastPP with raw oop input floats below a safepoint + - JDK-8276086: Increase size of metaspace mappings + - JDK-8277485: Zero: Fix _fast_{i,f}access_0 bytecodes handling + - JDK-8277822: Remove debug-only heap overrun checks in os::malloc and friends + - JDK-8277946: NMT: Remove VM.native_memory shutdown jcmd command option + - JDK-8277990: NMT: Remove NMT shutdown capability + - JDK-8278961: Enable debug logging in java/net/DatagramSocket/SendDatagramToBadAddress.java + - JDK-8279024: Remove javascript references from clhsdb.html + - JDK-8279119: src/jdk.hotspot.agent/doc/index.html file contains references to scripts that no longer exist + - JDK-8279351: [TESTBUG] SADebugDTest.java does not handle "Address already in use" error + - JDK-8279614: The left line of the TitledBorder is not painted on 150 scale factor + - JDK-8280007: Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 + - JDK-8280048: Missing comma in copyright header + - JDK-8280132: Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder + - JDK-8280166: Extend java/lang/instrument/GetObjectSizeIntrinsicsTest.java test cases + - JDK-8280553: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java can fail if GC occurs + - JDK-8280703: CipherCore.doFinal(...) 
causes potentially massive byte[] allocations during decryption + - JDK-8280784: VM_Cleanup unnecessarily processes all thread oops + - JDK-8280868: LineBodyHandlerTest.java creates and discards too many clients + - JDK-8280889: java/lang/instrument/GetObjectSizeIntrinsicsTest.java fails with -XX:-UseCompressedOops + - JDK-8280896: java/nio/file/Files/probeContentType/Basic.java fails on Windows 11 + - JDK-8281122: [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 + - JDK-8281170: Test jdk/tools/jpackage/windows/WinInstallerIconTest always fails on Windows 11 + - JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java to stop HttpServer cleanly in case of exceptions + - JDK-8282143: Objects.requireNonNull should be ForceInline + - JDK-8282577: ICC_Profile.setData(int, byte[]) invalidates the profile + - JDK-8282771: Create test case for JDK-8262981 + - JDK-8282958: Rendering Issues with Borders on Windows High-DPI systems + - JDK-8283606: Tests may fail with zh locale on MacOS + - JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/thread001 failed due to SocketTimeoutException + - JDK-8283719: java/util/logging/CheckZombieLockTest.java failing intermittently + - JDK-8283870: jdeprscan --help causes an exception when the locale is ja, zh_CN or de + - JDK-8284115: [IR Framework] Compilation is not found due to rare safepoint while dumping PrintIdeal/PrintOptoAssembly + - JDK-8284165: Add pid to process reaper thread name + - JDK-8284524: Create an automated test for JDK-4422362 + - JDK-8284726: Print active locale settings in hs_err reports and in VM.info + - JDK-8284767: Create an automated test for JDK-4422535 + - JDK-8285399: JNI exception pending in awt_GraphicsEnv.c:1432 + - JDK-8285690: CloneableReference subtest should not throw CloneNotSupportedException + - JDK-8285755: JDK-8285093 changed the default for --with-output-sync + - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work + - JDK-8285919: Remove debug 
printout from JDK-8285093 + - JDK-8285965: TestScenarios.java does not check for "" correctly + - JDK-8286030: Avoid JVM crash when containers share the same /tmp dir + - JDK-8286154: Fix 3rd party notices in test files + - JDK-8286562: GCC 12 reports some compiler warnings + - JDK-8286694: Incorrect argument processing in java launcher + - JDK-8286705: GCC 12 reports use-after-free potential bugs + - JDK-8286707: JFR: Don't commit JFR internal jdk.JavaMonitorWait events + - JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is too strong + - JDK-8286844: com/sun/jdi/RedefineCrossEvent.java failed with 1 threads completed while VM suspended + - JDK-8286873: Improve websocket test execution time + - JDK-8286962: java/net/httpclient/ServerCloseTest.java failed once with ConnectException + - JDK-8287180: Update IANA Language Subtag Registry to Version 2022-08-08 + - JDK-8287217: C2: PhaseCCP: remove not visited nodes, prevent type inconsistency + - JDK-8287491: compiler/jvmci/errors/TestInvalidDebugInfo.java fails new assert: assert((uint)t < T_CONFLICT + 1) failed: invalid type # + - JDK-8287593: ShortResponseBody could be made more resilient to rogue connections + - JDK-8287754: Update jib GNU make dependency on Windows to latest cygwin build + - JDK-8288005: HotSpot build with disabled PCH fails for Windows AArch64 + - JDK-8288130: compiler error with AP and explicit record accessor + - JDK-8288332: Tier1 validate-source fails after 8279614 + - JDK-8288415: java/awt/PopupMenu/PopupMenuLocation.java is unstable in MacOS machines + - JDK-8288854: getLocalGraphicsEnvironment() on for multi-screen setups throws exception NPE + - JDK-8289400: Improve com/sun/jdi/TestScaffold error reporting + - JDK-8289440: Remove vmTestbase/nsk/monitoring/MemoryPoolMBean/isCollectionUsageThresholdExceeded/isexceeded003 from ProblemList.txt + - JDK-8289508: Improve test coverage for XPath Axes: ancestor, ancestor-or-self, preceding, and preceding-sibling + - JDK-8289511: Improve test 
coverage for XPath Axes: child + - JDK-8289647: AssertionError during annotation processing of record related tests + - JDK-8289948: Improve test coverage for XPath functions: Node Set Functions + - JDK-8290067: Show stack dimensions in UL logging when attaching threads + - JDK-8290083: ResponseBodyBeforeError: AssertionError or SSLException: Unsupported or unrecognized SSL message + - JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension + - JDK-8290322: Optimize Vector.rearrange over byte vectors for AVX512BW targets. + - JDK-8290836: Improve test coverage for XPath functions: String Functions + - JDK-8290837: Improve test coverage for XPath functions: Boolean Functions + - JDK-8290838: Improve test coverage for XPath functions: Number Functions + - JDK-8290850: C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph + - JDK-8290899: java/lang/String/StringRepeat.java test requests too much heap on windows x86 + - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" + - JDK-8291825: java/time/nontestng/java/time/zone/CustomZoneNameTest.java fails if defaultLocale and defaultFormatLocale are different + - JDK-8292033: Move jdk.X509Certificate event logic to JCA layer + - JDK-8292066: Convert TestInputArgument.sh and TestSystemLoadAvg.sh to java version + - JDK-8292159: TYPE_USE annotations on generic type arguments of record components discarded + - JDK-8292177: InitialSecurityProperty JFR event + - JDK-8292285: C2: remove unreachable block after NeverBranch-to-Goto conversion + - JDK-8292297: Fix up loading of override java.security properties file + - JDK-8292328: AccessibleActionsTest.java test instruction for show popup on JLabel did not specify shift key + - JDK-8292443: Weak CAS VarHandle/Unsafe tests should test always-failing cases + - JDK-8292602: ZGC: C2 late barrier analysis uses invalid dominator information 
+ - JDK-8292660: C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly + - JDK-8292780: misc tests failed "assert(false) failed: graph should be schedulable" + - JDK-8292877: java/util/concurrent/atomic/Serial.java uses {Double,Long}Accumulator incorrectly + - JDK-8293000: Review running times of jshell regression tests + - JDK-8293326: jdk/sun/security/tools/jarsigner/compatibility/SignTwice.java slow on Windows + - JDK-8293466: libjsig should ignore non-modifying sigaction calls + - JDK-8293493: Signal Handlers printout should show signal block state + - JDK-8293531: C2: some vectorapi tests fail assert "Not monotonic" with flag -XX:TypeProfileLevel=222 + - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections + - JDK-8293691: converting a defined BasicType value to a string should not crash the VM + - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings + - JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed with "RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG" + - JDK-8293965: Code signing warnings after JDK-8293550 + - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop + - JDK-8294160: misc crash dump improvements + - JDK-8294217: Assertion failure: parsing found no loops but there are some + - JDK-8294310: compare.sh fails on macos after JDK-8293550 + - JDK-8294378: URLPermission constructor exception when using tr locale + - JDK-8294538: missing is_unloading() check in SharedRuntime::fixup_callers_callsite() + - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316 + - JDK-8294580: frame::interpreter_frame_print_on() crashes if free BasicObjectLock exists in frame + - JDK-8294677: chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications + - JDK-8294705: Disable an assertion in test/jdk/java/util/DoubleStreamSums/CompensatedSums.java + - JDK-8294902: Undefined Behavior in C2 regalloc with null 
references + - JDK-8294947: Use 64bit atomics in patch_verified_entry on x86_64 + - JDK-8294958: java/net/httpclient/ConnectTimeout tests are slow + - JDK-8295000: java/util/Formatter/Basic test cleanup + - JDK-8295066: Folding of loads is broken in C2 after JDK-8242115 + - JDK-8295116: C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead + - JDK-8295211: Fix autoconf 2.71 warning "AC_CHECK_HEADERS: you should use literals" + - JDK-8295413: com/sun/jdi/EATests.java fails with compiler flag -XX:+StressReflectiveCode + - JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD file + - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 + - JDK-8295685: Update Libpng to 1.6.38 + - JDK-8295724: VirtualMachineError: Out of space in CodeCache for method handle intrinsic + - JDK-8295774: Write a test to verify List sends ItemEvent/ActionEvent + - JDK-8295777: java/net/httpclient/ConnectExceptionTest.java should not rely on system resolver + - JDK-8295788: C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" + - JDK-8296136: Use correct register in aarch64_enc_fast_unlock() + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296329: jar validator doesn't account for minor class file version + - JDK-8296389: C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors + - JDK-8296548: Improve MD5 intrinsic for x86_64 + - JDK-8296611: Problemlist several sun/security tests until JDK-8295343 is resolved + - JDK-8296619: Upgrade jQuery to 3.6.1 + - JDK-8296675: Exclude linux-aarch64 in NSS tests + - JDK-8296878: Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters + - JDK-8296904: Improve handling of macos xcode toolchain + - JDK-8296912: C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 + - JDK-8296924: C2: 
assert(is_valid_AArch64_address(dest.target())) failed: bad address + - JDK-8297088: Update LCMS to 2.14 + - JDK-8297211: Expensive fillInStackTrace operation in HttpURLConnection.getOutputStream0 when no content-length in response + - JDK-8297259: Bump update version for OpenJDK: jdk-17.0.7 + - JDK-8297264: C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top + - JDK-8297431: [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception + - JDK-8297437: javadoc cannot link to old docs (with old style anchors) + - JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG misses result - NULL check + - JDK-8297489: Modify TextAreaTextEventTest.java as to verify the content change of TextComponent sends TextEvent + - JDK-8297523: Various GetPrimitiveArrayCritical miss result - NULL check + - JDK-8297569: URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 + - JDK-8297642: PhaseIdealLoop::only_has_infinite_loops must detect all loops that never lead to termination + - JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + - JDK-8297959: Provide better descriptions for some Operating System JFR events + - JDK-8297963: Partially fix string expansion issues in UTIL_DEFUN_NAMED and related macros + - JDK-8298027: Remove SCCS id's from awt jtreg tests + - JDK-8298035: Provide better descriptions for JIT compiler JFR events + - JDK-8298073: gc/metaspace/CompressedClassSpaceSizeInJmapHeap.java causes test task timeout on macosx + - JDK-8298093: improve cleanup and error handling of awt_parseColorModel in awt_parseImage.c + - JDK-8298108: Add a regression test for JDK-8297684 + - JDK-8298129: Let checkpoint event sizes grow beyond u4 limit + - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8298459: Fix msys2 linking and handling out of tree build directory for source zip 
creation + - JDK-8298472: AArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options + - JDK-8298527: Cygwin's uname -m returns different string than before + - JDK-8298568: Fastdebug build fails after JDK-8296389 + - JDK-8298588: WebSockets: HandshakeUrlEncodingTest unnecessarily depends on a response body + - JDK-8298649: JFR: RemoteRecordingStream support for checkpoint event sizes beyond u4 + - JDK-8298726: (fs) Change PollingWatchService to record last modified time as FileTime rather than milliseconds + - JDK-8298947: compiler/codecache/MHIntrinsicAllocFailureTest.java fails intermittently + - JDK-8299015: Ensure that HttpResponse.BodySubscribers.ofFile writes all bytes + - JDK-8299018: java/net/httpclient/HttpsTunnelAuthTest.java fails with java.io.IOException: HTTP/1.1 header parser received no bytes + - JDK-8299194: CustomTzIDCheckDST.java may fail at future date + - JDK-8299296: Write a test to verify the components selection sends ItemEvent + - JDK-8299388: java/util/regex/NegativeArraySize.java fails on Alpine and sometimes Windows + - JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java fails on SLES12 ppc64le when testing Memory and Swap Limit + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299470: sun/jvm/hotspot/SALauncher.java handling of negative rmiport args + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299497: Usage of constructors of primitive wrapper classes should be avoided in java.desktop API docs + - JDK-8299520: TestPrintXML.java output error messages in case compare fails + - JDK-8299597: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.7 + - JDK-8299657: sun/tools/jhsdb/SAGetoptTest.java fails after 8299470 + - JDK-8299671: Speed up compiler/intrinsics/string/TestStringLatin1IndexOfChar.java + - JDK-8299789: Compilation of gtest causes build to fail if runtime libraries are in different dirs + - JDK-8299957: 
Enhance error logging in instrument coding with additional jplis_assert_msg + - JDK-8299970: Speed up compiler/arraycopy/TestArrayCopyConjoint.java + - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems + - JDK-8300205: Swing test bug8078268 make latch timeout configurable + - JDK-8300266: Detect Virtualization on Linux aarch64 + - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 + - JDK-8300590: [JVMCI] BytecodeFrame.equals is broken + - JDK-8300642: [17u,11u] Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + - JDK-8300692: GCC 12 reports some compiler warnings in bundled freetype + - JDK-8300751: [17u] Remove duplicate entry in javac.properties + - JDK-8300773: Address the inconsistency between the constant array and pool size + - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns + - JDK-8301342: Prefer ArrayList to LinkedList in LayoutComparator + - JDK-8301397: [11u, 17u] Bump jtreg to fix issue with build JDK 11.0.18 + - JDK-8301760: Fix possible leak in SpNegoContext dispose + - JDK-8301842: JFR: increase checkpoint event size for stacktrace and string pool + - JDK-8302152: Speed up tests with infinite loops, sleep less + - JDK-8302692: [17u] Update GHA Boot JDK to 17.0.6 + - JDK-8302879: doc/building.md update link to jtreg builds + - JDK-8304871: Use default visibility for static library builds + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate +========================================================== +The following root certificate has been added to the cacerts truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR + +JDK-8292177: New JFR Event: jdk.InitialSecurityProperty +======================================================= +The initial security properties loaded 
by the java.security.Security class +are now accessible in the new JFR event, `jdk.InitialSecurityProperty`. + +The event contains two fields: + +* key - the security property key +* value - the corresponding security property value + +The combination of this new event and the existing +`jdk.SecurityPropertyModification` event means that security +properties can now be monitored throughout their lifecycle. + +The initial security properties are now also printed to the standard +error output stream when `-Djava.security.debug=properties` is passed +to the Java virtual machine. + +JDK-8155246: Throw Error If Default java.security File Fails to Load +==================================================================== +A hardcoded set of security properties was used in previous releases +when the `java.security` file could not be loaded. This set of +properties were poorly maintained and it was not obvious to the user +that they were being utilised. This release instead throws an +`InternalError` if the `java.security` file can not be loaded. + +core-libs/java.io: + +JDK-8208077: File::listRoots Changed To Return All Available Drives On Windows +============================================================================== +The `java.io.File.listRoots()` method on Windows systems filtered out disk +drives that could not be accessed or did not have media loaded. The +use of this filtering led to observable performance issues. This release +now returns all available disk drives, unfiltered. + New in release OpenJDK 17.0.6 (2023-01-17): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1706 + * https://bit.ly/openjdk1706 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html * CVEs 
@@ -275,7 +599,7 @@ Live versions of these release notes can be found at: - JDK-8296239: ISO 4217 Amendment 174 Update - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - JDK-8296715: CLDR v42 update for tzdata 2022f - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect @@ -353,7 +677,7 @@ system property `jdk.tls.enableDtlsResumeCookie` to `false`. New in release OpenJDK 17.0.5 (2022-10-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1705 + * https://bit.ly/openjdk1705 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html * Security fixes @@ -721,7 +1045,7 @@ Runtime to crash unpredictably. New in release OpenJDK 17.0.4 (2022-07-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1704 + * https://bit.ly/openjdk1704 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt * Security fixes @@ -1038,7 +1362,7 @@ the use of special devices such as `NUL:` New in release OpenJDK 17.0.3 (2022-04-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1703 + * https://bit.ly/openjdk1703 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt * Security fixes 
@@ -1243,7 +1567,7 @@ An OCSP response signed with the RSASSA-PSS algorithm is now supported. New in release OpenJDK 17.0.2 (2022-01-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1702 + * https://bit.ly/openjdk1702 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt * Security fixes diff --git a/SOURCES/fips-17u-257d544b594.patch b/SOURCES/fips-17u-bf363eecce3.patch similarity index 81% rename from SOURCES/fips-17u-257d544b594.patch rename to SOURCES/fips-17u-bf363eecce3.patch index 6c03d6f..cd8565c 100644 --- a/SOURCES/fips-17u-257d544b594.patch +++ b/SOURCES/fips-17u-bf363eecce3.patch @@ -136,10 +136,10 @@ index a65d91ee974..a8f054c1397 100644 BASIC_JDKLIB_LIBS="" if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index d557549adb3..1cb44bd2595 100644 +index 537c3e3043c..16ad3df6f09 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -841,6 +841,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # @@ -1362,27 +1362,18 @@ index a020e1c15d8..3c064965e82 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index ff2bc942c03..96a3ba4040c 100644 +index 2477027969c..06b1b6c671c 100644 --- a/src/java.base/share/classes/java/security/Security.java 
+++ b/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ import java.net.URL; - +@@ -33,6 +33,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ +@@ -57,6 +58,11 @@ import sun.security.jca.*; public final class Security { @@ -1394,7 +1385,7 @@ index ff2bc942c03..96a3ba4040c 100644 /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { +@@ -74,6 +80,19 @@ public final class Security { } static { @@ -1414,26 +1405,19 @@ index ff2bc942c03..96a3ba4040c 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -84,6 +106,7 @@ public final class Security { +@@ -97,6 +116,7 @@ public final class Security { + private static void initialize() { props = new Properties(); - boolean loadedProps = false; boolean overrideAll = false; + boolean systemSecPropsEnabled = false; // first load the system properties file // to determine the value of security.overridePropertiesFile -@@ -99,6 +122,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -193,6 +217,61 @@ public final class Security { +@@ -117,6 +137,60 @@ public final class Security { } + loadProps(null, extraPropFile, overrideAll); } - ++ + boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); + boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); + if (sdebug != null) { @@ -1453,9 +1437,7 @@ index ff2bc942c03..96a3ba4040c 100644 + } + } + -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { ++ if (systemSecPropsEnabled) { + boolean shouldEnable; + String sysProp = System.getProperty("com.redhat.fips"); + if (sysProp == null) { 
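Review bot: The guard in `Security.initialize()` becomes `if (systemSecPropsEnabled)` and the two-line comment explaining that FIPS setup depends on `java.security` having loaded is dropped with it, so the invariant is now implicit. Presumably this is safe because the 17.0.7 base fails with `InternalError` when `java.security` cannot be loaded (JDK-8155246 in the NEWS section of this commit), but nothing at the call site says so. I would keep a comment such as `// java.security is known to be loaded here; initialization throws InternalError otherwise (JDK-8155246)`. The `if` block continues outside this hunk.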
@@ -1489,15 +1471,27 @@ index ff2bc942c03..96a3ba4040c 100644 + "system security properties being enabled."); + } + } + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -124,10 +198,9 @@ public final class Security { + props.getProperty(key)); + } + } +- } - /* +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 00000000000..98ffced455b +index 00000000000..9d26a54f5d4 --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,249 @@ +@@ -0,0 +1,232 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * @@ -1578,26 +1572,9 @@ index 00000000000..98ffced455b + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); + } + + /* 
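Review bot: `loadProps` loses `private` here so that `SystemConfigurator` can call it, but the declaration carries no comment about the wider visibility or about what may be passed as `extraPropFile`. Since this method decides which files feed the security properties, a one-line comment would help the next rebase, e.g. `// package-private for SystemConfigurator; extraPropFile must come from trusted configuration, never from application input`. The method body continues outside the hunk, so how `extraPropFile` is resolved is not checked here.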
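Review bot: `configureSysProps` now returns the bare result of `Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false)`, so a crypto-policies file that is absent and one that is present but unreadable look the same to the caller, and the removed `sdebug` lines that named the file on failure are gone. From the `if (systemSecPropsEnabled)` block in the Security.java hunk, a `false` here means FIPS setup is skipped, which on a host meant to run under the system policy is a quiet fall-back to the JDK defaults. Whether `loadProps` already logs the failure is not visible in this hunk; if it does not, keep the diagnostic: `boolean loaded = Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);`, `if (!loaded && sdebug != null) sdebug.println("unable to load security properties from " + CRYPTO_POLICIES_JAVA_CONFIG);`, `return loaded;`.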
@@ -1652,7 +1629,7 @@ index 00000000000..98ffced455b + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } @@ -1785,10 +1762,10 @@ index 00000000000..3f3caac64dc + boolean isPlainKeySupportEnabled(); +} diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index f6d3638c3dd..a1ee182d913 100644 +index ea28bb8747e..77161eb3844 100644 --- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -39,6 +39,7 @@ import java.io.FilePermission; +@@ -40,6 +40,7 @@ import java.io.FilePermission; import java.io.ObjectInputStream; import java.io.RandomAccessFile; import java.security.ProtectionDomain; @@ -1796,7 +1773,7 @@ index f6d3638c3dd..a1ee182d913 100644 import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for -@@ -81,6 +82,7 @@ public class SharedSecrets { +@@ -83,6 +84,7 @@ public class SharedSecrets { private static JavaSecuritySpecAccess javaSecuritySpecAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; @@ -1804,7 +1781,7 @@ index f6d3638c3dd..a1ee182d913 100644 public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { javaUtilCollectionAccess = juca; -@@ -442,4 +444,15 @@ public class SharedSecrets { +@@ -457,4 +459,15 @@ public class SharedSecrets { MethodHandles.lookup().ensureInitialized(c); } catch (IllegalAccessException e) {} } @@ -1821,7 +1798,7 @@ index f6d3638c3dd..a1ee182d913 100644 + } } 
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index 9faee9cae36..27f43550aa4 100644 +index fad70bdc058..29a813a485f 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java @@ -152,6 +152,8 @@ module java.base { @@ -1832,9 +1809,9 @@ index 9faee9cae36..27f43550aa4 100644 + jdk.crypto.ec, jdk.jartool, jdk.jlink, - jdk.net, + jdk.jfr, diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 912cad59714..709d32912ca 100644 +index 912cad59714..7803e97f7ef 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -30,6 +30,7 @@ import java.net.*; @@ -1856,7 +1833,7 @@ index 912cad59714..709d32912ca 100644 // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; -@@ -94,99 +99,101 @@ public final class SunEntries { +@@ -94,89 +99,92 @@ public final class SunEntries { // common attribute map HashMap attrs = new HashMap<>(3); @@ -1920,8 +1897,6 @@ index 912cad59714..709d32912ca 100644 - "sun.security.provider.DSA$SHA3_384withDSA", attrs); - addWithAlias(p, "Signature", "SHA3-512withDSA", - "sun.security.provider.DSA$SHA3_512withDSA", attrs); -- -- attrs.remove("KeySize"); + if (!systemFipsEnabled) { + /* + * SecureRandom engines 
@@ -1944,32 +1919,7 @@ index 912cad59714..709d32912ca 100644 + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", attrs); -- add(p, "Signature", "SHA1withDSAinP1363Format", -- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -- add(p, "Signature", "NONEwithDSAinP1363Format", -- "sun.security.provider.DSA$RawDSAinP1363Format"); -- add(p, "Signature", "SHA224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -- add(p, "Signature", "SHA256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -- add(p, "Signature", "SHA384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -- add(p, "Signature", "SHA512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -- add(p, "Signature", "SHA3-224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -- add(p, "Signature", "SHA3-256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -- add(p, "Signature", "SHA3-384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -- add(p, "Signature", "SHA3-512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -- /* -- * Key Pair Generator engines -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- attrs.remove("KeySize"); + /* + * Signature engines + */ 
@@ -2032,16 +1982,39 @@ index 912cad59714..709d32912ca 100644 + "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); + add(p, "Signature", "SHA3-512withDSAinP1363Format", + "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ } + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + /* + * Key Pair Generator engines + */ +@@ -184,9 +192,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); @@ -2049,7 +2022,7 @@ index 912cad59714..709d32912ca 100644 /* * Algorithm Parameter Generator engines -@@ -201,40 +208,42 @@ public final class SunEntries { +@@ -201,40 +211,42 @@ public final class SunEntries { addWithAlias(p, "AlgorithmParameters", "DSA", "sun.security.provider.DSAParameters", attrs); @@ -2126,7 +2099,7 @@ index 912cad59714..709d32912ca 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..225517ac69b 100644 +index ca79f25cc44..a12fcbbd6e7 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; @@ -2148,19 +2121,7 @@ index ca79f25cc44..225517ac69b 100644 private void add(Provider p, String type, String algo, String cn, List aliases, HashMap attrs) { services.add(new Provider.Service(p, type, algo, cn, -@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { - // start populating content using the specified provider - // common attribute map - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ } - +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { add(p, "KeyFactory", "RSA", "sun.security.rsa.RSAKeyFactory$Legacy", getAliases("PKCS1"), null); 
@@ -2547,10 +2508,10 @@ index 00000000000..dc8bc72fccb + } +} diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 63be286686d..b0a589c3fb4 100644 +index fab52688c04..29337576f37 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security -@@ -79,6 +79,16 @@ security.provider.tbd=Apple +@@ -82,6 +82,17 @@ security.provider.tbd=Apple #endif security.provider.tbd=SunPKCS11 @@ -2563,11 +2524,12 @@ index 63be286686d..b0a589c3fb4 100644 +fips.provider.4=SunJSSE +fips.provider.5=SunJCE +fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. -@@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false +@@ -292,6 +303,47 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12 @@ -2615,7 +2577,7 @@ index 63be286686d..b0a589c3fb4 100644 # # Controls compatibility mode for JKS and PKCS12 keystore types. # -@@ -326,6 +377,13 @@ package.definition=sun.misc.,\ +@@ -329,6 +381,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true @@ -3846,7 +3808,7 @@ index 00000000000..ae4262703e6 + +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java -index 8d1b8ccb0ae..950ed20cf62 100644 +index 8d1b8ccb0ae..7ea9b4c5e7f 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java @@ -31,6 +31,7 @@ import java.security.*; 
@@ -3857,7 +3819,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 import javax.crypto.spec.*; import static sun.security.pkcs11.TemplateManager.*; -@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -194,6 +195,130 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { return p11Key; } @@ -3886,9 +3848,11 @@ index 8d1b8ccb0ae..950ed20cf62 100644 + } + + if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { -+ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion; -+ if (P11Util.isNSS(token) || p11Ver.major < 2 || -+ p11Ver.major == 2 && p11Ver.minor < 40) { ++ CK_INFO p11Info = token.p11.getInfo(); ++ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion ++ : null); ++ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major < ++ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) { + // NSS keeps using the old structure beyond PKCS #11 v2.40 + ckMech = new CK_MECHANISM(kdfData.kdfMech, + new CK_PKCS5_PBKD2_PARAMS(password, salt, @@ -3986,7 +3950,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 static void fixDESParity(byte[] key, int offset) { for (int i = 0; i < 8; i++) { int b = key[offset] & 0xfe; -@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -320,6 +445,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { keySpec = new SecretKeySpec(keyBytes, "DESede"); return engineGenerateSecret(keySpec); } @@ -3996,7 +3960,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 } throw new InvalidKeySpecException ("Unsupported spec: " + keySpec.getClass().getName()); -@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -373,6 +501,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { // see JCE spec protected SecretKey engineTranslateKey(SecretKey key) throws InvalidKeyException { @@ -4952,7 +4916,7 @@ index 1f9c4d39f57..5e3c1b9d29f 100644 public String toString() { StringBuilder sb = new StringBuilder(); 
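Review bot: In the `CKM_PKCS5_PBKD2` branch (hunk `-3886,9 +3848,11`), a null `p11Info` now makes the whole version test false for a non-NSS token. A library whose Cryptoki version could not be read is therefore treated like one at 2.40 or later and, presumably, gets the newer parameter structure in the `else` part, which is outside the hunk. If that default is intended it deserves a comment, for example `// Cryptoki version unknown (C_GetInfo failed): assume >= 2.40`. Otherwise the unknown case should be handled explicitly rather than left to fall through. The condition also mixes `||` and `&&` without full grouping; `P11Util.isNSS(token) || (p11Ver != null && (p11Ver.major < 2 || (p11Ver.major == 2 && p11Ver.minor < 40)))` reads unambiguously.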
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..5fbf8addcba 100644 +index 5c0aacd1a67..d796aaa3075 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; @@ -4969,12 +4933,12 @@ index 5c0aacd1a67..5fbf8addcba 100644 private long pNativeData; -+ private CK_INFO pInfo; ++ private volatile CK_INFO pInfo; + /** * This method does the initialization of the native library. It is called * exactly once for this class. -@@ -145,23 +150,49 @@ public class PKCS11 { +@@ -145,23 +150,48 @@ public class PKCS11 { * @postconditions */ PKCS11(String pkcs11ModulePath, String functionListName) @@ -4982,9 +4946,8 @@ index 5c0aacd1a67..5fbf8addcba 100644 + throws IOException, PKCS11Exception { connect(pkcs11ModulePath, functionListName); this.pkcs11ModulePath = pkcs11ModulePath; -+ pInfo = C_GetInfo(); -+ } -+ + } + + /* + * Compatibility wrapper to allow this method to work as before + * when FIPS mode support is not active. @@ -4994,8 +4957,8 @@ index 5c0aacd1a67..5fbf8addcba 100644 + boolean omitInitialize) throws IOException, PKCS11Exception { + return getInstance(pkcs11ModulePath, functionList, + pInitArgs, omitInitialize, null, null); - } - ++ } ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { @@ -5028,7 +4991,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 } if (omitInitialize == false) { try { -@@ -179,6 +210,14 @@ public class PKCS11 { +@@ -179,6 +209,28 @@ public class PKCS11 { return pkcs11; } 
@@ -5037,13 +5000,27 @@ index 5c0aacd1a67..5fbf8addcba 100644 + * C_GetInfo. This structure represent Cryptoki library information. + */ + public CK_INFO getInfo() { -+ return pInfo; ++ CK_INFO lPInfo = pInfo; ++ if (lPInfo == null) { ++ synchronized (this) { ++ lPInfo = pInfo; ++ if (lPInfo == null) { ++ try { ++ lPInfo = C_GetInfo(); ++ pInfo = lPInfo; ++ } catch (PKCS11Exception e) { ++ // Some PKCS #11 tokens require initialization first. ++ } ++ } ++ } ++ } ++ return lPInfo; + } + /** * Connects this object to the specified PKCS#11 library. This method is for * internal use only. -@@ -1625,7 +1664,7 @@ public class PKCS11 { +@@ -1625,7 +1677,7 @@ public class PKCS11 { static class SynchronizedPKCS11 extends PKCS11 { SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) @@ -5052,7 +5029,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 super(pkcs11ModulePath, functionListName); } -@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -1911,4 +1963,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } 
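Review bot: `getInfo()` can now return null when `C_GetInfo()` throws, but the Javadoc above it still reads as if a structure is always returned. I would add a sentence such as `Returns null if C_GetInfo fails, e.g. because the token has not been initialized yet.` so that callers know to check. The P11SecretKeyFactory hunk in this patch does check for null; any other caller of `getInfo()` not shown here needs the same guard. The catch block also discards the `PKCS11Exception` without any debug output, and a failure leaves `pInfo` null, so every later call repeats the native call under the lock. Logging the exception where a debug facility is available would make a misbehaving PKCS #11 library much easier to diagnose.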
@@ -5954,3 +5931,1318 @@ index 8c9e4f9dbe6..883dc04758e 100644 } } +diff --git a/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java +new file mode 100644 +index 00000000000..a184a169732 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java +@@ -0,0 +1,233 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++import java.math.BigInteger; ++import java.security.AlgorithmParameters; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.Security; ++import java.util.Map; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.interfaces.PBEKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test password based encryption on SunPKCS11's Cipher service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @run main/othervm/timeout=30 PBECipher ++ */ ++ ++public final class PBECipher { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ PBECipher2.main(args); ++ } ++} ++ ++final class PBECipher2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final byte[] iv = new byte[16]; ++ private static final int iterations = 1000; ++ private static final String plainText = "This is a know plain text!"; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static enum Configuration { ++ // Provide salt and iterations through a PBEParameterSpec instance ++ PBEParameterSpec, ++ ++ // Provide salt and iterations through a AlgorithmParameters instance ++ AlgorithmParameters, ++ ++ // Provide salt and iterations through an anonymous class implementing ++ // the javax.crypto.interfaces.PBEKey interface ++ AnonymousPBEKey, ++ } ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ // Generated with SunJCE ++ private static final Map assertionData = Map.of( ++ "PBEWithHmacSHA1AndAES_128", new 
BigInteger("8eebe98a580fb09d026" + ++ "dbfe60b3733b079e0de9ea7b0b1ccba011a1652d1e257", 16), ++ "PBEWithHmacSHA224AndAES_128", new BigInteger("1cbabdeb5d483af4a" + ++ "841942f4b1095b7d6f60e46fabfd2609c015adc38cc227", 16), ++ "PBEWithHmacSHA256AndAES_128", new BigInteger("4d82f6591df3508d2" + ++ "4531f06cdc4f90f4bdab7aeb07fbb57a3712e999d5b6f59", 16), ++ "PBEWithHmacSHA384AndAES_128", new BigInteger("3a0ed0959d51f40b9" + ++ "ba9f506a5277f430521f2fbe1ba94bae368835f221b6cb9", 16), ++ "PBEWithHmacSHA512AndAES_128", new BigInteger("1388287a446009309" + ++ "1418f4eca3ba1735b1fa025423d74ced36ce578d8ebf9da", 16), ++ "PBEWithHmacSHA1AndAES_256", new BigInteger("80f8208daab27ed02dd" + ++ "8a354ef6f23ff7813c84dd1c8a1b081d6f4dee27182a2", 16), ++ "PBEWithHmacSHA224AndAES_256", new BigInteger("7e3b9ce20aec2e52f" + ++ "f6c781602d4f79a55a88495b5217f1e22e1a068268e6247", 16), ++ "PBEWithHmacSHA256AndAES_256", new BigInteger("9d6a8b6a351dfd0dd" + ++ "9e9f45924b2860dca7719c4c07e207a64ebc1acd16cc157", 16), ++ "PBEWithHmacSHA384AndAES_256", new BigInteger("6f1b386cee3a8e2d9" + ++ "8c2e81828da0467dec8b989d22258efeab5932580d01d53", 16), ++ "PBEWithHmacSHA512AndAES_256", new BigInteger("30aaa346b2edd394f" + ++ "50916187876ac32f1287b19d55c5eea6f7ef9b84aaf291e", 16) ++ ); ++ ++ private static final class NoRandom extends SecureRandom { ++ @Override ++ public void nextBytes(byte[] bytes) { ++ return; ++ } ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ for (Configuration conf : Configuration.values()) { ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", 
conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", conf); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private void testWith(Provider sunPKCS11, String algorithm, ++ Configuration conf) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm ++ + " (with " + conf.name() + ")"); ++ ++ Cipher pbeCipher = getCipher(sunPKCS11, algorithm, conf); ++ BigInteger cipherText = new BigInteger(1, pbeCipher.doFinal( ++ plainText.getBytes())); ++ printByteArray("Cipher Text", cipherText); ++ ++ BigInteger expectedCipherText = null; ++ if (sunJCE != null) { ++ Cipher c = getCipher(sunJCE, algorithm, conf); ++ if (c != null) { ++ expectedCipherText = new BigInteger(1, c.doFinal( ++ plainText.getBytes())); ++ } else { ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ } ++ if (expectedCipherText == null) { ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. 
++ expectedCipherText = assertionData.get(algorithm); ++ } ++ ++ if (!cipherText.equals(expectedCipherText)) { ++ printByteArray("Expected Cipher Text", expectedCipherText); ++ throw new Exception("Expected Cipher Text did not match"); ++ } ++ } ++ ++ private Cipher getCipher(Provider p, String algorithm, ++ Configuration conf) throws Exception { ++ Cipher pbeCipher = null; ++ try { ++ pbeCipher = Cipher.getInstance(algorithm, p); ++ } catch (NoSuchAlgorithmException e) { ++ return null; ++ } ++ switch (conf) { ++ case PBEParameterSpec, AlgorithmParameters -> { ++ SecretKey key = getPasswordOnlyPBEKey(); ++ PBEParameterSpec paramSpec = new PBEParameterSpec( ++ salt, iterations, new IvParameterSpec(iv)); ++ switch (conf) { ++ case PBEParameterSpec -> { ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); ++ } ++ case AlgorithmParameters -> { ++ AlgorithmParameters algoParams = ++ AlgorithmParameters.getInstance("PBES2"); ++ algoParams.init(paramSpec); ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, algoParams); ++ } ++ } ++ } ++ case AnonymousPBEKey -> { ++ SecretKey key = getPasswordSaltIterationsPBEKey(); ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, new NoRandom()); ++ } ++ } ++ return pbeCipher; ++ } ++ ++ private static SecretKey getPasswordOnlyPBEKey() throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password); ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); ++ SecretKey skey = skFac.generateSecret(keySpec); ++ keySpec.clearPassword(); ++ return skey; ++ } ++ ++ private static SecretKey getPasswordSaltIterationsPBEKey() { ++ return new PBEKey() { ++ public byte[] getSalt() { return salt.clone(); } ++ public int getIterationCount() { return iterations; } ++ public String getAlgorithm() { return "PBE"; } ++ public String getFormat() { return "RAW"; } ++ public char[] getPassword() { return null; } // unused in PBE Cipher ++ public byte[] getEncoded() { ++ byte[] passwdBytes = new byte[password.length]; ++ for (int i = 0; i < 
password.length; i++) ++ passwdBytes[i] = (byte) (password[i] & 0x7f); ++ return passwdBytes; ++ } ++ }; ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ PBECipher2 test = new PBECipher2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java +new file mode 100644 +index 00000000000..360e11c339d +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java +@@ -0,0 +1,137 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++import java.io.ByteArrayInputStream; ++import java.io.ByteArrayOutputStream; ++import java.security.Key; ++import java.security.KeyStore; ++import java.security.KeyStoreException; ++import java.security.MessageDigest; ++import java.security.Provider; ++import java.security.Security; ++ ++import javax.crypto.spec.SecretKeySpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test SunPKCS11's password based privacy and integrity ++ * applied to PKCS#12 keystores ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @modules java.base/sun.security.util ++ * @run main/othervm/timeout=30 -Dcom.redhat.fips=false -DNO_DEFAULT=true ImportKeyToP12 ++ */ ++ ++public final class ImportKeyToP12 { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ ImportKeyToP122.main(args); ++ } ++} ++ ++final class ImportKeyToP122 extends PKCS11Test { ++ private static final String alias = "alias"; ++ private static final char[] password = "123456".toCharArray(); ++ private static final Key key = new SecretKeySpec(new byte[] { ++ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, ++ 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf }, "AES"); ++ private static final String[] pbeCipherAlgs = new String[] { ++ "PBEWithHmacSHA1AndAES_128", "PBEWithHmacSHA224AndAES_128", ++ "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA384AndAES_128", ++ "PBEWithHmacSHA512AndAES_128", "PBEWithHmacSHA1AndAES_256", ++ "PBEWithHmacSHA224AndAES_256", "PBEWithHmacSHA256AndAES_256", ++ "PBEWithHmacSHA384AndAES_256", "PBEWithHmacSHA512AndAES_256" ++ }; ++ private static final String[] pbeMacAlgs = new String[] { ++ "HmacPBESHA1", "HmacPBESHA224", "HmacPBESHA256", ++ "HmacPBESHA384", "HmacPBESHA512" ++ }; ++ private static final KeyStore p12; ++ private static final String sep = ++ "========================================================================="; ++ ++ static { ++ KeyStore tP12 = null; ++ try { ++ tP12 = KeyStore.getInstance("PKCS12"); ++ } catch 
(KeyStoreException e) {} ++ p12 = tP12; ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ // Test all privacy PBE algorithms with an integrity algorithm fixed ++ for (String pbeCipherAlg : pbeCipherAlgs) { ++ testWith(sunPKCS11, pbeCipherAlg, pbeMacAlgs[0]); ++ } ++ // Test all integrity PBE algorithms with a privacy algorithm fixed ++ for (String pbeMacAlg : pbeMacAlgs) { ++ testWith(sunPKCS11, pbeCipherAlgs[0], pbeMacAlg); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ /* ++ * Consistency test: 1) store a secret key in a PKCS#12 keystore using ++ * PBE algorithms from SunPKCS11 and, 2) read the secret key from the ++ * PKCS#12 keystore using PBE algorithms from other security providers ++ * such as SunJCE. ++ */ ++ private void testWith(Provider sunPKCS11, String pbeCipherAlg, ++ String pbeMacAlg) throws Exception { ++ System.out.println(sep + System.lineSeparator() + ++ "Cipher PBE: " + pbeCipherAlg + System.lineSeparator() + ++ "Mac PBE: " + pbeMacAlg); ++ ++ System.setProperty("keystore.pkcs12.macAlgorithm", pbeMacAlg); ++ System.setProperty("keystore.pkcs12.keyProtectionAlgorithm", ++ pbeCipherAlg); ++ ++ // Create an empty PKCS#12 keystore ++ ByteArrayOutputStream baos = new ByteArrayOutputStream(); ++ p12.load(null, password); ++ ++ // Use PBE privacy and integrity algorithms from SunPKCS11 to store ++ // the secret key ++ Security.insertProviderAt(sunPKCS11, 1); ++ p12.setKeyEntry(alias, key, password, null); ++ p12.store(baos, password); ++ ++ // Use PBE privacy and integrity algorithms from other security ++ // providers, such as SunJCE, to read the secret key ++ Security.removeProvider(sunPKCS11.getName()); ++ p12.load(new ByteArrayInputStream(baos.toByteArray()), password); ++ Key k = p12.getKey(alias, password); ++ ++ if (!MessageDigest.isEqual(key.getEncoded(), k.getEncoded())) { ++ throw new Exception("Keys differ. 
Consistency check failed."); ++ } ++ System.out.println("Secret key import successful" + System.lineSeparator() + sep); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ main(new ImportKeyToP122()); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/Mac/PBAMac.java b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java +new file mode 100644 +index 00000000000..6b5662f6b4c +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java +@@ -0,0 +1,187 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++import java.math.BigInteger; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Map; ++ ++import javax.crypto.Mac; ++import javax.crypto.SecretKey; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.interfaces.PBEKey; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test password based authentication on SunPKCS11's Mac service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @run main/othervm/timeout=30 PBAMac ++ */ ++ ++public final class PBAMac { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ PBAMac2.main(args); ++ } ++} ++ ++final class PBAMac2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final int iterations = 1000; ++ private static final String plainText = "This is a know plain text!"; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static enum Configuration { ++ // Provide salt & iterations through a PBEParameterSpec instance ++ PBEParameterSpec, ++ ++ // Provide salt & iterations through an anonymous class implementing ++ // the javax.crypto.interfaces.PBEKey interface ++ AnonymousPBEKey, ++ } ++ ++ // Generated with SunJCE ++ private static final Map assertionData = Map.of( ++ "HmacPBESHA1", new BigInteger("febd26da5d63ce819770a2af1fc2857e" + ++ "e2c9c41c", 16), ++ "HmacPBESHA224", new BigInteger("aa6a3a1c35a4b266fea62d1a871508" + ++ "bd45f8ec326bcf16e09699063", 16), ++ "HmacPBESHA256", new BigInteger("af4d71121fd4e9d52eb42944d99b77" + ++ "8ff64376fcf6af8d1dca3ec688dfada5c8", 16), ++ "HmacPBESHA384", new BigInteger("5d6d37764205985ffca7e4a6222752" + ++ 
"a8bbd0520858da08ecafdc57e6246894675e375b9ba084f9ce7142" + ++ "35f202cc3452", 16), ++ "HmacPBESHA512", new BigInteger("f586c2006cc2de73fd5743e5cca701" + ++ "c942d3741a7a54a2a649ea36898996cf3c483f2d734179b47751db" + ++ "e8373c980b4072136d2e2810f4e7276024a3e9081cc1", 16) ++ ); ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ for (Configuration conf : Configuration.values()) { ++ testWith(sunPKCS11, "HmacPBESHA1", conf); ++ testWith(sunPKCS11, "HmacPBESHA224", conf); ++ testWith(sunPKCS11, "HmacPBESHA256", conf); ++ testWith(sunPKCS11, "HmacPBESHA384", conf); ++ testWith(sunPKCS11, "HmacPBESHA512", conf); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private void testWith(Provider sunPKCS11, String algorithm, ++ Configuration conf) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm ++ + " (with " + conf.name() + ")"); ++ ++ BigInteger macResult = computeMac(sunPKCS11, algorithm, conf); ++ printByteArray("HMAC Result", macResult); ++ ++ BigInteger expectedMacResult = computeExpectedMac(algorithm, conf); ++ ++ if (!macResult.equals(expectedMacResult)) { ++ printByteArray("Expected HMAC Result", expectedMacResult); ++ throw new Exception("Expected HMAC Result did not match"); ++ } ++ } ++ ++ private BigInteger computeMac(Provider p, String algorithm, ++ Configuration conf) throws Exception { ++ Mac pbaMac; ++ try { ++ pbaMac = Mac.getInstance(algorithm, p); ++ } catch (NoSuchAlgorithmException e) { ++ return null; ++ } ++ switch (conf) { ++ case PBEParameterSpec -> { ++ SecretKey key = getPasswordOnlyPBEKey(); ++ pbaMac.init(key, new PBEParameterSpec(salt, iterations)); ++ } ++ case AnonymousPBEKey -> { ++ SecretKey key = getPasswordSaltIterationsPBEKey(); ++ pbaMac.init(key); ++ } ++ } ++ return new BigInteger(1, pbaMac.doFinal(plainText.getBytes())); ++ } ++ ++ private BigInteger 
computeExpectedMac(String algorithm, Configuration conf) ++ throws Exception { ++ if (sunJCE != null) { ++ BigInteger macResult = computeMac(sunJCE, algorithm, conf); ++ if (macResult != null) { ++ return macResult; ++ } ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ return assertionData.get(algorithm); ++ } ++ ++ private static SecretKey getPasswordOnlyPBEKey() throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password); ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); ++ SecretKey skey = skFac.generateSecret(keySpec); ++ keySpec.clearPassword(); ++ return skey; ++ } ++ ++ private static SecretKey getPasswordSaltIterationsPBEKey() { ++ return new PBEKey() { ++ public byte[] getSalt() { return salt.clone(); } ++ public int getIterationCount() { return iterations; } ++ public String getAlgorithm() { return "PBE"; } ++ public String getFormat() { return "RAW"; } ++ public char[] getPassword() { return password.clone(); } ++ public byte[] getEncoded() { return null; } // unused in PBA Mac ++ }; ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ PBAMac2 test = new PBAMac2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java +new file mode 100644 +index 00000000000..67c3cee5970 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java +@@ -0,0 +1,296 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. 
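Review bot: In `PBAMac2.testWith`, `macResult.equals(expectedMacResult)` dereferences a value that `computeMac` returns as `null` when the provider under test does not offer the algorithm, so a missing `HmacPBESHA*` service in SunPKCS11 surfaces as a NullPointerException instead of a failure that names the algorithm. `printByteArray` already tolerates the null, so the case was anticipated, but the comparison was not guarded. A check before the comparison keeps the failure readable: `if (macResult == null) throw new Exception(algorithm + " not available in " + sunPKCS11.getName());`. The null return itself should stay, because `computeExpectedMac` relies on it to fall back from SunJCE to `assertionData`.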
++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Field; ++import java.lang.reflect.Method; ++import java.math.BigInteger; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++ ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.PBEKeySpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test key derivation on SunPKCS11's SecretKeyFactory service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. 
++ * @modules java.base/com.sun.crypto.provider:open ++ * @run main/othervm/timeout=30 TestPBKD ++ */ ++ ++public final class TestPBKD { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ TestPBKD2.main(args); ++ } ++} ++ ++final class TestPBKD2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final int iterations = 1000; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ // Generated with SunJCE ++ private static final Map assertionData = ++ new HashMap<>() {{ ++ put("HmacPBESHA1", new BigInteger("5f7d1c360d1703cede76f47db" + ++ "2fa3facc62e7694", 16)); ++ put("HmacPBESHA224", new BigInteger("289563f799b708f522ab2a3" + ++ "8d283d0afa8fc1d3d227fcb9236c3a035", 16)); ++ put("HmacPBESHA256", new BigInteger("888defcf4ef37eb0647014a" + ++ "d172dd6fa3b3e9d024b962dba47608eea9b9c4b79", 16)); ++ put("HmacPBESHA384", new BigInteger("f5464b34253fadab8838d0d" + ++ "b11980c1787a99bf6f6304f2d8c942e30bada523494f9d5a0f3" + ++ "741e411de21add8b5718a8", 16)); ++ put("HmacPBESHA512", new BigInteger("18ae94337b132c68c611bc2" + ++ "e723ac24dcd44a46d900dae2dd6170380d4c34f90fef7bdeb5f" + ++ "6fddeb0d2230003e329b7a7eefcd35810d364ba95d31b68bb61" + ++ "e52", 16)); ++ put("PBEWithHmacSHA1AndAES_128", new BigInteger("fdb3dcc2e81" + ++ "244d4d56bf7ec8dd61dd7", 16)); ++ put("PBEWithHmacSHA224AndAES_128", new BigInteger("5ef9e5c6f" + ++ "df7c355f3b424233a9f24c2", 16)); ++ put("PBEWithHmacSHA256AndAES_128", new BigInteger("c5af597b0" + ++ "1b4f6baac8f62ff6f22bfb1", 16)); ++ put("PBEWithHmacSHA384AndAES_128", new BigInteger("c3208ebc5" + ++ "d6db88858988ec00153847d", 16)); ++ put("PBEWithHmacSHA512AndAES_128", new BigInteger("b27e8f7fb" + ++ "6a4bd5ebea892cd9a7f5043", 16)); ++ 
put("PBEWithHmacSHA1AndAES_256", new BigInteger("fdb3dcc2e81" + ++ "244d4d56bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2ccde" + ++ "98", 16)); ++ put("PBEWithHmacSHA224AndAES_256", new BigInteger("5ef9e5c6f" + ++ "df7c355f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8d" + ++ "f64d", 16)); ++ put("PBEWithHmacSHA256AndAES_256", new BigInteger("c5af597b0" + ++ "1b4f6baac8f62ff6f22bfb1f319c3278c8b31cc616294716d4e" + ++ "ab08", 16)); ++ put("PBEWithHmacSHA384AndAES_256", new BigInteger("c3208ebc5" + ++ "d6db88858988ec00153847d5b1b7a8723640a022dc332bcaefe" + ++ "b356", 16)); ++ put("PBEWithHmacSHA512AndAES_256", new BigInteger("b27e8f7fb" + ++ "6a4bd5ebea892cd9a7f5043cefff9c38b07e599721e8d116189" + ++ "5482", 16)); ++ put("PBKDF2WithHmacSHA1", new BigInteger("fdb3dcc2e81244d4d5" + ++ "6bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2cc", 16)); ++ put("PBKDF2WithHmacSHA224", new BigInteger("5ef9e5c6fdf7c355" + ++ "f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8df64d1a0" + ++ "736ec1c69eef1c7b2", 16)); ++ put("PBKDF2WithHmacSHA256", new BigInteger("c5af597b01b4f6ba" + ++ "ac8f62ff6f22bfb1f319c3278c8b31cc616294716d4eab080b9" + ++ "add9db34a42ceb2fea8d27adc00f4", 16)); ++ put("PBKDF2WithHmacSHA384", new BigInteger("c3208ebc5d6db888" + ++ "58988ec00153847d5b1b7a8723640a022dc332bcaefeb356995" + ++ "d076a949d35c42c7e1e1ca936c12f8dc918e497edf279a522b7" + ++ "c99580e2613846b3919af637da", 16)); ++ put("PBKDF2WithHmacSHA512", new BigInteger("b27e8f7fb6a4bd5e" + ++ "bea892cd9a7f5043cefff9c38b07e599721e8d1161895482da2" + ++ "55746844cc1030be37ba1969df10ff59554d1ac5468fa9b7297" + ++ "7bb7fd52103a0a7b488cdb8957616c3e23a16bca92120982180" + ++ "c6c11a4f14649b50d0ade3a", 16)); ++ }}; ++ ++ static interface AssertData { ++ BigInteger derive(String pbAlgo, PBEKeySpec keySpec) throws Exception; ++ } ++ ++ static final class P12PBKDAssertData implements AssertData { ++ private final int outLen; ++ private final String kdfAlgo; ++ private final int blockLen; ++ ++ P12PBKDAssertData(int outLen, String kdfAlgo, int 
blockLen) { ++ this.outLen = outLen; ++ this.kdfAlgo = kdfAlgo; ++ this.blockLen = blockLen; ++ } ++ ++ @Override ++ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) ++ throws Exception { ++ // Since we need to access an internal SunJCE API, we use reflection ++ Class PKCS12PBECipherCore = Class.forName( ++ "com.sun.crypto.provider.PKCS12PBECipherCore"); ++ ++ Field macKeyField = PKCS12PBECipherCore.getDeclaredField("MAC_KEY"); ++ macKeyField.setAccessible(true); ++ int MAC_KEY = (int) macKeyField.get(null); ++ ++ Method deriveMethod = PKCS12PBECipherCore.getDeclaredMethod( ++ "derive", char[].class, byte[].class, int.class, ++ int.class, int.class, String.class, int.class); ++ deriveMethod.setAccessible(true); ++ ++ return new BigInteger(1, (byte[]) deriveMethod.invoke(null, ++ keySpec.getPassword(), keySpec.getSalt(), ++ keySpec.getIterationCount(), this.outLen, ++ MAC_KEY, this.kdfAlgo, this.blockLen)); ++ } ++ } ++ ++ static final class PBKD2AssertData implements AssertData { ++ private final String kdfAlgo; ++ private final int keyLen; ++ ++ PBKD2AssertData(String kdfAlgo, int keyLen) { ++ // Key length is pinned by the algorithm name (not kdfAlgo, ++ // but the algorithm under test: PBEWithHmacSHA*AndAES_*) ++ this.kdfAlgo = kdfAlgo; ++ this.keyLen = keyLen; ++ } ++ ++ PBKD2AssertData(String kdfAlgo) { ++ // Key length is variable for the algorithm under test ++ // (kdfAlgo is the algorithm under test: PBKDF2WithHmacSHA*) ++ this(kdfAlgo, -1); ++ } ++ ++ @Override ++ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) ++ throws Exception { ++ if (this.keyLen != -1) { ++ keySpec = new PBEKeySpec( ++ keySpec.getPassword(), keySpec.getSalt(), ++ keySpec.getIterationCount(), this.keyLen); ++ } ++ if (sunJCE != null) { ++ try { ++ return new BigInteger(1, SecretKeyFactory.getInstance( ++ this.kdfAlgo, sunJCE).generateSecret(keySpec) ++ .getEncoded()); ++ } catch (NoSuchAlgorithmException e) { ++ // Move to assertionData as it's unlikely that any 
of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ } ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ return assertionData.get(pbAlgo); ++ } ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ testWith(sunPKCS11, "HmacPBESHA1", ++ new P12PBKDAssertData(20, "SHA-1", 64)); ++ testWith(sunPKCS11, "HmacPBESHA224", ++ new P12PBKDAssertData(28, "SHA-224", 64)); ++ testWith(sunPKCS11, "HmacPBESHA256", ++ new P12PBKDAssertData(32, "SHA-256", 64)); ++ testWith(sunPKCS11, "HmacPBESHA384", ++ new P12PBKDAssertData(48, "SHA-384", 128)); ++ testWith(sunPKCS11, "HmacPBESHA512", ++ new P12PBKDAssertData(64, "SHA-512", 128)); ++ ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA1", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA224", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA256", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA384", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA512", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA1", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA224", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA256", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA384", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA512", 256)); ++ ++ // Use 1,5 * digest size as the testing derived key length (in bits) ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA1", 240, ++ new PBKD2AssertData("PBKDF2WithHmacSHA1")); 
++ testWith(sunPKCS11, "PBKDF2WithHmacSHA224", 336, ++ new PBKD2AssertData("PBKDF2WithHmacSHA224")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA256", 384, ++ new PBKD2AssertData("PBKDF2WithHmacSHA256")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA384", 576, ++ new PBKD2AssertData("PBKDF2WithHmacSHA384")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA512", 768, ++ new PBKD2AssertData("PBKDF2WithHmacSHA512")); ++ ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ AssertData assertData) throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations); ++ testWith(sunPKCS11, algorithm, keySpec, assertData); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ int keyLen, AssertData assertData) throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, keyLen); ++ testWith(sunPKCS11, algorithm, keySpec, assertData); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ PBEKeySpec keySpec, AssertData assertData) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm); ++ ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance( ++ algorithm, sunPKCS11); ++ BigInteger derivedKey = new BigInteger(1, ++ skFac.generateSecret(keySpec).getEncoded()); ++ printByteArray("Derived Key", derivedKey); ++ ++ BigInteger expectedDerivedKey = assertData.derive(algorithm, keySpec); ++ ++ if (!derivedKey.equals(expectedDerivedKey)) { ++ printByteArray("Expected Derived Key", expectedDerivedKey); ++ throw new Exception("Expected Derived Key did not match"); ++ } ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? 
"buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ TestPBKD2 test = new TestPBKD2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
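Review bot: The five `HmacPBESHA*` entries in `assertionData` are never read, because `P12PBKDAssertData.derive` always obtains its expected value by reflection on `com.sun.crypto.provider.PKCS12PBECipherCore` and has no fallback; only `PBKD2AssertData.derive` consults the map. As written, the PKCS#12 derivation check has no stored known-answer path at all, and a failed reflective lookup aborts the test with a reflection exception rather than a comparison result. Either delete those entries or have `P12PBKDAssertData.derive` return `assertionData.get(pbAlgo)` when the reflective lookup fails, which is what the `// Generated with SunJCE` comment on the map suggests was intended.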
++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; 
++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. 
++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. 
++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = 
"NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? 
++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... 
args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
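Review bot: `escapeForPropsFile` reads code points but advances one `char` at a time: at a high surrogate `str.codePointAt(i)` returns the full supplementary code point, `%04X` then prints five or more hex digits that a `\uXXXX` escape cannot carry, and the next iteration escapes the low surrogate again. The current `PINS_TO_TEST` values stay inside the BMP, so nothing breaks today, but escaping per UTF-16 unit is correct for any input: `char c = str.charAt(i);`, then `sb.append(c);` in the BASIC_LATIN branch and `sb.append(String.format("\\u%04X", (int) c));` otherwise. A backslash in a PIN is BASIC_LATIN and passes through unescaped, which the properties parser would presumably read as an escape introducer, so it needs its own case if such PINs are ever added. `DEBUG` is also hard-coded to `true`, so every run prints the PIN values and sets `java.security.debug=sunpkcs11`; acceptable for these fixed test PINs, but worth a comment saying the flag must stay test-only.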
++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch b/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch new file mode 100644 index 0000000..5a5263a --- /dev/null +++ b/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch 
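Review bot: The jtreg header of `VerifyMissingAttributes` has no `@summary`, unlike the other tests added in this patch, and nothing in the file says why these attributes are checked. From the code, the test asserts that `Security.getProviders(filter)` returns exactly the SUN provider for each `ImplementedIn:Software` query and exactly SunRsaSign for the `KeyFactory.RSASSA-PSS SupportedKeyClasses` query. A header line such as `* @summary Check that the ImplementedIn and SupportedKeyClasses service attributes are matched by Security.getProviders filters` would document that. `doQuery` would also be easier to diagnose if its exception listed the providers actually returned rather than only the filter.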
@@ -0,0 +1,53 @@
+commit 1b3825db8631e55771fb723d4fcd10040ea15b7e
+Author: duke
+Date: Wed Apr 12 17:25:27 2023 +0000
+
+ Backport ec199072c5867624d66840238cc8828e16ae8da7
+
+diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 6f6e190efcd..ef278203182 100644
+--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -608,34 +608,6 @@ public final class ZoneInfoFile {
+ params[8] = endRule.secondOfDay * 1000;
+ params[9] = toSTZTime[endRule.timeDefinition];
+ dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000;
+-
+- // Note: known mismatching -> Asia/Amman
+- // ZoneInfo : startDayOfWeek=5 <= Thursday
+- // startTime=86400000 <= 24 hours
+- // This: startDayOfWeek=6
+- // startTime=0
+- // Similar workaround needs to be applied to Africa/Cairo and
+- // its endDayOfWeek and endTime
+- // Below is the workarounds, it probably slows down everyone a little
+- if (params[2] == 6 && params[3] == 0 &&
+- (zoneId.equals("Asia/Amman"))) {
+- params[2] = 5;
+- params[3] = 86400000;
+- }
+- // Additional check for startDayOfWeek=6 and starTime=86400000
+- // is needed for Asia/Amman;
+- if (params[2] == 7 && params[3] == 0 &&
+- (zoneId.equals("Asia/Amman"))) {
+- params[2] = 6; // Friday
+- params[3] = 86400000; // 24h
+- }
+- //endDayOfWeek and endTime workaround
+- if (params[7] == 6 && params[8] == 0 &&
+- (zoneId.equals("Africa/Cairo"))) {
+- params[7] = 5;
+- params[8] = 86400000;
+- }
+-
+ } else if (nTrans > 0) { // only do this if there is something in table already
+ if (lastyear < LASTYEAR) {
+ // ZoneInfo has an ending entry for 2037
+@@ -908,7 +880,6 @@ public final class ZoneInfoFile {
+ this.dow = dowByte == 0 ? -1 : dowByte;
+ this.secondOfDay = timeByte == 31 ? in.readInt() : timeByte * 3600;
+ this.timeDefinition = (data & (3 << 12)) >>> 12;
+-
+ this.standardOffset = stdByte == 255 ? in.readInt() : (stdByte - 128) * 900;
+ this.offsetBefore = beforeByte == 3 ? in.readInt() : standardOffset + beforeByte * 1800;
+ this.offsetAfter = afterByte == 3 ? in.readInt() : standardOffset + afterByte * 1800;
diff --git a/SOURCES/jdk8305113-tzdata2023c.patch b/SOURCES/jdk8305113-tzdata2023c.patch
new file mode 100644
index 0000000..6758dfd
--- /dev/null
+++ b/SOURCES/jdk8305113-tzdata2023c.patch
@@ -0,0 +1,1098 @@ +commit 9619cdb7b7f63f2d8a71d35c8672be93fd6255e9 +Author: Yoshiki Sato +Date: Wed Apr 5 01:19:00 2023 +0000 + + Backport ed9592c6e81f82e2bf6508ce45ba15aad8232181 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index 0f328a4a7ff..66bd061e8bc 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022g ++tzdata2023c +diff --git a/make/data/tzdata/africa b/make/data/tzdata/africa +index 830d7d10b7e..a73405fdb01 100644 +--- a/make/data/tzdata/africa ++++ b/make/data/tzdata/africa +@@ -344,6 +344,14 @@ Rule Egypt 2007 only - Sep Thu>=1 24:00 0 - + # From Mina Samuel (2016-07-04): + # Egyptian government took the decision to cancel the DST, + ++# From Ahmad ElDardiry (2023-03-01): ++# Egypt officially announced today that daylight savings will be ++# applied from last Friday of April to last Thursday of October. ++# From Paul Eggert (2023-03-01): ++# Assume transitions are at 00:00 and 24:00 respectively. ++# From Amir Adib (2023-03-07): ++# https://www.facebook.com/EgyptianCabinet/posts/638829614954129/ ++ + Rule Egypt 2008 only - Aug lastThu 24:00 0 - + Rule Egypt 2009 only - Aug 20 24:00 0 - + Rule Egypt 2010 only - Aug 10 24:00 0 - +@@ -353,6 +361,8 @@ Rule Egypt 2014 only - May 15 24:00 1:00 S + Rule Egypt 2014 only - Jun 26 24:00 0 - + Rule Egypt 2014 only - Jul 31 24:00 1:00 S + Rule Egypt 2014 only - Sep lastThu 24:00 0 - ++Rule Egypt 2023 max - Apr lastFri 0:00 1:00 S ++Rule Egypt 2023 max - Oct lastThu 24:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + #STDOFF 2:05:08.9 +@@ -452,7 +462,7 @@ Zone Africa/Nairobi 2:27:16 - LMT 1908 May + # President William R. Tolbert, Jr., July 23, 1971-July 31, 1972. + # Monrovia: Executive Mansion. 
+ # +-# Use the abbreviation "MMT" before 1972, as the more-accurate numeric ++# Use the abbreviation "MMT" before 1972, as the more accurate numeric + # abbreviation "-004430" would be one byte over the POSIX limit. + # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -589,8 +599,8 @@ Zone Africa/Tripoli 0:52:44 - LMT 1920 + # DST the coming summer... + # + # Some sources, in French: +-# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-%C2%AB-L%E2%80%99heure-d%E2%80%99%C3%A9t%C3%A9-ne-sera-pas-appliqu%C3%A9e-cette-ann%C3%A9e-%C2%BB +-# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints- ++# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-«-L%E2%80%99heure-d%E2%80%99été-ne-sera-pas-appliquée-cette-année-» ++# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-économie-d-énergie-de-l-heure-d-été-ont-été-atteints- + # + # Our wrap-up: + # https://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html +@@ -721,7 +731,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # More articles in the press + # https://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html + # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923 +-# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim ++# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT+1-a-partir-de-dim + + # From Petr Machata (2011-03-30): + # They have it written in English here: +@@ -736,7 +746,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # According to Infomédiaire web site from Morocco (infomediaire.ma), + # on March 9, 2012, (in French) Heure légale: + # Le Maroc adopte officiellement l'heure d'été +-# http://www.infomediaire.ma/news/maroc/heure-l%C3%A9gale-le-maroc-adopte-officiellement-lheure-d%C3%A9t%C3%A9 ++# http://www.infomediaire.ma/news/maroc/heure-légale-le-maroc-adopte-officiellement-lheure-dété + # Governing 
Council adopted draft decree, that Morocco DST starts on + # the last Sunday of March (March 25, 2012) and ends on + # last Sunday of September (September 30, 2012) +@@ -860,19 +870,28 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # Friday or Saturday (and so the 2 days off are on a weekend), the next time + # shift will be the next weekend. + # +-# From Paul Eggert (2020-05-31): ++# From Milamber (2021-03-31, 2022-03-10): ++# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 ++# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ ++# ++# From Milamber (2023-03-14, 2023-03-15): ++# The return to legal GMT time will take place this Sunday, March 19 at 3 a.m. ++# ... the return to GMT+1 will be made on Sunday April 23, 2023 at 2 a.m. ++# https://www.mmsp.gov.ma/fr/actualites/passage-à-l%E2%80%99heure-gmt-à-partir-du-dimanche-19-mars-2023 ++# ++# From Paul Eggert (2023-03-14): + # For now, guess that in the future Morocco will fall back at 03:00 + # the last Sunday before Ramadan, and spring forward at 02:00 the +-# first Sunday after two days after Ramadan. To implement this, ++# first Sunday after one day after Ramadan. To implement this, + # transition dates and times for 2019 through 2087 were determined by +-# running the following program under GNU Emacs 26.3. (This algorithm ++# running the following program under GNU Emacs 28.2. (This algorithm + # also produces the correct transition dates for 2016 through 2018, + # though the times differ due to Morocco's time zone change in 2018.) 
+ # (let ((islamic-year 1440)) + # (require 'cal-islam) + # (while (< islamic-year 1511) + # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) +-# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) + # (sunday 0)) + # (while (/= sunday (mod (setq a (1- a)) 7))) + # (while (/= sunday (mod b 7)) +@@ -886,10 +905,6 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) + # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) + # (setq islamic-year (+ 1 islamic-year)))) +-# +-# From Milamber (2021-03-31, 2022-03-10), confirming these predictions: +-# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 +-# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Morocco 1939 only - Sep 12 0:00 1:00 - +@@ -942,7 +957,7 @@ Rule Morocco 2021 only - May 16 2:00 0 - + Rule Morocco 2022 only - Mar 27 3:00 -1:00 - + Rule Morocco 2022 only - May 8 2:00 0 - + Rule Morocco 2023 only - Mar 19 3:00 -1:00 - +-Rule Morocco 2023 only - Apr 30 2:00 0 - ++Rule Morocco 2023 only - Apr 23 2:00 0 - + Rule Morocco 2024 only - Mar 10 3:00 -1:00 - + Rule Morocco 2024 only - Apr 14 2:00 0 - + Rule Morocco 2025 only - Feb 23 3:00 -1:00 - +@@ -958,7 +973,7 @@ Rule Morocco 2029 only - Feb 18 2:00 0 - + Rule Morocco 2029 only - Dec 30 3:00 -1:00 - + Rule Morocco 2030 only - Feb 10 2:00 0 - + Rule Morocco 2030 only - Dec 22 3:00 -1:00 - +-Rule Morocco 2031 only - Feb 2 2:00 0 - ++Rule Morocco 2031 only - Jan 26 2:00 0 - + Rule Morocco 2031 only - Dec 14 3:00 -1:00 - + Rule Morocco 2032 only - Jan 18 2:00 0 - + Rule Morocco 2032 only - Nov 28 3:00 -1:00 - +@@ -974,7 +989,7 @@ Rule Morocco 2036 only - Nov 23 2:00 0 - + Rule Morocco 2037 only - Oct 4 3:00 -1:00 - + Rule Morocco 2037 only - Nov 15 2:00 0 - + Rule Morocco 
2038 only - Sep 26 3:00 -1:00 - +-Rule Morocco 2038 only - Nov 7 2:00 0 - ++Rule Morocco 2038 only - Oct 31 2:00 0 - + Rule Morocco 2039 only - Sep 18 3:00 -1:00 - + Rule Morocco 2039 only - Oct 23 2:00 0 - + Rule Morocco 2040 only - Sep 2 3:00 -1:00 - +@@ -990,7 +1005,7 @@ Rule Morocco 2044 only - Aug 28 2:00 0 - + Rule Morocco 2045 only - Jul 9 3:00 -1:00 - + Rule Morocco 2045 only - Aug 20 2:00 0 - + Rule Morocco 2046 only - Jul 1 3:00 -1:00 - +-Rule Morocco 2046 only - Aug 12 2:00 0 - ++Rule Morocco 2046 only - Aug 5 2:00 0 - + Rule Morocco 2047 only - Jun 23 3:00 -1:00 - + Rule Morocco 2047 only - Jul 28 2:00 0 - + Rule Morocco 2048 only - Jun 7 3:00 -1:00 - +@@ -1006,7 +1021,7 @@ Rule Morocco 2052 only - Jun 2 2:00 0 - + Rule Morocco 2053 only - Apr 13 3:00 -1:00 - + Rule Morocco 2053 only - May 25 2:00 0 - + Rule Morocco 2054 only - Apr 5 3:00 -1:00 - +-Rule Morocco 2054 only - May 17 2:00 0 - ++Rule Morocco 2054 only - May 10 2:00 0 - + Rule Morocco 2055 only - Mar 28 3:00 -1:00 - + Rule Morocco 2055 only - May 2 2:00 0 - + Rule Morocco 2056 only - Mar 12 3:00 -1:00 - +@@ -1022,7 +1037,7 @@ Rule Morocco 2060 only - Mar 7 2:00 0 - + Rule Morocco 2061 only - Jan 16 3:00 -1:00 - + Rule Morocco 2061 only - Feb 27 2:00 0 - + Rule Morocco 2062 only - Jan 8 3:00 -1:00 - +-Rule Morocco 2062 only - Feb 19 2:00 0 - ++Rule Morocco 2062 only - Feb 12 2:00 0 - + Rule Morocco 2062 only - Dec 31 3:00 -1:00 - + Rule Morocco 2063 only - Feb 4 2:00 0 - + Rule Morocco 2063 only - Dec 16 3:00 -1:00 - +@@ -1038,7 +1053,7 @@ Rule Morocco 2067 only - Dec 11 2:00 0 - + Rule Morocco 2068 only - Oct 21 3:00 -1:00 - + Rule Morocco 2068 only - Dec 2 2:00 0 - + Rule Morocco 2069 only - Oct 13 3:00 -1:00 - +-Rule Morocco 2069 only - Nov 24 2:00 0 - ++Rule Morocco 2069 only - Nov 17 2:00 0 - + Rule Morocco 2070 only - Oct 5 3:00 -1:00 - + Rule Morocco 2070 only - Nov 9 2:00 0 - + Rule Morocco 2071 only - Sep 20 3:00 -1:00 - +@@ -1054,7 +1069,7 @@ Rule Morocco 2075 only - Sep 15 2:00 0 - 
+ Rule Morocco 2076 only - Jul 26 3:00 -1:00 - + Rule Morocco 2076 only - Sep 6 2:00 0 - + Rule Morocco 2077 only - Jul 18 3:00 -1:00 - +-Rule Morocco 2077 only - Aug 29 2:00 0 - ++Rule Morocco 2077 only - Aug 22 2:00 0 - + Rule Morocco 2078 only - Jul 10 3:00 -1:00 - + Rule Morocco 2078 only - Aug 14 2:00 0 - + Rule Morocco 2079 only - Jun 25 3:00 -1:00 - +@@ -1064,13 +1079,13 @@ Rule Morocco 2080 only - Jul 21 2:00 0 - + Rule Morocco 2081 only - Jun 1 3:00 -1:00 - + Rule Morocco 2081 only - Jul 13 2:00 0 - + Rule Morocco 2082 only - May 24 3:00 -1:00 - +-Rule Morocco 2082 only - Jul 5 2:00 0 - ++Rule Morocco 2082 only - Jun 28 2:00 0 - + Rule Morocco 2083 only - May 16 3:00 -1:00 - + Rule Morocco 2083 only - Jun 20 2:00 0 - + Rule Morocco 2084 only - Apr 30 3:00 -1:00 - + Rule Morocco 2084 only - Jun 11 2:00 0 - + Rule Morocco 2085 only - Apr 22 3:00 -1:00 - +-Rule Morocco 2085 only - Jun 3 2:00 0 - ++Rule Morocco 2085 only - May 27 2:00 0 - + Rule Morocco 2086 only - Apr 14 3:00 -1:00 - + Rule Morocco 2086 only - May 19 2:00 0 - + Rule Morocco 2087 only - Mar 30 3:00 -1:00 - +@@ -1213,15 +1228,15 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # From P Chan (2020-12-03): + # GMT was adopted as the standard time of Lagos on 1905-07-01. + # Lagos Weekly Record, 1905-06-24, p 3 +-# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235 ++# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446,5221,1931,1235 + # says "It is officially notified that on and after the 1st of July 1905 +-# Greenwich Mean Solar Time will be adopted thought the Colony and ++# Greenwich Mean Solar Time will be adopted throughout the Colony and + # Protectorate, and that it will be necessary to put all clocks 13 minutes and + # 35 seconds back, recording local mean time." + # + # It seemed that Lagos returned to LMT on 1908-07-01. 
+ # [The Lagos Standard], 1908-07-01, p 5 +-# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523 ++# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92,3590,3944,2523 + # says "Scarcely have the people become accustomed to this new time, when + # another official notice has now appeared announcing that from and after the + # 1st July next, return will be made to local mean time." +@@ -1233,7 +1248,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27 + # "On January 1st [1914], a universal standard time for Nigeria was adopted, + # viz., half an hour fast on Greenwich mean time, corresponding to the meridian +-# 7 [degrees] 30' E. long." ++# 7° 30' E. long." + # Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos + # was the local mean time. On 1st January, 1914, standard time for the whole of + # Nigeria was introduced ... Lagos time has been advanced about 16 minutes +@@ -1251,7 +1266,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first + # reading of this Bill by the Legislative Council of the Colony of Nigeria on + # Thursday 1919-08-28: +-# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915 ++# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261,3408,2994,1915 + # "The proposal is that the Globe should be divided into twelve zones East and + # West of Greenwich, of one hour each, Nigeria falling into the zone with a + # standard of one hour fast on Greenwich Mean Time. 
Nigeria standard time is +diff --git a/make/data/tzdata/antarctica b/make/data/tzdata/antarctica +index 792542b9224..3de5e726eb4 100644 +--- a/make/data/tzdata/antarctica ++++ b/make/data/tzdata/antarctica +@@ -315,7 +315,7 @@ Zone Antarctica/Rothera 0 - -00 1976 Dec 1 + # but that he found it more convenient to keep GMT+12 + # as supplies for the station were coming from McMurdo Sound, + # which was on GMT+12 because New Zealand was on GMT+12 all year +-# at that time (1957). (Source: Siple's book 90 Degrees South.) ++# at that time (1957). (Source: Siple's book 90° South.) + # + # From Susan Smith + # http://www.cybertours.com/whs/pole10.html +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index ff81978bc47..6a048c3ad28 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -2714,6 +2714,40 @@ Zone Asia/Pyongyang 8:23:00 - LMT 1908 Apr 1 + + + # Lebanon ++# ++# From Saadallah Itani (2023-03-23): ++# Lebanon ... announced today delay of Spring forward from March 25 to April 20. ++# ++# From Paul Eggert (2023-03-27): ++# This announcement was by the Lebanese caretaker prime minister Najib Mikati. ++# https://www.mtv.com.lb/en/News/Local/1352516/lebanon-postpones-daylight-saving-time-adoption ++# A video was later leaked to the media of parliament speaker Nabih Berri ++# asking Mikati to postpone DST to aid observance of Ramadan, Mikati objecting ++# that this would cause problems such as scheduling airline flights, to which ++# Berri interjected, "What flights?" ++# ++# The change was controversial and led to a partly-sectarian divide. ++# Many Lebanese institutions, including the education ministry, the Maronite ++# church, and two news channels LCBI and MTV, ignored the announcement and ++# went ahead with the long-scheduled spring-forward on March 25/26, some ++# arguing that the prime minister had not followed the law because the change ++# had not been approved by the cabinet. Google went with the announcement; ++# Apple ignored it. 
At least one bank followed the announcement for its doors, ++# but ignored the announcement in internal computer systems. ++# Beirut international airport listed two times for each departure. ++# Dan Azzi wrote "My view is that this whole thing is a Dumb and Dumber movie." ++# Eventually the prime minister backed down, said the cabinet had decided to ++# stick with its 1998 decision, and that DST would begin midnight March 29/30. ++# https://www.nna-leb.gov.lb/en/miscellaneous/604093/lebanon-has-two-times-of-day-amid-daylight-savings ++# https://www.cnbc.com/2023/03/27/lebanon-in-two-different-time-zones-as-government-disagrees-on-daylight-savings.html ++# ++# Although we could model the chaos with two Zones, that would likely cause ++# more trouble than it would cure. Since so many manual clocks and ++# computer-based timestamps ignored the announcement, stick with official ++# cabinet resolutions in the data while recording the prime minister's ++# announcement as a comment. This is how we treated a similar situation in ++# Rio de Janeiro in spring 1993. ++# + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Lebanon 1920 only - Mar 28 0:00 1:00 S + Rule Lebanon 1920 only - Oct 25 0:00 0 - +@@ -2739,6 +2773,10 @@ Rule Lebanon 1992 only - Oct 4 0:00 0 - + Rule Lebanon 1993 max - Mar lastSun 0:00 1:00 S + Rule Lebanon 1993 1998 - Sep lastSun 0:00 0 - + Rule Lebanon 1999 max - Oct lastSun 0:00 0 - ++# This one-time rule, announced by the prime minister first for April 21 ++# then for March 30, is commented out for reasons described above. ++#Rule Lebanon 2023 only - Mar 30 0:00 1:00 S ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Beirut 2:22:00 - LMT 1880 + 2:00 Lebanon EE%sT +@@ -2977,7 +3015,7 @@ Zone Asia/Kathmandu 5:41:16 - LMT 1920 + # 9pm and moving clocks forward by one hour for the next three months. ...." 
+ # + # http://www.worldtimezone.com/dst_news/dst_news_pakistan01.html +-# http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4 ++# http://www.dailytimes.com.pk/default.asp?page=2008\05\15\story_15-5-2008_pg1_4 + + # From Arthur David Olson (2008-05-19): + # XXX--midnight transitions is a guess; 2008 only is a guess. +@@ -3300,7 +3338,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # Some of many sources in Arabic: + # http://www.samanews.com/index.php?act=Show&id=122638 + # +-# http://safa.ps/details/news/74352/%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-%D8%A8%D8%A7%D9%84%D8%B6%D9%81%D8%A9-%D9%88%D8%BA%D8%B2%D8%A9-%D9%84%D9%8A%D9%84%D8%A9-%D8%A7%D9%84%D8%AC%D9%85%D8%B9%D8%A9.html ++# http://safa.ps/details/news/74352/بدء-التوقيت-الصيفي-بالضفة-وغزة-ليلة-الجمعة.html + # + # Our brief summary: + # https://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html +@@ -3310,7 +3348,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # time from midnight on Friday, March 29, 2013" (translated). + # [These are in Arabic and are for Gaza and for Ramallah, respectively.] + # http://www.samanews.com/index.php?act=Show&id=154120 +-# http://safa.ps/details/news/99844/%D8%B1%D8%A7%D9%85-%D8%A7%D9%84%D9%84%D9%87-%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-29-%D8%A7%D9%84%D8%AC%D8%A7%D8%B1%D9%8A.html ++# http://safa.ps/details/news/99844/رام-الله-بدء-التوقيت-الصيفي-29-الجاري.html + + # From Steffen Thorsen (2013-09-24): + # The Gaza and West Bank are ending DST Thursday at midnight +@@ -3408,9 +3446,41 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # (2022-08-31): ... the Saturday before the last Sunday in March and October + # at 2:00 AM ,for the years from 2023 to 2026. + # (2022-09-05): https://mtit.pna.ps/Site/New/1453 +-# +-# From Paul Eggert (2022-08-31): +-# For now, assume that this rule will also be used after 2026. 
++ ++# From Heba Hamad (2023-03-22): ++# ... summer time will begin in Palestine from Saturday 04-29-2023, ++# 02:00 AM by 60 minutes forward. ++# ++# From Paul Eggert (2023-03-22): ++# For now, guess that spring and fall transitions will normally ++# continue to use 2022's rules, that during DST Palestine will switch ++# to standard time at 02:00 the last Saturday before Ramadan and back ++# to DST at 02:00 the first Saturday after Ramadan, and that ++# if the normal spring-forward or fall-back transition occurs during ++# Ramadan the former is delayed and the latter advanced. ++# To implement this, I predicted Ramadan-oriented transition dates for ++# 2023 through 2086 by running the following program under GNU Emacs 28.2, ++# with the results integrated by hand into the table below. ++# Predictions after 2086 are approximated without Ramadan. ++# ++# (let ((islamic-year 1444)) ++# (require 'cal-islam) ++# (while (< islamic-year 1510) ++# (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) ++# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (saturday 6)) ++# (while (/= saturday (mod (setq a (1- a)) 7))) ++# (while (/= saturday (mod b 7)) ++# (setq b (1+ b))) ++# (setq a (calendar-gregorian-from-absolute a)) ++# (setq b (calendar-gregorian-from-absolute b)) ++# (insert ++# (format ++# (concat "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t0\t-\n" ++# "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t1:00\tS\n") ++# (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) ++# (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) ++# (setq islamic-year (+ 1 islamic-year)))) + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S +@@ -3450,8 +3520,86 @@ Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - + Rule Palestine 2021 only - Oct 29 1:00 0 - + Rule Palestine 2022 only - Mar 27 0:00 1:00 S +-Rule Palestine 2022 max - Oct 
Sat<=30 2:00 0 - +-Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2022 2035 - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 only - Apr 29 2:00 1:00 S ++Rule Palestine 2024 only - Apr 13 2:00 1:00 S ++Rule Palestine 2025 only - Apr 5 2:00 1:00 S ++Rule Palestine 2026 2054 - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2036 only - Oct 18 2:00 0 - ++Rule Palestine 2037 only - Oct 10 2:00 0 - ++Rule Palestine 2038 only - Sep 25 2:00 0 - ++Rule Palestine 2039 only - Sep 17 2:00 0 - ++Rule Palestine 2039 only - Oct 22 2:00 1:00 S ++Rule Palestine 2039 2067 - Oct Sat<=30 2:00 0 - ++Rule Palestine 2040 only - Sep 1 2:00 0 - ++Rule Palestine 2040 only - Oct 13 2:00 1:00 S ++Rule Palestine 2041 only - Aug 24 2:00 0 - ++Rule Palestine 2041 only - Sep 28 2:00 1:00 S ++Rule Palestine 2042 only - Aug 16 2:00 0 - ++Rule Palestine 2042 only - Sep 20 2:00 1:00 S ++Rule Palestine 2043 only - Aug 1 2:00 0 - ++Rule Palestine 2043 only - Sep 12 2:00 1:00 S ++Rule Palestine 2044 only - Jul 23 2:00 0 - ++Rule Palestine 2044 only - Aug 27 2:00 1:00 S ++Rule Palestine 2045 only - Jul 15 2:00 0 - ++Rule Palestine 2045 only - Aug 19 2:00 1:00 S ++Rule Palestine 2046 only - Jun 30 2:00 0 - ++Rule Palestine 2046 only - Aug 11 2:00 1:00 S ++Rule Palestine 2047 only - Jun 22 2:00 0 - ++Rule Palestine 2047 only - Jul 27 2:00 1:00 S ++Rule Palestine 2048 only - Jun 6 2:00 0 - ++Rule Palestine 2048 only - Jul 18 2:00 1:00 S ++Rule Palestine 2049 only - May 29 2:00 0 - ++Rule Palestine 2049 only - Jul 3 2:00 1:00 S ++Rule Palestine 2050 only - May 21 2:00 0 - ++Rule Palestine 2050 only - Jun 25 2:00 1:00 S ++Rule Palestine 2051 only - May 6 2:00 0 - ++Rule Palestine 2051 only - Jun 17 2:00 1:00 S ++Rule Palestine 2052 only - Apr 27 2:00 0 - ++Rule Palestine 2052 only - Jun 1 2:00 1:00 S ++Rule Palestine 2053 only - Apr 12 2:00 0 - ++Rule Palestine 2053 only - May 24 2:00 1:00 S ++Rule Palestine 2054 only - Apr 4 2:00 0 - ++Rule Palestine 2054 only - May 16 2:00 1:00 S ++Rule Palestine 
2055 only - May 1 2:00 1:00 S ++Rule Palestine 2056 only - Apr 22 2:00 1:00 S ++Rule Palestine 2057 only - Apr 7 2:00 1:00 S ++Rule Palestine 2058 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2068 only - Oct 20 2:00 0 - ++Rule Palestine 2069 only - Oct 12 2:00 0 - ++Rule Palestine 2070 only - Oct 4 2:00 0 - ++Rule Palestine 2071 only - Sep 19 2:00 0 - ++Rule Palestine 2072 only - Sep 10 2:00 0 - ++Rule Palestine 2072 only - Oct 15 2:00 1:00 S ++Rule Palestine 2073 only - Sep 2 2:00 0 - ++Rule Palestine 2073 only - Oct 7 2:00 1:00 S ++Rule Palestine 2074 only - Aug 18 2:00 0 - ++Rule Palestine 2074 only - Sep 29 2:00 1:00 S ++Rule Palestine 2075 only - Aug 10 2:00 0 - ++Rule Palestine 2075 only - Sep 14 2:00 1:00 S ++Rule Palestine 2075 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2076 only - Jul 25 2:00 0 - ++Rule Palestine 2076 only - Sep 5 2:00 1:00 S ++Rule Palestine 2077 only - Jul 17 2:00 0 - ++Rule Palestine 2077 only - Aug 28 2:00 1:00 S ++Rule Palestine 2078 only - Jul 9 2:00 0 - ++Rule Palestine 2078 only - Aug 13 2:00 1:00 S ++Rule Palestine 2079 only - Jun 24 2:00 0 - ++Rule Palestine 2079 only - Aug 5 2:00 1:00 S ++Rule Palestine 2080 only - Jun 15 2:00 0 - ++Rule Palestine 2080 only - Jul 20 2:00 1:00 S ++Rule Palestine 2081 only - Jun 7 2:00 0 - ++Rule Palestine 2081 only - Jul 12 2:00 1:00 S ++Rule Palestine 2082 only - May 23 2:00 0 - ++Rule Palestine 2082 only - Jul 4 2:00 1:00 S ++Rule Palestine 2083 only - May 15 2:00 0 - ++Rule Palestine 2083 only - Jun 19 2:00 1:00 S ++Rule Palestine 2084 only - Apr 29 2:00 0 - ++Rule Palestine 2084 only - Jun 10 2:00 1:00 S ++Rule Palestine 2085 only - Apr 21 2:00 0 - ++Rule Palestine 2085 only - Jun 2 2:00 1:00 S ++Rule Palestine 2086 only - Apr 13 2:00 0 - ++Rule Palestine 2086 only - May 18 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +@@ -3655,7 +3803,7 @@ Zone Asia/Singapore 6:55:25 - LMT 1901 Jan 1 + # standard time is SLST. 
+ # + # From Paul Eggert (2016-10-18): +-# "SLST" seems to be reasonably recent and rarely-used outside time ++# "SLST" seems to be reasonably recent and rarely used outside time + # zone nerd sources. I searched Google News and found three uses of + # it in the International Business Times of India in February and + # March of this year when discussing cricket match times, but nothing +diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia +index fbe3b8a6d72..893d7055eab 100644 +--- a/make/data/tzdata/australasia ++++ b/make/data/tzdata/australasia +@@ -346,7 +346,7 @@ Zone Antarctica/Macquarie 0 - -00 1899 Nov + + # From Steffen Thorsen (2013-01-10): + # Fiji will end DST on 2014-01-19 02:00: +-# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-%281%29.aspx ++# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-(1).aspx + + # From Ken Rylander (2014-10-20): + # DST will start Nov. 2 this year. +@@ -746,7 +746,7 @@ Zone Pacific/Pago_Pago 12:37:12 - LMT 1892 Jul 5 + # + # Samoa's Daylight Saving Time Act 2009 is available here, but does not + # contain any dates: +-# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20%28English%29%20-%20Final%207-7-091.pdf ++# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20(English)%20-%20Final%207-7-091.pdf + + # From Laupue Raymond Hughes (2010-10-07): + # Please see +@@ -1831,7 +1831,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # period. It would probably be reasonable to assume Guam use GMT+9 during + # that period of time like the surrounding area. + +-# From Paul Eggert (2018-11-18): ++# From Paul Eggert (2023-01-23): + # Howse writes (p 153) "The Spaniards, on the other hand, reached the + # Philippines and the Ladrones from America," and implies that the Ladrones + # (now called the Marianas) kept American date for quite some time. 
+@@ -1844,7 +1844,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # they did as that avoids the need for a separate zone due to our 1970 cutoff. + # + # US Public Law 106-564 (2000-12-23) made UT +10 the official standard time, +-# under the name "Chamorro Standard Time". There is no official abbreviation, ++# under the name "Chamorro standard time". There is no official abbreviation, + # but Congressman Robert A. Underwood, author of the bill that became law, + # wrote in a press release (2000-12-27) that he will seek the use of "ChST". + +@@ -2222,24 +2222,18 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # an international standard, there are some places on the high seas where the + # correct date is ambiguous. + +-# From Wikipedia (2005-08-31): +-# Before 1920, all ships kept local apparent time on the high seas by setting +-# their clocks at night or at the morning sight so that, given the ship's +-# speed and direction, it would be 12 o'clock when the Sun crossed the ship's +-# meridian (12 o'clock = local apparent noon). During 1917, at the +-# Anglo-French Conference on Time-keeping at Sea, it was recommended that all +-# ships, both military and civilian, should adopt hourly standard time zones +-# on the high seas. Whenever a ship was within the territorial waters of any +-# nation it would use that nation's standard time. The captain was permitted +-# to change his ship's clocks at a time of his choice following his ship's +-# entry into another zone time - he often chose midnight. These zones were +-# adopted by all major fleets between 1920 and 1925 but not by many +-# independent merchant ships until World War II. 
+- +-# From Paul Eggert, using references suggested by Oscar van Vlijmen +-# (2005-03-20): +-# +-# The American Practical Navigator (2002) +-# http://pollux.nss.nima.mil/pubs/pubs_j_apn_sections.html?rid=187 +-# talks only about the 180-degree meridian with respect to ships in +-# international waters; it ignores the international date line. ++# From Wikipedia (2023-01-23): ++# The nautical time zone system is analogous to the terrestrial time zone ++# system for use on high seas. Under the system time changes are required for ++# changes of longitude in one-hour steps. The one-hour step corresponds to a ++# time zone width of 15° longitude. The 15° gore that is offset from GMT or ++# UT1 (not UTC) by twelve hours is bisected by the nautical date line into two ++# 7°30' gores that differ from GMT by ±12 hours. A nautical date line is ++# implied but not explicitly drawn on time zone maps. It follows the 180th ++# meridian except where it is interrupted by territorial waters adjacent to ++# land, forming gaps: it is a pole-to-pole dashed line. ++ ++# From Paul Eggert (2023-01-23): ++# The American Practical Navigator , ++# 2019 edition, merely says that the International Date Line ++# "coincides with the 180th meridian over most of its length." 
+diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward +index fa44f655009..c0746d6dd1b 100644 +--- a/make/data/tzdata/backward ++++ b/make/data/tzdata/backward +@@ -297,6 +297,7 @@ Link America/Argentina/Cordoba America/Rosario + Link America/Tijuana America/Santa_Isabel + Link America/Denver America/Shiprock + Link America/Toronto America/Thunder_Bay ++Link America/Edmonton America/Yellowknife + Link Pacific/Auckland Antarctica/South_Pole + Link Asia/Shanghai Asia/Chongqing + Link Asia/Shanghai Asia/Harbin +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index acc5da3ec79..446d2e1e658 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -540,9 +540,7 @@ Zone Europe/London -0:01:15 - LMT 1847 Dec 1 + # other form with a traditional approximation for Irish timestamps + # after 1971-10-31 02:00 UTC; although this approximation has tm_isdst + # flags that are reversed, its UTC offsets are correct and this often +-# suffices. This source file currently uses only nonnegative SAVE +-# values, but this is intended to change and downstream code should +-# not rely on it. ++# suffices.... + # + # The following is like GB-Eire and EU, except with standard time in + # summer and negative daylight saving time in winter. It is for when +@@ -1136,19 +1134,18 @@ Zone Atlantic/Faroe -0:27:04 - LMT 1908 Jan 11 # Tórshavn + # + # From Jürgen Appel (2022-11-25): + # https://ina.gl/samlinger/oversigt-over-samlinger/samling/dagsordener/dagsorden.aspx?lang=da&day=24-11-2022 +-# If I understand this correctly, from the next planned switch to +-# summer time, Greenland will permanently stay at that time, i.e. no +-# switch back to winter time in 2023 will occur. 
+-# +-# From Paul Eggert (2022-11-28): +-# The official document in Danish +-# https://naalakkersuisut.gl/-/media/naalakkersuisut/filer/kundgoerelser/2022/11/2511/31_da_inatsisartutlov-om-tidens-bestemmelse.pdf?la=da&hash=A33597D8A38CC7038465241119EF34F3 +-# says standard time for Greenland is -02, that Naalakkersuisut can lay down +-# rules for DST and can require some areas to use a different time zone, +-# and that this all takes effect 2023-03-25 22:00. The abovementioned +-# "bekymringer" URL says the intent is no transition March 25, that +-# Greenland will not go back to winter time in fall 2023, and that +-# only America/Nuuk is affected (though further changes may occur). ++# ++# From Thomas M. Steenholdt (2022-12-02): ++# - The bill to move America/Nuuk from UTC-03 to UTC-02 passed. ++# - The bill to stop observing DST did not (Greenland will stop observing DST ++# when EU does). ++# Details on the implementation are here (section 6): ++# https://ina.gl/dvd/EM%202022/pdf/media/2553529/pkt17_em2022_tidens_bestemmelse_bem_da.pdf ++# This is how the change will be implemented: ++# 1. The shift *to* DST in 2023 happens as normal. ++# 2. The shift *from* DST in 2023 happens as normal, but coincides with the ++# shift to UTC-02 normaltime (people will not change their clocks here). ++# 3. After this, DST is still observed, but as -02/-01 instead of -03/-02. 
+ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D +@@ -1172,8 +1169,8 @@ Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit + -1:00 EU -01/+00 + Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb + -3:00 - -03 1980 Apr 6 2:00 +- -3:00 EU -03/-02 2023 Mar 25 22:00 +- -2:00 - -02 ++ -3:00 EU -03/-02 2023 Oct 29 1:00u ++ -2:00 EU -02/-01 + Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik + -4:00 Thule A%sT + +@@ -1509,9 +1506,9 @@ Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16 + Rule Germany 1946 only - Apr 14 2:00s 1:00 S + Rule Germany 1946 only - Oct 7 2:00s 0 - + Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 - +-# http://www.ptb.de/de/org/4/44/441/salt.htm says the following transition +-# occurred at 3:00 MEZ, not the 2:00 MEZ given in Shanks & Pottenger. +-# Go with the PTB. ++# https://www.ptb.de/cms/en/ptb/fachabteilungen/abt4/fb-44/ag-441/realisation-of-legal-time-in-germany/dst-and-midsummer-dst-in-germany-until-1979.html ++# says the following transition occurred at 3:00 MEZ, not the 2:00 MEZ ++# given in Shanks & Pottenger. Go with the PTB. + Rule Germany 1947 only - Apr 6 3:00s 1:00 S + Rule Germany 1947 only - May 11 2:00s 2:00 M + Rule Germany 1947 only - Jun 29 3:00 1:00 S +@@ -2272,7 +2269,7 @@ Zone Europe/Bucharest 1:44:24 - LMT 1891 Oct + # the State Duma has approved ... the draft bill on returning to + # winter time standard and return Russia 11 time zones. The new + # regulations will come into effect on October 26, 2014 at 02:00 ... 
+-# http://asozd2.duma.gov.ru/main.nsf/%28Spravka%29?OpenAgent&RN=431985-6&02 ++# http://asozd2.duma.gov.ru/main.nsf/(Spravka)?OpenAgent&RN=431985-6&02 + # Here is a link where we put together table (based on approved Bill N + # 431985-6) with proposed 11 Russian time zones and corresponding + # areas/cities/administrative centers in the Russian Federation (in English): +@@ -2682,13 +2679,13 @@ Zone Europe/Volgograd 2:57:40 - LMT 1920 Jan 3 + 3:00 - +03 1930 Jun 21 + 4:00 - +04 1961 Nov 11 + 4:00 Russia +04/+05 1988 Mar 27 2:00s +- 3:00 Russia +03/+04 1991 Mar 31 2:00s ++ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s + 4:00 - +04 1992 Mar 29 2:00s +- 3:00 Russia +03/+04 2011 Mar 27 2:00s +- 4:00 - +04 2014 Oct 26 2:00s +- 3:00 - +03 2018 Oct 28 2:00s ++ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s ++ 4:00 - MSK 2014 Oct 26 2:00s ++ 3:00 - MSK 2018 Oct 28 2:00s + 4:00 - +04 2020 Dec 27 2:00s +- 3:00 - +03 ++ 3:00 - MSK + + # From Paul Eggert (2016-11-11): + # Europe/Saratov covers: +@@ -2719,11 +2716,11 @@ Zone Europe/Saratov 3:04:18 - LMT 1919 Jul 1 0:00u + Zone Europe/Kirov 3:18:48 - LMT 1919 Jul 1 0:00u + 3:00 - +03 1930 Jun 21 + 4:00 Russia +04/+05 1989 Mar 26 2:00s +- 3:00 Russia +03/+04 1991 Mar 31 2:00s ++ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s + 4:00 - +04 1992 Mar 29 2:00s +- 3:00 Russia +03/+04 2011 Mar 27 2:00s +- 4:00 - +04 2014 Oct 26 2:00s +- 3:00 - +03 ++ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s ++ 4:00 - MSK 2014 Oct 26 2:00s ++ 3:00 - MSK + + # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25): + # Europe/Samara covers... +diff --git a/make/data/tzdata/iso3166.tab b/make/data/tzdata/iso3166.tab +index fbfb74bec45..cea17732dd1 100644 +--- a/make/data/tzdata/iso3166.tab ++++ b/make/data/tzdata/iso3166.tab +@@ -261,7 +261,7 @@ SY Syria + SZ Eswatini (Swaziland) + TC Turks & Caicos Is + TD Chad +-TF French Southern Territories ++TF French S. Terr. 
+ TG Togo + TH Thailand + TJ Tajikistan +diff --git a/make/data/tzdata/leapseconds b/make/data/tzdata/leapseconds +index d6fb840f512..89ce8b89cd2 100644 +--- a/make/data/tzdata/leapseconds ++++ b/make/data/tzdata/leapseconds +@@ -95,11 +95,11 @@ Leap 2016 Dec 31 23:59:60 + S + # Any additional leap seconds will come after this. + # This Expires line is commented out for now, + # so that pre-2020a zic implementations do not reject this file. +-#Expires 2023 Jun 28 00:00:00 ++#Expires 2023 Dec 28 00:00:00 + + # POSIX timestamps for the data in this file: + #updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1687910400 (2023-06-28 00:00:00 UTC) ++#expires 1703721600 (2023-12-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C64 +-# File expires on: 28 June 2023 ++# Updated through IERS Bulletin C65 ++# File expires on: 28 December 2023 +diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica +index a5fd701f88c..e240cf35103 100644 +--- a/make/data/tzdata/northamerica ++++ b/make/data/tzdata/northamerica +@@ -1,4 +1,3 @@ +-# + # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + # + # This code is free software; you can redistribute it and/or modify it +@@ -299,9 +298,10 @@ Zone PST8PDT -8:00 US P%sT + # -10 Standard Alaska Time (AST) Alaska-Hawaii standard time (AHST) + # -11 (unofficial) Nome (NST) Bering standard time (BST) + # +-# From Paul Eggert (2000-01-08), following a heads-up from Rives McDow: +-# Public law 106-564 (2000-12-23) introduced ... "Chamorro Standard Time" ++# From Paul Eggert (2023-01-23), from a 2001-01-08 heads-up from Rives McDow: ++# Public law 106-564 (2000-12-23) introduced "Chamorro standard time" + # for time in Guam and the Northern Marianas. See the file "australasia". ++# Also see 15 U.S.C. §263 . 
+ # + # From Paul Eggert (2015-04-17): + # HST and HDT are standardized abbreviations for Hawaii-Aleutian +@@ -618,7 +618,7 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + # local times of other Alaskan locations so that they change simultaneously. + + # From Paul Eggert (2014-07-18): +-# One opinion of the early-1980s turmoil in Alaska over time zones and ++# One opinion of the early 1980s turmoil in Alaska over time zones and + # daylight saving time appeared as graffiti on a Juneau airport wall: + # "Welcome to Juneau. Please turn your watch back to the 19th century." + # See: Turner W. Alaska's four time zones now two. NY Times 1983-11-01. +@@ -690,6 +690,10 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + # So they won't be waiting for Alaska to join them on 2019-03-10, but will + # rather change their clocks twice in seven weeks. + ++# From Paul Eggert (2023-01-23): ++# America/Adak is for the Aleutian Islands that are part of Alaska ++# and are west of 169.5° W. ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone America/Juneau 15:02:19 - LMT 1867 Oct 19 15:33:32 + -8:57:41 - LMT 1900 Aug 20 12:00 +@@ -2148,10 +2152,6 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 + # Nunavut ... moved ... to incorporate the whole territory into one time zone. + # Nunavut moves to single time zone Oct. 31 + # http://www.nunatsiaq.com/nunavut/nvt90903_13.html +-# +-# From Antoine Leca (1999-09-06): +-# We then need to create a new timezone for the Kitikmeot region of Nunavut +-# to differentiate it from the Yellowknife region. + + # From Paul Eggert (1999-09-20): + # Basic Facts: The New Territory +@@ -2345,9 +2345,6 @@ Zone America/Cambridge_Bay 0 - -00 1920 # trading post est.? + -5:00 - EST 2000 Nov 5 0:00 + -6:00 - CST 2001 Apr 1 3:00 + -7:00 Canada M%sT +-Zone America/Yellowknife 0 - -00 1935 # Yellowknife founded? 
+- -7:00 NT_YK M%sT 1980 +- -7:00 Canada M%sT + Zone America/Inuvik 0 - -00 1953 # Inuvik founded + -8:00 NT_YK P%sT 1979 Apr lastSun 2:00 + -7:00 NT_YK M%sT 1980 +@@ -2584,7 +2581,7 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # and in addition changes all of Chihuahua to -06 with no DST. + + # From Heitor David Pinto (2022-11-28): +-# Now the northern municipalities want to have the same time zone as the ++# Now the northern [municipios] want to have the same time zone as the + # respective neighboring cities in the US, for example Juárez in UTC-7 with + # DST, matching El Paso, and Ojinaga in UTC-6 with DST, matching Presidio.... + # the president authorized the publication of the decree for November 29, +@@ -2621,7 +2618,7 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT + # Coahuila, Nuevo León, Tamaulipas (near US border) +-# This includes the following municipalities: ++# This includes the following municipios: + # in Coahuila: Acuña, Allende, Guerrero, Hidalgo, Jiménez, Morelos, Nava, + # Ocampo, Piedras Negras, Villa Unión, Zaragoza + # in Nuevo León: Anáhuac +@@ -2647,8 +2644,8 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -6:00 - CST 2002 Feb 20 + -6:00 Mexico C%sT + # Chihuahua (near US border - western side) +-# This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, +-# and Práxedis G Guerrero. ++# This includes the municipios of Janos, Ascensión, Juárez, Guadalupe, and ++# Práxedis G Guerrero. + # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf + Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 +@@ -2662,7 +2659,8 @@ Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u + -6:00 - CST 2022 Nov 30 0:00 + -7:00 US M%sT + # Chihuahua (near US border - eastern side) +-# The municipalities of Coyame del Sotol, Ojinaga, and Manuel Benavides. 
++# This includes the municipios of Coyame del Sotol, Ojinaga, and Manuel ++# Benavides. + # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf + Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 +@@ -3083,7 +3081,7 @@ Zone America/Costa_Rica -5:36:13 - LMT 1890 # San José + # + # He supplied these references: + # +-# http://www.prensalatina.com.mx/article.asp?ID=%7B4CC32C1B-A9F7-42FB-8A07-8631AFC923AF%7D&language=ES ++# http://www.prensalatina.com.mx/article.asp?ID={4CC32C1B-A9F7-42FB-8A07-8631AFC923AF}&language=ES + # http://actualidad.terra.es/sociedad/articulo/cuba_llama_ahorrar_energia_cambio_1957044.htm + # + # From Alex Krivenyshev (2007-10-25): +diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica +index 81fdd793df4..4024e7180cd 100644 +--- a/make/data/tzdata/southamerica ++++ b/make/data/tzdata/southamerica +@@ -231,7 +231,7 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 - + # Hora de verano para la República Argentina + # http://buenasiembra.com.ar/esoterismo/astrologia/hora-de-verano-de-la-republica-argentina-27.html + # says that standard time in Argentina from 1894-10-31 +-# to 1920-05-01 was -4:16:48.25. Go with this more-precise value ++# to 1920-05-01 was -4:16:48.25. Go with this more precise value + # over Shanks & Pottenger. It is upward compatible with Milne, who + # says Córdoba time was -4:16:48.2. 
+ +diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab +index 939432d3456..3edb0d61c80 100644 +--- a/make/data/tzdata/zone.tab ++++ b/make/data/tzdata/zone.tab +@@ -144,9 +144,8 @@ CA +744144-0944945 America/Resolute Central - NU (Resolute) + CA +624900-0920459 America/Rankin_Inlet Central - NU (central) + CA +5024-10439 America/Regina CST - SK (most areas) + CA +5017-10750 America/Swift_Current CST - SK (midwest) +-CA +5333-11328 America/Edmonton Mountain - AB; BC (E); SK (W) ++CA +5333-11328 America/Edmonton Mountain - AB; BC (E); NT (E); SK (W) + CA +690650-1050310 America/Cambridge_Bay Mountain - NU (west) +-CA +6227-11421 America/Yellowknife Mountain - NT (central) + CA +682059-1334300 America/Inuvik Mountain - NT (west) + CA +4906-11631 America/Creston MST - BC (Creston) + CA +5546-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) +@@ -162,7 +161,7 @@ CG -0416+01517 Africa/Brazzaville + CH +4723+00832 Europe/Zurich + CI +0519-00402 Africa/Abidjan + CK -2114-15946 Pacific/Rarotonga +-CL -3327-07040 America/Santiago Chile (most areas) ++CL -3327-07040 America/Santiago most of Chile + CL -5309-07055 America/Punta_Arenas Region of Magallanes + CL -2709-10926 Pacific/Easter Easter Island + CM +0403+00942 Africa/Douala +@@ -174,10 +173,10 @@ CU +2308-08222 America/Havana + CV +1455-02331 Atlantic/Cape_Verde + CW +1211-06900 America/Curacao + CX -1025+10543 Indian/Christmas +-CY +3510+03322 Asia/Nicosia Cyprus (most areas) ++CY +3510+03322 Asia/Nicosia most of Cyprus + CY +3507+03357 Asia/Famagusta Northern Cyprus + CZ +5005+01426 Europe/Prague +-DE +5230+01322 Europe/Berlin Germany (most areas) ++DE +5230+01322 Europe/Berlin most of Germany + DE +4742+00841 Europe/Busingen Busingen + DJ +1136+04309 Africa/Djibouti + DK +5540+01235 Europe/Copenhagen +@@ -210,7 +209,7 @@ GF +0456-05220 America/Cayenne + GG +492717-0023210 Europe/Guernsey + GH +0533-00013 Africa/Accra + GI +3608-00521 Europe/Gibraltar +-GL +6411-05144 America/Nuuk Greenland 
(most areas) ++GL +6411-05144 America/Nuuk most of Greenland + GL +7646-01840 America/Danmarkshavn National Park (east coast) + GL +7029-02158 America/Scoresbysund Scoresbysund/Ittoqqortoormiit + GL +7634-06847 America/Thule Thule/Pituffik +@@ -258,7 +257,7 @@ KP +3901+12545 Asia/Pyongyang + KR +3733+12658 Asia/Seoul + KW +2920+04759 Asia/Kuwait + KY +1918-08123 America/Cayman +-KZ +4315+07657 Asia/Almaty Kazakhstan (most areas) ++KZ +4315+07657 Asia/Almaty most of Kazakhstan + KZ +4448+06528 Asia/Qyzylorda Qyzylorda/Kyzylorda/Kzyl-Orda + KZ +5312+06337 Asia/Qostanay Qostanay/Kostanay/Kustanay + KZ +5017+05710 Asia/Aqtobe Aqtobe/Aktobe +@@ -282,12 +281,12 @@ MD +4700+02850 Europe/Chisinau + ME +4226+01916 Europe/Podgorica + MF +1804-06305 America/Marigot + MG -1855+04731 Indian/Antananarivo +-MH +0709+17112 Pacific/Majuro Marshall Islands (most areas) ++MH +0709+17112 Pacific/Majuro most of Marshall Islands + MH +0905+16720 Pacific/Kwajalein Kwajalein + MK +4159+02126 Europe/Skopje + ML +1239-00800 Africa/Bamako + MM +1647+09610 Asia/Yangon +-MN +4755+10653 Asia/Ulaanbaatar Mongolia (most areas) ++MN +4755+10653 Asia/Ulaanbaatar most of Mongolia + MN +4801+09139 Asia/Hovd Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan + MN +4804+11430 Asia/Choibalsan Dornod, Sukhbaatar + MO +221150+1133230 Asia/Macau +@@ -325,7 +324,7 @@ NO +5955+01045 Europe/Oslo + NP +2743+08519 Asia/Kathmandu + NR -0031+16655 Pacific/Nauru + NU -1901-16955 Pacific/Niue +-NZ -3652+17446 Pacific/Auckland New Zealand (most areas) ++NZ -3652+17446 Pacific/Auckland most of New Zealand + NZ -4357-17633 Pacific/Chatham Chatham Islands + OM +2336+05835 Asia/Muscat + PA +0858-07932 America/Panama +@@ -333,7 +332,7 @@ PE -1203-07703 America/Lima + PF -1732-14934 Pacific/Tahiti Society Islands + PF -0900-13930 Pacific/Marquesas Marquesas Islands + PF -2308-13457 Pacific/Gambier Gambier Islands +-PG -0930+14710 Pacific/Port_Moresby Papua New Guinea (most areas) ++PG -0930+14710 Pacific/Port_Moresby most of 
Papua New Guinea + PG -0613+15534 Pacific/Bougainville Bougainville + PH +1435+12100 Asia/Manila + PK +2452+06703 Asia/Karachi +@@ -379,7 +378,7 @@ RU +4310+13156 Asia/Vladivostok MSK+07 - Amur River + RU +643337+1431336 Asia/Ust-Nera MSK+07 - Oymyakonsky + RU +5934+15048 Asia/Magadan MSK+08 - Magadan + RU +4658+14242 Asia/Sakhalin MSK+08 - Sakhalin Island +-RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); North Kuril Is ++RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); N Kuril Is + RU +5301+15839 Asia/Kamchatka MSK+09 - Kamchatka + RU +6445+17729 Asia/Anadyr MSK+09 - Bering Sea + RW -0157+03004 Africa/Kigali +@@ -420,7 +419,7 @@ TT +1039-06131 America/Port_of_Spain + TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam +-UA +5026+03031 Europe/Kyiv Ukraine (most areas) ++UA +5026+03031 Europe/Kyiv most of Ukraine + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +@@ -443,7 +442,7 @@ US +465042-1012439 America/North_Dakota/New_Salem Central - ND (Morton rural) + US +471551-1014640 America/North_Dakota/Beulah Central - ND (Mercer) + US +394421-1045903 America/Denver Mountain (most areas) + US +433649-1161209 America/Boise Mountain - ID (south); OR (east) +-US +332654-1120424 America/Phoenix MST - Arizona (except Navajo) ++US +332654-1120424 America/Phoenix MST - AZ (except Navajo) + US +340308-1181434 America/Los_Angeles Pacific + US +611305-1495401 America/Anchorage Alaska (most areas) + US +581807-1342511 America/Juneau Alaska - Juneau area +@@ -451,7 +450,7 @@ US +571035-1351807 America/Sitka Alaska - Sitka area + US +550737-1313435 America/Metlakatla Alaska - Annette Island + US +593249-1394338 America/Yakutat Alaska - Yakutat + US +643004-1652423 America/Nome Alaska (west) +-US +515248-1763929 America/Adak Aleutian Islands ++US +515248-1763929 America/Adak Alaska - western Aleutians + US +211825-1575130 Pacific/Honolulu Hawaii + UY 
-345433-0561245 America/Montevideo + UZ +3940+06648 Asia/Samarkand Uzbekistan (west) +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index ef278203182..3762eb820bb 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -608,6 +608,17 @@ public final class ZoneInfoFile { + params[8] = endRule.secondOfDay * 1000; + params[9] = toSTZTime[endRule.timeDefinition]; + dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; ++ ++ // Note: known mismatching -> Africa/Cairo ++ // ZoneInfo : startDayOfWeek=5 <= Thursday ++ // startTime=86400000 <= 24:00 ++ // This: startDayOfWeek=6 <= Friday ++ // startTime=0 <= 0:00 ++ if (zoneId.equals("Africa/Cairo") && ++ params[7] == Calendar.FRIDAY && params[8] == 0) { ++ params[7] = Calendar.THURSDAY; ++ params[8] = SECONDS_PER_DAY * 1000; ++ } + } else if (nTrans > 0) { // only do this if there is something in table already + if (lastyear < LASTYEAR) { + // ZoneInfo has an ending entry for 2037 +diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +index bf7918659ae..2763ac30ca7 100644 +--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java ++++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
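Review bot: The Africa/Cairo special case added in the ZoneInfoFile.java hunk matches a literal zone id and exact values of `params[7]` and `params[8]`, so it silently stops applying if the compiled start rule ever changes shape. Its comment records the two representations but not why they must be reconciled or when the block can be removed. I would extend the comment with the tracking id and a removal condition, for example `// Added with JDK-8305113: keep the legacy ZoneInfo form (Thursday 24:00) of the Cairo start rule; drop once both representations agree.` The enclosing method starts and ends outside this hunk, so it cannot be confirmed from here whether lookups through an alias reach this branch with the canonical id.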
+ * + * This code is free software; you can redistribute it and/or modify it +@@ -845,9 +845,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, +- {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00", +- "Kirov Daylight Time", "GMT+03:00", +- "Kirov Time", "GMT+03:00"}}, ++ {"Europe/Kirov", MSK}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index 0f66ee12c94..c5483b48512 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022g ++tzdata2023c +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +index d495743b268..07c5edbafee 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +@@ -211,6 +211,7 @@ Link America/Argentina/Cordoba America/Rosario + Link America/Tijuana America/Santa_Isabel + Link America/Denver America/Shiprock + Link America/Toronto America/Thunder_Bay ++Link America/Edmonton America/Yellowknife + Link Pacific/Auckland Antarctica/South_Pole + Link Asia/Shanghai Asia/Chongqing + Link Asia/Shanghai Asia/Harbin +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index 44db4dbdb81..03f5305e65e 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -92,7 +92,6 @@ America/Vancouver PST PDT + America/Whitehorse MST + America/Winnipeg CST CDT + America/Yakutat AKST AKDT +-America/Yellowknife MST MDT + Antarctica/Macquarie AEST AEDT + Asia/Beirut EET EEST + Asia/Famagusta EET EEST +@@ -144,6 +143,7 @@ 
Europe/Dublin IST/GMT IST/GMT + Europe/Gibraltar CET CEST + Europe/Helsinki EET EEST + Europe/Kaliningrad EET ++Europe/Kirov MSK + Europe/Kyiv EET EEST + Europe/Lisbon WET WEST + Europe/London GMT/BST GMT/BST +@@ -160,6 +160,7 @@ Europe/Tallinn EET EEST + Europe/Tirane CET CEST + Europe/Vienna CET CEST + Europe/Vilnius EET EEST ++Europe/Volgograd MSK + Europe/Warsaw CET CEST + Europe/Zurich CET CEST + HST HST +diff --git a/test/jdk/java/util/TimeZone/TimeZoneTest.java b/test/jdk/java/util/TimeZone/TimeZoneTest.java +index d31d1722b7b..8e5d403f87b 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneTest.java ++++ b/test/jdk/java/util/TimeZone/TimeZoneTest.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -25,7 +25,7 @@ + * @test + * @bug 4028006 4044013 4096694 4107276 4107570 4112869 4130885 7039469 7126465 7158483 + * 8008577 8077685 8098547 8133321 8138716 8148446 8151876 8159684 8166875 8181157 +- * 8228469 8274407 ++ * 8228469 8274407 8305113 + * @modules java.base/sun.util.resources + * @library /java/text/testlib + * @summary test TimeZone +@@ -121,7 +121,7 @@ public class TimeZoneTest extends IntlTest + new ZoneDescriptor("GMT", 0, false), + new ZoneDescriptor("UTC", 0, false), + new ZoneDescriptor("ECT", 60, true), +- new ZoneDescriptor("ART", 120, false), ++ new ZoneDescriptor("ART", 120, true), + new ZoneDescriptor("EET", 120, true), + new ZoneDescriptor("EAT", 180, false), + new ZoneDescriptor("MET", 60, true), diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec index d28151d..066f841 100644 --- a/SPECS/java-17-openjdk.spec +++ b/SPECS/java-17-openjdk.spec 
@@ -321,7 +321,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 6 +%global updatever 7 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -361,15 +361,16 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 257d544b594 +%global fipsver bf363eecce3 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 10 -%global rpmrelease 3 +%global buildver 7 +%global rpmrelease 1 +#%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1336,7 +1337,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # Crypto policy and FIPS support patches # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u -# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch +# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy 
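Review bot: The comment line right after the changed `git diff %%{vcstag} src make test` recipe still says the diff is limited to the src and make subdirectories, so the regeneration instructions for the FIPS patch now contradict themselves. Whoever rebuilds `fips-17u-%{fipsver}.patch` from this recipe needs the stated scope to match the command, otherwise a patch produced without `test` looks correct against the comment but will not match the shipped one. The following line should read `# Diff is limited to src, make and test subdirectories to exclude .github changes`.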
@@ -1366,6 +1367,10 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode # Remove forgotten dead code from RH2020290 and RH2104724 # OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -1376,9 +1381,13 @@ Patch1001: fips-17u-%{fipsver}.patch ############################################# # -# OpenJDK patches appearing in 17.0.3 +# OpenJDK patches appearing in 17.0.8 # ############################################# +# JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile +Patch2001: jdk8274864-remove_amman_cairo_hacks.patch +# JDK-8305113: (tz) Update Timezone Data to 2023c +Patch2002: jdk8305113-tzdata2023c.patch ############################################# # @@ -1418,8 +1427,8 @@ BuildRequires: java-17-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022g required as of JDK-8297804 -BuildRequires: tzdata-java >= 2022g +# 2023c required as of JDK-8305113 +BuildRequires: tzdata-java >= 2023c # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1817,6 +1826,9 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# tzdata update +%patch2001 -p1 +%patch2002 -p1 popd # openjdk %patch600 
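Review bot: In the `%prep` hunk the new `%patch2001 -p1` and `%patch2002 -p1` lines come after `%patch1000`, whose existing comment says it must come last because it also alters java.security. The tzdata patch visible on this page touches only tzdata files, ZoneInfoFile.java, TimeZoneNames.java and tests, so the ordering is probably harmless, but the content of Patch2001 is not shown here and the "must come last" wording is no longer literally true. I would either move the two lines above `%patch1000` or state the reason on the new comment, for example `# tzdata update; applied after Patch1000, does not touch java.security`.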
@@ -2627,6 +2639,24 @@ cjc.mainProgram(args) %endif %changelog +* Thu Apr 13 2023 Andrew Hughes - 1:17.0.7.0.7-1 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2186804 +- Resolves: rhbz#2186811 +- Resolves: rhbz#2186807 + * Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 - Add missing release note for JDK-8295687 - Resolves: rhbz#2160111