import java-17-openjdk-17.0.6.0.10-3.el8_7

This commit is contained in:
CentOS Sources 2023-01-18 04:46:06 -05:00 committed by Stepan Oksanichenko
parent b76ec77e13
commit 28a3146a97
11 changed files with 883 additions and 925 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-jdk-17.0.5+8.tar.xz SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -1,2 +1,2 @@
7d985db5968fb24fbeb9ff2cd2819d63ab9ca64e SOURCES/openjdk-jdk17u-jdk-17.0.5+8.tar.xz fc29dd4013a289be075afdcb29c8df29d1349c0d SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -3,6 +3,353 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.6 (2023-01-17):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1706
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
* CVEs
- CVE-2023-21835
- CVE-2023-21843
* Security fixes
- JDK-8286070: Improve UTF8 representation
- JDK-8286496: Improve Thread labels
- JDK-8287411: Enhance DTLS performance
- JDK-8288516: Enhance font creation
- JDK-8289350: Better media supports
- JDK-8293554: Enhanced DH Key Exchanges
- JDK-8293598: Enhance InetAddress address handling
- JDK-8293717: Objective view of ObjectView
- JDK-8293734: Improve BMP image handling
- JDK-8293742: Better Banking of Sounds
- JDK-8295687: Better BMP bounds
* Other changes
- JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
- JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
- JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
- JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails
- JDK-8029633: Raw inner class constructor ref should not perform diamond inference
- JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails
- JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
- JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
- JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
- JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java
- JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout
- JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails
- JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...'
- JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
- JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs
- JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos
- JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos
- JDK-8244670: convert clhsdb "whatis" command from javascript to java
- JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives.
- JDK-8255439: System Tray icons get corrupted when Windows scaling changes
- JDK-8256811: Delayed/missed jdwp class unloading events
- JDK-8257722: Improve "keytool -printcert -jarfile" output
- JDK-8262721: Add Tests to verify single iteration loops are properly optimized
- JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) operation
- JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
- JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al
- JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java
- JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow"
- JDK-8268276: Base64 Decoding optimization for x86 using AVX-512
- JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
- JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
- JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs
- JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512
- JDK-8269571: NMT should print total malloc bytes and invocation count
- JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m)
- JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter
- JDK-8270155: ARM32: Improve register dump in hs_err
- JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
- JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns.
- JDK-8270947: AArch64: C1: use zero_words to initialize all objects
- JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts
- JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah
- JDK-8271956: AArch64: C1 build failed after JDK-8270947
- JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
- JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64
- JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag
- JDK-8272776: NullPointerException not reported
- JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947
- JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains
- JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java
- JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
- JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints
- JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long
- JDK-8273459: Update code segment alignment to 64 bytes
- JDK-8273497: building.md should link to both md and html
- JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
- JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12
- JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction
- JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled
- JDK-8273881: Metaspace: test repeated deallocations
- JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java
- JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI
- JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high
- JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS
- JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java
- JDK-8274527: Minimal VM build fails after JDK-8273459
- JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
- JDK-8274903: Zero: Support AsyncGetCallTrace
- JDK-8275170: Some jtreg sound tests should be marked with sound keyword
- JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList
- JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
- JDK-8275569: Add linux-aarch64 to test-make profiles
- JDK-8276108: Wrong instruction generation in aarch64 backend
- JDK-8276904: Optional.toString() is unnecessarily expensive
- JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM"
- JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64
- JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
- JDK-8277358: Accelerate CRC32-C
- JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
- JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64
- JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64
- JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64
- JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size
- JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
- JDK-8277928: Fix compilation on macosx-aarch64 after 8276108
- JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch"
- JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing)
- JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore
- JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
- JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out
- JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC
- JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails
- JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines
- JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes
- JDK-8280234: AArch64 "core" variant does not build after JDK-8270947
- JDK-8280391: NMT: Correct NMT tag on CollectedHeap
- JDK-8280511: AArch64: Combine shift and negate to a single instruction
- JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered
- JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object
- JDK-8280872: Reorder code cache segments to improve code density
- JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
- JDK-8280948: Write a regression test for JDK-4659800
- JDK-8281296: Create a regression test for JDK-4515999
- JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points
- JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores
- JDK-8282276: Problem list failing two Robot Screen Capture tests
- JDK-8282347: AARCH64: Untaken branch in has_negatives stub
- JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
- JDK-8282402: Create a regression test for JDK-4666101
- JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
- JDK-8282528: AArch64: Incorrect replicate2L_zero rule
- JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
- JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1
- JDK-8282730: LdapLoginModule throw NPE from logout method after login failure
- JDK-8282777: Create a Regression test for JDK-4515031
- JDK-8282857: Create a regression test for JDK-4702690
- JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
- JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup
- JDK-8283298: Make CodeCacheSegmentSize a product flag
- JDK-8283337: Posix signal handler modification warning triggering incorrectly
- JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32
- JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
- JDK-8283999: Update JMH devkit to 1.35
- JDK-8284533: Improve InterpreterCodelet data footprint
- JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction"
- JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
- JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X
- JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation
- JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
- JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently
- JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot
- JDK-8285093: Introduce UTIL_ARG_WITH
- JDK-8285305: Create an automated test for JDK-4495286
- JDK-8285373: Create an automated test for JDK-4702233
- JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)"
- JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
- JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java
- JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox
- JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment
- JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server"
- JDK-8286172: Create an automated test for JDK-4516019
- JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3"
- JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable
- JDK-8286452: The array length of testSmallConstArray should be small and const
- JDK-8286460: Remove dependence on JAR filename in CDS tests
- JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2
- JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
- JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray
- JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows
- JDK-8286872: Refactor add/modify notification icon (TrayIcon)
- JDK-8287011: Improve container information
- JDK-8287076: Document.normalizeDocument() produces different results
- JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance
- JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
- JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative
- JDK-8287740: NSAccessibilityShowMenuAction not working for text editors
- JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile
- JDK-8288132: Update test artifacts in QuoVadis CA interop tests
- JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces
- JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable
- JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
- JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name
- JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support
- JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output
- JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented
- JDK-8289301: P11Cipher should not throw out of bounds exception during padding
- JDK-8289524: Add JFR JIT restart event
- JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException
- JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https
- JDK-8290207: Missing notice in dom.md
- JDK-8290209: jcup.md missing additional text
- JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier()
- JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1
- JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure
- JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes
- JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS
- JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
- JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize
- JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
- JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false"
- JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM
- JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false
- JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
- JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
- JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
- JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath
- JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region
- JDK-8292083: Detected container memory limit may exceed physical machine memory
- JDK-8292158: AES-CTR cipher state corruption with AVX-512
- JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out
- JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
- JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle
- JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update
- JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
- JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
- JDK-8292816: GPL Classpath exception missing from assemblyprefix.h
- JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures
- JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading
- JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java
- JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6
- JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform
- JDK-8292903: enhance round_up_power_of_2 assertion output
- JDK-8293010: JDI ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking
- JDK-8293044: C1: Missing access check on non-accessible class
- JDK-8293232: Fix race condition in pkcs11 SessionManager
- JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
- JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
- JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint
- JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx
- JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
- JDK-8293550: Optionally add get-task-allow entitlement to macos binaries
- JDK-8293578: Duplicate ldc generated by javac
- JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
- JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details
- JDK-8293672: Update freetype md file
- JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present
- JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception
- JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
- JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent
- JDK-8293826: Closed test fails after JDK-8276108 on aarch64
- JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
- JDK-8293834: Update CLDR data following tzdata 2022c update
- JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum
- JDK-8293965: Code signing warnings after JDK-8293550
- JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- JDK-8294307: ISO 4217 Amendment 173 Update
- JDK-8294310: compare.sh fails on macos after JDK-8293550
- JDK-8294357: (tz) Update Timezone Data to 2022d
- JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode
- JDK-8294740: Add cgroups keyword to TestDockerBasic.java
- JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md
- JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator
- JDK-8295173: (tz) Update Timezone Data to 2022e
- JDK-8295288: Some vm_flags tests associate with a wrong BugID
- JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests
- JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp
- JDK-8295419: JFR: Change name of jdk.JitRestart
- JDK-8295429: Update harfbuzz md file
- JDK-8295469: S390X: Optimized builds are broken
- JDK-8295554: Move the "sizecalc.h" to the correct location
- JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
- JDK-8295714: GHA ::set-output is deprecated and will be removed
- JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error
- JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor
- JDK-8295952: Problemlist existing compiler/rtm tests also on x86
- JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM
- JDK-8296108: (tz) Update Timezone Data to 2022f
- JDK-8296239: ISO 4217 Amendment 174 Update
- JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
- JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
- JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation
- JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
- JDK-8296715: CLDR v42 update for tzdata 2022f
- JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
- JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds
- JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value
- JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
- JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes
- JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
- JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
- JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
- JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used
- JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again
- JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
- JDK-8297309: Memory leak in ShenandoahFullGC
- JDK-8297481: Create a regression test for JDK-4424517
- JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation
- JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run
- JDK-8297656: AArch64: Enable AES/GCM Intrinsics
- JDK-8297804: (tz) Update Timezone Data to 2022g
- JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6
- JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
- JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
Notes on individual issues:
===========================
client-libs/javax.imageio:
JDK-8295687: Better BMP bounds
==============================
Loading a linked ICC profile within a BMP image is now disabled by
default. To re-enable it, set the new system property
`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property
replaces the old property,
`sun.imageio.plugins.bmp.disableLinkedProfiles`.
client-libs/javax.sound:
JDK-8293742: Better Banking of Sounds
=====================================
Previously, the SoundbankReader implementation,
`com.sun.media.sound.JARSoundbankReader`, would download a JAR
soundbank from a URL. This behaviour is now disabled by default. To
re-enable it, set the new system property `jdk.sound.jarsoundbank` to
`true`.
security-libs/java.security:
JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
==========================================================================================================
Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to
hold principals and credentials so that it rejected null
values. Attempts to call add(null), contains(null) or remove(null)
were changed to throw a NullPointerException.
However, the logout() methods in the LoginModule implementations
within the JDK were not updated to check for null values, which may
occur in the event of a failed login. As a result, a logout() call may
throw a NullPointerException.
The LoginModule implementations have now been updated with such checks
and an implementation note added to the specification to suggest that
the same change is made in third party modules. Developers of third
party modules are advised to verify that their logout() method does not
throw a NullPointerException.
security-libs/javax.net.ssl:
JDK-8287411: Enhance DTLS performance
=====================================
The JDK now exchanges DTLS cookies for all handshakes, new and
resumed. The previous behaviour can be re-enabled by setting the new
system property `jdk.tls.enableDtlsResumeCookie` to `false`.
New in release OpenJDK 17.0.5 (2022-10-18): New in release OpenJDK 17.0.5 (2022-10-18):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:

View File

@ -30,7 +30,7 @@ import java.util.TimeZone;
public class TestTranslations { public class TestTranslations {
private static Map<Locale,String[]> KYIV; private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
static { static {
Map<Locale,String[]> map = new HashMap<Locale,String[]>(); Map<Locale,String[]> map = new HashMap<Locale,String[]>();
@ -44,6 +44,18 @@ public class TestTranslations {
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
KYIV = Collections.unmodifiableMap(map); KYIV = Collections.unmodifiableMap(map);
map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
"Mountain Daylight Time", "MDT", "MDT",
"Mountain Time", "MT", "MT"});
map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
"heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
"heure des Rocheuses", "UTC\u221207:00", "MT"});
map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST",
"Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
"Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
} }
@ -53,7 +65,6 @@ public class TestTranslations {
System.exit(1); System.exit(1);
} }
String localeProvider = args[0];
System.out.println("Checking sanity of full zone string set..."); System.out.println("Checking sanity of full zone string set...");
boolean invalid = Arrays.stream(Locale.getAvailableLocales()) boolean invalid = Arrays.stream(Locale.getAvailableLocales())
.peek(l -> System.out.println("Locale: " + l)) .peek(l -> System.out.println("Locale: " + l))
@ -68,9 +79,18 @@ public class TestTranslations {
System.exit(2); System.exit(2);
} }
for (Locale l : KYIV.keySet()) { String localeProvider = args[0];
String[] expected = KYIV.get(l); testZone(localeProvider, KYIV,
for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
testZone(localeProvider, CIUDAD_JUAREZ,
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
}
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
for (Locale l : exp.keySet()) {
String[] expected = exp.get(l);
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
for (String id : ids) {
String expectedShortStd = null; String expectedShortStd = null;
String expectedShortDST = null; String expectedShortDST = null;
String expectedShortGen = null; String expectedShortGen = null;
@ -124,7 +144,7 @@ public class TestTranslations {
} }
if (!expected[6].equals(longGen)) { if (!expected[6].equals(longGen)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
id, l, longGen, expected[6]); id, l, longGen, expected[6]);
System.exit(8); System.exit(8);
} }

View File

@ -1,9 +1,33 @@
diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
index 5f4b22bb27f..1ca9f5b8ffe 100644
--- a/make/autoconf/build-aux/pkg.m4
+++ b/make/autoconf/build-aux/pkg.m4
@@ -179,3 +179,19 @@ else
ifelse([$3], , :, [$3])
fi[]dnl
])# PKG_CHECK_MODULES
+
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------
+dnl Since: 0.28
+dnl
+dnl Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])dnl PKG_CHECK_VAR
diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
new file mode 100644 new file mode 100644
index 00000000000..b2b1c1787da index 00000000000..f48fc7f7e80
--- /dev/null --- /dev/null
+++ b/make/autoconf/lib-sysconf.m4 +++ b/make/autoconf/lib-sysconf.m4
@@ -0,0 +1,84 @@ @@ -0,0 +1,87 @@
+# +#
+# Copyright (c) 2021, Red Hat, Inc. +# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da
+ # + #
+ # Check for the NSS library + # Check for the NSS library
+ # + #
+ AC_MSG_CHECKING([for NSS library directory])
+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
+ +
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) + AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
+ +
+ # default is not available + # default is not available
+ DEFAULT_SYSCONF_NSS=no + DEFAULT_SYSCONF_NSS=no
@ -87,6 +113,7 @@ index 00000000000..b2b1c1787da
+ fi + fi
+ fi + fi
+ AC_SUBST(USE_SYSCONF_NSS) + AC_SUBST(USE_SYSCONF_NSS)
+ AC_SUBST(NSS_LIBDIR)
+]) +])
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
index a65d91ee974..a8f054c1397 100644 index a65d91ee974..a8f054c1397 100644
@ -109,20 +136,43 @@ index a65d91ee974..a8f054c1397 100644
BASIC_JDKLIB_LIBS="" BASIC_JDKLIB_LIBS=""
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
index c2c9c4adf3a..9d105b37acf 100644 index d557549adb3..1cb44bd2595 100644
--- a/make/autoconf/spec.gmk.in --- a/make/autoconf/spec.gmk.in
+++ b/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in
@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ @@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
# Libraries # Libraries
# #
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@ +NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@ +NSS_CFLAGS:=@NSS_CFLAGS@
+NSS_LIBDIR:=@NSS_LIBDIR@
+ +
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@ LCMS_LIBS:=@LCMS_LIBS@
diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
index 4b894eeae4a..51567071aa8 100644
--- a/make/modules/java.base/Gendata.gmk
+++ b/make/modules/java.base/Gendata.gmk
@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
TARGETS += $(GENDATA_JAVA_SECURITY)
################################################################################
+
+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
+
+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
+ $(call LogInfo, Generating nss.fips.cfg)
+ $(call MakeTargetDir)
+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
+ )
+
+TARGETS += $(GENDATA_NSS_FIPS_CFG)
+
+################################################################################
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
index 5658ff342e5..c8bc5bde1e1 100644 index 5658ff342e5..c8bc5bde1e1 100644
--- a/make/modules/java.base/Lib.gmk --- a/make/modules/java.base/Lib.gmk
@ -1771,7 +1821,7 @@ index f6d3638c3dd..a1ee182d913 100644
+ } + }
} }
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
index 63bb580eb3a..dbbf11bbb22 100644 index 9faee9cae36..27f43550aa4 100644
--- a/src/java.base/share/classes/module-info.java --- a/src/java.base/share/classes/module-info.java
+++ b/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java
@@ -152,6 +152,8 @@ module java.base { @@ -152,6 +152,8 @@ module java.base {
@ -2193,18 +2243,6 @@ index ca79f25cc44..225517ac69b 100644
addA(p, "AlgorithmParameters", "RSASSA-PSS", addA(p, "AlgorithmParameters", "RSASSA-PSS",
"sun.security.rsa.PSSParameters", null); "sun.security.rsa.PSSParameters", null);
} }
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
index 6ffdfeda18d..82e896170f0 100644
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
+import jdk.internal.access.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
new file mode 100644 new file mode 100644
index 00000000000..dc8bc72fccb index 00000000000..dc8bc72fccb
@ -2509,7 +2547,7 @@ index 00000000000..dc8bc72fccb
+ } + }
+} +}
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 6d91e3f8e4e..f357b630460 100644 index 63be286686d..b0a589c3fb4 100644
--- a/src/java.base/share/conf/security/java.security --- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple @@ -79,6 +79,16 @@ security.provider.tbd=Apple
@ -2529,7 +2567,7 @@ index 6d91e3f8e4e..f357b630460 100644
# #
# A list of preferred providers for specific algorithms. These providers will # A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers. # be searched for matching algorithms before the list of registered providers.
@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false @@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false
# #
keystore.type=pkcs12 keystore.type=pkcs12
@ -2537,11 +2575,47 @@ index 6d91e3f8e4e..f357b630460 100644
+# Default keystore type used when global crypto-policies are set to FIPS. +# Default keystore type used when global crypto-policies are set to FIPS.
+# +#
+fips.keystore.type=pkcs12 +fips.keystore.type=pkcs12
+
+#
+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# The syntax for this property is identical to the 'nssSecmodDirectory'
+# attribute available in the SunPKCS11 NSS configuration file. Use the
+# 'sql:' prefix to refer to an SQLite DB.
+#
+# If the system property fips.nssdb.path is also specified, it supersedes
+# the security property value defined here.
+#
+# Note: the default value for this property points to an NSS DB that might be
+# readable by multiple operating system users and unsuitable to store keys.
+#
+fips.nssdb.path=sql:/etc/pki/nssdb
+
+#
+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# Values must take any of the following forms:
+# 1) pin:<value>
+# Value: clear text PIN value.
+# 2) env:<value>
+# Value: environment variable containing the PIN value.
+# 3) file:<value>
+# Value: path to a file containing the PIN value in its first
+# line.
+#
+# If the system property fips.nssdb.pin is also specified, it supersedes
+# the security property value defined here.
+#
+# When used as a system property, UTF-8 encoded values are valid. When
+# used as a security property (such as in this file), encode non-Basic
+# Latin Unicode characters with \uXXXX.
+#
+fips.nssdb.pin=pin:
+ +
# #
# Controls compatibility mode for JKS and PKCS12 keystore types. # Controls compatibility mode for JKS and PKCS12 keystore types.
# #
@@ -326,6 +341,13 @@ package.definition=sun.misc.,\ @@ -326,6 +377,13 @@ package.definition=sun.misc.,\
# #
security.overridePropertiesFile=true security.overridePropertiesFile=true
@ -2555,8 +2629,22 @@ index 6d91e3f8e4e..f357b630460 100644
# #
# Determines the default key and trust manager factory algorithms for # Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package. # the javax.net.ssl package.
diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
new file mode 100644
index 00000000000..55bbba98b7a
--- /dev/null
+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = ${fips.nssdb.path}
+nssDbMode = readWrite
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
index b22f26947af..3ee2ce6ea88 100644 index b22f26947af..02bea84e210 100644
--- a/src/java.base/share/lib/security/default.policy --- a/src/java.base/share/lib/security/default.policy
+++ b/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy
@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { @@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
@ -2575,6 +2663,15 @@ index b22f26947af..3ee2ce6ea88 100644
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*"; "accessClassInPackage.sun.security.*";
@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
+ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
+ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
permission java.security.SecurityPermission "putProviderProperty.*";
permission java.security.SecurityPermission "clearProviderProperties.*";
permission java.security.SecurityPermission "removeProviderProperty.*";
diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
new file mode 100644 new file mode 100644
index 00000000000..ddf9befe5bc index 00000000000..ddf9befe5bc
@ -2819,10 +2916,10 @@ index 00000000000..ddf9befe5bc
+#endif +#endif
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644 new file mode 100644
index 00000000000..8cfa2734d4e index 00000000000..d3f0bffb821
--- /dev/null --- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,461 @@ @@ -0,0 +1,457 @@
+/* +/*
+ * Copyright (c) 2021, Red Hat, Inc. + * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -2897,9 +2994,6 @@ index 00000000000..8cfa2734d4e
+ private static volatile Provider sunECProvider = null; + private static volatile Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+ +
+ private static volatile KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception { + throws PKCS11Exception {
+ long keyID = -1; + long keyID = -1;
@ -3144,8 +3238,7 @@ index 00000000000..8cfa2734d4e
+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, + CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); + CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( + RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey + RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
+ );
+ CK_ATTRIBUTE attr; + CK_ATTRIBUTE attr;
+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { + if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); + attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
@ -3284,6 +3377,162 @@ index 00000000000..8cfa2734d4e
+ } + }
+ } + }
+} +}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
new file mode 100644
index 00000000000..f8d505ca815
--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2022, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
+import java.security.ProviderException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import sun.security.util.Debug;
+import sun.security.util.SecurityProperties;
+
+final class FIPSTokenLoginHandler implements CallbackHandler {
+
+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
+
+ private static final Debug debug = Debug.getInstance("sunpkcs11");
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ if (!(callbacks[0] instanceof PasswordCallback)) {
+ throw new UnsupportedCallbackException(callbacks[0]);
+ }
+ PasswordCallback pc = (PasswordCallback)callbacks[0];
+ pc.setPassword(getFipsNssdbPin());
+ }
+
+ private static char[] getFipsNssdbPin() throws ProviderException {
+ if (debug != null) {
+ debug.println("FIPS: Reading NSS DB PIN for token...");
+ }
+ String pinProp = SecurityProperties
+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
+ if (pinProp != null && !pinProp.isEmpty()) {
+ String[] pinPropParts = pinProp.split(":", 2);
+ if (pinPropParts.length < 2) {
+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
+ " property value.");
+ }
+ String prefix = pinPropParts[0].toLowerCase();
+ String value = pinPropParts[1];
+ String pin = null;
+ if (prefix.equals("env")) {
+ if (debug != null) {
+ debug.println("FIPS: PIN value from the '" + value +
+ "' environment variable.");
+ }
+ pin = System.getenv(value);
+ } else if (prefix.equals("file")) {
+ if (debug != null) {
+ debug.println("FIPS: PIN value from the '" + value +
+ "' file.");
+ }
+ pin = getPinFromFile(Paths.get(value));
+ } else if (prefix.equals("pin")) {
+ if (debug != null) {
+ debug.println("FIPS: PIN value from the " +
+ FIPS_NSSDB_PIN_PROP + " property.");
+ }
+ pin = value;
+ } else {
+ throw new ProviderException("Unsupported prefix for " +
+ FIPS_NSSDB_PIN_PROP + ".");
+ }
+ if (pin != null && !pin.isEmpty()) {
+ if (debug != null) {
+ debug.println("FIPS: non-empty PIN.");
+ }
+ /*
+ * C_Login in libj2pkcs11 receives the PIN in a char[] and
+ * discards the upper byte of each char, before passing
+ * the value to the NSS Software Token. However, the
+ * NSS Software Token accepts any UTF-8 PIN value. Thus,
+ * expand the PIN here to account for later truncation.
+ */
+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
+ char[] pinChar = new char[pinUtf8.length];
+ for (int i = 0; i < pinChar.length; i++) {
+ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
+ }
+ return pinChar;
+ }
+ }
+ if (debug != null) {
+ debug.println("FIPS: empty PIN.");
+ }
+ return null;
+ }
+
+ /*
+ * This method extracts the token PIN from the first line of a password
+ * file in the same way as NSS modutil. See for example the -newpwfile
+ * argument used to change the password for an NSS DB.
+ */
+ private static String getPinFromFile(Path f) throws ProviderException {
+ try (InputStream is =
+ Files.newInputStream(f, StandardOpenOption.READ)) {
+ /*
+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
+ * reads up to 4096 bytes. In addition, the NSS Software Token
+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
+ * in nss/lib/softoken/pkcs11i.h).
+ */
+ BufferedReader in =
+ new BufferedReader(new InputStreamReader(
+ new ByteArrayInputStream(is.readNBytes(4096)),
+ StandardCharsets.UTF_8));
+ return in.readLine();
+ } catch (IOException ioe) {
+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
+ " from the '" + f + "' file.", ioe);
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
index 9b69072280e..5696b904979 100644 index 9b69072280e..5696b904979 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@ -3597,7 +3846,7 @@ index 00000000000..ae4262703e6
+ +
+} +}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
index c98960f7fcc..c14319a5356 100644 index 8d1b8ccb0ae..950ed20cf62 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
@@ -31,6 +31,7 @@ import java.security.*; @@ -31,6 +31,7 @@ import java.security.*;
@ -3608,7 +3857,7 @@ index c98960f7fcc..c14319a5356 100644
import javax.crypto.spec.*; import javax.crypto.spec.*;
import static sun.security.pkcs11.TemplateManager.*; import static sun.security.pkcs11.TemplateManager.*;
@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { @@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
return p11Key; return p11Key;
} }
@ -3737,7 +3986,7 @@ index c98960f7fcc..c14319a5356 100644
static void fixDESParity(byte[] key, int offset) { static void fixDESParity(byte[] key, int offset) {
for (int i = 0; i < 8; i++) { for (int i = 0; i < 8; i++) {
int b = key[offset] & 0xfe; int b = key[offset] & 0xfe;
@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { @@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
keySpec = new SecretKeySpec(keyBytes, "DESede"); keySpec = new SecretKeySpec(keyBytes, "DESede");
return engineGenerateSecret(keySpec); return engineGenerateSecret(keySpec);
} }
@ -3747,7 +3996,7 @@ index c98960f7fcc..c14319a5356 100644
} }
throw new InvalidKeySpecException throw new InvalidKeySpecException
("Unsupported spec: " + keySpec.getClass().getName()); ("Unsupported spec: " + keySpec.getClass().getName());
@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { @@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
// see JCE spec // see JCE spec
protected SecretKey engineTranslateKey(SecretKey key) protected SecretKey engineTranslateKey(SecretKey key)
throws InvalidKeyException { throws InvalidKeyException {
@ -3880,7 +4129,7 @@ index 262cfc062ad..72b64f72c0a 100644
Provider p = sun; Provider p = sun;
if (p == null) { if (p == null) {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 112b639aa96..3e170b4c115 100644 index aa35e8fa668..1855e5631bd 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@ @@ -26,6 +26,9 @@
@ -3893,7 +4142,7 @@ index 112b639aa96..3e170b4c115 100644
import java.util.*; import java.util.*;
import java.security.*; import java.security.*;
@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; @@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters; import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
@ -3901,7 +4150,12 @@ index 112b639aa96..3e170b4c115 100644
import jdk.internal.misc.InnocuousThread; import jdk.internal.misc.InnocuousThread;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.ResourcesMgr; import sun.security.util.ResourcesMgr;
@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; import static sun.security.util.SecurityConstants.PROVIDER_VER;
+import sun.security.util.SecurityProperties;
import static sun.security.util.SecurityProviderConstants.getAliases;
import sun.security.pkcs11.Secmod.*;
@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/ */
public final class SunPKCS11 extends AuthProvider { public final class SunPKCS11 extends AuthProvider {
@ -3935,11 +4189,43 @@ index 112b639aa96..3e170b4c115 100644
+ fipsImportKey = fipsImportKeyTmp; + fipsImportKey = fipsImportKeyTmp;
+ fipsExportKey = fipsExportKeyTmp; + fipsExportKey = fipsExportKeyTmp;
+ } + }
+
+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
+ +
private static final long serialVersionUID = -1354835039035306505L; private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11"); static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider { @@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider {
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
@Override
public SunPKCS11 run() throws Exception {
+ if (systemFipsEnabled) {
+ /*
+ * The nssSecmodDirectory attribute in the SunPKCS11
+ * NSS configuration file takes the value of the
+ * fips.nssdb.path System property after expansion.
+ * Security properties expansion is unsupported.
+ */
+ String nssdbPath =
+ SecurityProperties.privilegedGetOverridable(
+ FIPS_NSSDB_PATH_PROP);
+ if (System.getSecurityManager() != null) {
+ AccessController.doPrivileged(
+ (PrivilegedAction<Void>) () -> {
+ System.setProperty(
+ FIPS_NSSDB_PATH_PROP,
+ nssdbPath);
+ return null;
+ });
+ } else {
+ System.setProperty(
+ FIPS_NSSDB_PATH_PROP, nssdbPath);
+ }
+ }
return new SunPKCS11(new Config(newConfigName));
}
});
@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first // request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK; initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11; PKCS11 tmpPKCS11;
@ -3960,7 +4246,7 @@ index 112b639aa96..3e170b4c115 100644
} catch (PKCS11Exception e) { } catch (PKCS11Exception e) {
if (debug != null) { if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e); debug.println("Multi-threaded initialization failed: " + e);
@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider { @@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0; initArgs.flags = 0;
} }
tmpPKCS11 = PKCS11.getInstance(library, tmpPKCS11 = PKCS11.getInstance(library,
@ -3975,32 +4261,7 @@ index 112b639aa96..3e170b4c115 100644
if (p11Info.cryptokiVersion.major < 2) { if (p11Info.cryptokiVersion.major < 2) {
throw new ProviderException("Only PKCS#11 v2.0 and later " throw new ProviderException("Only PKCS#11 v2.0 and later "
+ "supported, library version is v" + p11Info.cryptokiVersion); + "supported, library version is v" + p11Info.cryptokiVersion);
@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider { @@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider {
final String className; final String className;
final List<String> aliases; final List<String> aliases;
final int[] mechanisms; final int[] mechanisms;
@ -4021,7 +4282,7 @@ index 112b639aa96..3e170b4c115 100644
} }
private P11Service service(Token token, int mechanism) { private P11Service service(Token token, int mechanism) {
return new P11Service return new P11Service
@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider { @@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider {
private static void d(String type, String algorithm, String className, private static void d(String type, String algorithm, String className,
int[] m) { int[] m) {
@ -4054,7 +4315,7 @@ index 112b639aa96..3e170b4c115 100644
} }
private static void register(Descriptor d) { private static void register(Descriptor d) {
@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider { @@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider {
String P11Cipher = "sun.security.pkcs11.P11Cipher"; String P11Cipher = "sun.security.pkcs11.P11Cipher";
String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
@ -4062,7 +4323,7 @@ index 112b639aa96..3e170b4c115 100644
String P11Signature = "sun.security.pkcs11.P11Signature"; String P11Signature = "sun.security.pkcs11.P11Signature";
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider { @@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider {
d(MAC, "SslMacSHA1", P11Mac, d(MAC, "SslMacSHA1", P11Mac,
m(CKM_SSL3_SHA1_MAC)); m(CKM_SSL3_SHA1_MAC));
@ -4093,7 +4354,7 @@ index 112b639aa96..3e170b4c115 100644
d(KPG, "RSA", P11KeyPairGenerator, d(KPG, "RSA", P11KeyPairGenerator,
getAliases("PKCS1"), getAliases("PKCS1"),
m(CKM_RSA_PKCS_KEY_PAIR_GEN)); m(CKM_RSA_PKCS_KEY_PAIR_GEN));
@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider { @@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider {
d(SKF, "ChaCha20", P11SecretKeyFactory, d(SKF, "ChaCha20", P11SecretKeyFactory,
m(CKM_CHACHA20_POLY1305)); m(CKM_CHACHA20_POLY1305));
@ -4160,7 +4421,7 @@ index 112b639aa96..3e170b4c115 100644
// XXX attributes for Ciphers (supported modes, padding) // XXX attributes for Ciphers (supported modes, padding)
dA(CIP, "ARCFOUR", P11Cipher, dA(CIP, "ARCFOUR", P11Cipher,
m(CKM_RC4)); m(CKM_RC4));
@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider { @@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider {
d(CIP, "RSA/ECB/NoPadding", P11RSACipher, d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
m(CKM_RSA_X_509)); m(CKM_RSA_X_509));
@ -4207,7 +4468,7 @@ index 112b639aa96..3e170b4c115 100644
d(SIG, "RawDSA", P11Signature, d(SIG, "RawDSA", P11Signature,
List.of("NONEwithDSA"), List.of("NONEwithDSA"),
m(CKM_DSA)); m(CKM_DSA));
@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider { @@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
if (ds == null) { if (ds == null) {
continue; continue;
} }
@ -4229,7 +4490,60 @@ index 112b639aa96..3e170b4c115 100644
supportedAlgs.put(d, integerMech); supportedAlgs.put(d, integerMech);
continue; continue;
} }
@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider { @@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
}
@Override
+ @SuppressWarnings("removal")
public Object newInstance(Object param)
throws NoSuchAlgorithmException {
if (token.isValid() == false) {
throw new NoSuchAlgorithmException("Token has been removed");
}
+ if (systemFipsEnabled && !token.fipsLoggedIn &&
+ !getType().equals("KeyStore")) {
+ /*
+ * The NSS Software Token in FIPS 140-2 mode requires a
+ * user login for most operations. See sftk_fipsCheck
+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
+ * service, let the caller perform the login with
+ * KeyStore::load. Keytool, for example, does this to pass a
+ * PIN from either the -srcstorepass or -deststorepass
+ * argument. In case of a non-KeyStore service, perform the
+ * login now with the PIN available in the fips.nssdb.pin
+ * property.
+ */
+ try {
+ if (System.getSecurityManager() != null) {
+ try {
+ AccessController.doPrivileged(
+ (PrivilegedExceptionAction<Void>) () -> {
+ token.ensureLoggedIn(null);
+ return null;
+ });
+ } catch (PrivilegedActionException pae) {
+ Exception e = pae.getException();
+ if (e instanceof LoginException le) {
+ throw le;
+ } else if (e instanceof PKCS11Exception p11e) {
+ throw p11e;
+ } else {
+ throw new RuntimeException(e);
+ }
+ }
+ } else {
+ token.ensureLoggedIn(null);
+ }
+ } catch (PKCS11Exception | LoginException e) {
+ throw new ProviderException("FIPS: error during the Token" +
+ " login required for the " + getType() +
+ " service.", e);
+ }
+ }
try {
return newInstance0(param);
} catch (PKCS11Exception e) {
@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
} else if (algorithm.endsWith("GCM/NoPadding") || } else if (algorithm.endsWith("GCM/NoPadding") ||
algorithm.startsWith("ChaCha20-Poly1305")) { algorithm.startsWith("ChaCha20-Poly1305")) {
return new P11AEADCipher(token, algorithm, mechanism); return new P11AEADCipher(token, algorithm, mechanism);
@ -4238,6 +4552,63 @@ index 112b639aa96..3e170b4c115 100644
} else { } else {
return new P11Cipher(token, algorithm, mechanism); return new P11Cipher(token, algorithm, mechanism);
} }
@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
try {
session = token.getOpSession();
p11.C_Logout(session.id());
+ if (systemFipsEnabled) {
+ token.fipsLoggedIn = false;
+ }
if (debug != null) {
debug.println("logout succeeded");
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
index 9858a5faedf..e63585486d9 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
@@ -33,6 +33,7 @@ import java.lang.ref.*;
import java.security.*;
import javax.security.auth.login.LoginException;
+import jdk.internal.access.SharedSecrets;
import sun.security.jca.JCAUtil;
import sun.security.pkcs11.wrapper.*;
@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/
class Token implements Serializable {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
// need to be serializable to allow SecureRandom to be serialized
private static final long serialVersionUID = 2541527649100571747L;
@@ -114,6 +118,10 @@ class Token implements Serializable {
// flag indicating whether we are logged in
private volatile boolean loggedIn;
+ // Flag indicating the login status for the NSS Software Token in FIPS mode.
+ // This Token is never asynchronously removed. Used from SunPKCS11.
+ volatile boolean fipsLoggedIn;
+
// time we last checked login status
private long lastLoginCheck;
@@ -232,7 +240,12 @@ class Token implements Serializable {
// call provider.login() if not
void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
if (isLoggedIn(session) == false) {
- provider.login(null, null);
+ if (systemFipsEnabled) {
+ provider.login(null, new FIPSTokenLoginHandler());
+ fipsLoggedIn = true;
+ } else {
+ provider.login(null, null);
+ }
}
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
index 88ff8a71fc3..47a2f97eddf 100644 index 88ff8a71fc3..47a2f97eddf 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
@ -4877,7 +5248,7 @@ index 5c0aacd1a67..5fbf8addcba 100644
+} +}
} }
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
index d22844cfba8..9e02958b4b0 100644 index 0d65ee26805..38fd4aff1f3 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants { @@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
@ -4939,7 +5310,7 @@ index d22844cfba8..9e02958b4b0 100644
+ /* (CKM_NSS + 32) */ = 0xCE534370L; + /* (CKM_NSS + 32) */ = 0xCE534370L;
} }
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
index 666c5eb9b3b..5523dafcdb4 100644 index d941b574cc7..e2de13648be 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, @@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,

View File

@ -1,26 +0,0 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}

View File

@ -1,51 +0,0 @@
diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml
index 41ff6d236c8..e703020dcdd 100644
--- a/make/data/cldr/common/bcp47/timezone.xml
+++ b/make/data/cldr/common/bcp47/timezone.xml
@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html
<type name="tvfun" description="Funafuti, Tuvalu" alias="Pacific/Funafuti"/>
<type name="twtpe" description="Taipei, Taiwan" alias="Asia/Taipei ROC"/>
<type name="tzdar" description="Dar es Salaam, Tanzania" alias="Africa/Dar_es_Salaam"/>
- <type name="uaiev" description="Kiev, Ukraine" alias="Europe/Kiev"/>
+ <type name="uaiev" description="Kyiv, Ukraine" alias="Europe/Kiev Europe/Kyiv"/>
<type name="uaozh" description="Zaporizhia (Zaporozhye), Ukraine" alias="Europe/Zaporozhye"/>
<type name="uasip" description="Simferopol, Ukraine" alias="Europe/Simferopol"/>
<type name="uauzh" description="Uzhhorod (Uzhgorod), Ukraine" alias="Europe/Uzhgorod"/>
diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
index eb56c087ad6..e398af3c151 100644
--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 8181157 8202537 8234347 8236548 8261279
+ * @bug 8181157 8202537 8234347 8236548 8261279 8293834
* @modules jdk.localedata
* @summary Checks CLDR time zone names are generated correctly at runtime
* @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest
@@ -102,6 +102,24 @@ public class TimeZoneNamesTest {
"UTC+04:00",
"heure : Astrakhan",
"UTC+04:00"},
+ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time",
+ "GMT+02:00",
+ "Eastern European Summer Time",
+ "GMT+03:00",
+ "Eastern European Time",
+ "GMT+02:00"},
+ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est",
+ "UTC+02:00",
+ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est",
+ "UTC+03:00",
+ "heure d\u2019Europe de l\u2019Est",
+ "UTC+02:00"},
+ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit",
+ "OEZ",
+ "Osteurop\u00e4ische Sommerzeit",
+ "OESZ",
+ "Osteurop\u00e4ische Zeit",
+ "OEZ"},
{"Europe/Saratov", Locale.US, "Saratov Standard Time",
"GMT+04:00",
"Saratov Daylight Time",

View File

@ -1,303 +0,0 @@
commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce
Author: Goetz Lindenmaier <goetz@openjdk.org>
Date: Wed Oct 5 07:13:43 2022 +0000
8294357: (tz) Update Timezone Data to 2022d
Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54
diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
index decb8716b22..889d0e6dad7 100644
--- a/make/data/tzdata/VERSION
+++ b/make/data/tzdata/VERSION
@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
-tzdata2022c
+tzdata2022d
diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
index 3a150b0f36b..f9df7432947 100644
--- a/make/data/tzdata/asia
+++ b/make/data/tzdata/asia
@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
# The winter time in 2015 started on October 23 at 01:00.
# https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
# http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
-#
-# From Paul Eggert (2019-04-10):
-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
-# preceding March's last Sunday (i.e., Sat>=24).
# From P Chan (2021-10-18):
# http://wafa.ps/Pages/Details/34701
@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
# From Heba Hamad (2022-03-10):
# summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+# From Heba Hamad (2022-08-30):
+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
+# 60 minutes backwards. Also the state of Palestine adopted the summer
+# and winter time for the years: 2023,2024,2025,2026 ...
+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
+# (2022-08-31): ... the Saturday before the last Sunday in March and October
+# at 2:00 AM ,for the years from 2023 to 2026.
+# (2022-09-05): https://mtit.pna.ps/Site/New/1453
+#
+# From Paul Eggert (2022-08-31):
+# For now, assume that this rule will also be used after 2026.
+
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
Rule Palestine 2014 only - Oct 24 0:00 0 -
Rule Palestine 2015 only - Mar 28 0:00 1:00 S
Rule Palestine 2015 only - Oct 23 1:00 0 -
-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
Rule Palestine 2019 only - Mar 29 0:00 1:00 S
-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
Rule Palestine 2020 only - Oct 24 1:00 0 -
-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
+Rule Palestine 2021 only - Oct 29 1:00 0 -
+Rule Palestine 2022 only - Mar 27 0:00 1:00 S
+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward
index d4a29e8cf29..7765d99aedf 100644
--- a/make/data/tzdata/backward
+++ b/make/data/tzdata/backward
@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
Link Europe/London Europe/Belfast
Link Europe/Kyiv Europe/Kiev
Link Europe/Chisinau Europe/Tiraspol
+Link Europe/Kyiv Europe/Uzhgorod
+Link Europe/Kyiv Europe/Zaporozhye
Link Europe/London GB
Link Europe/London GB-Eire
Link Etc/GMT GMT+0
diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
index 879b5337536..accc845dbaf 100644
--- a/make/data/tzdata/europe
+++ b/make/data/tzdata/europe
@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
# From Alexander Krivenyshev (2014-03-17):
# time change at 2:00 (2am) on March 30, 2014
# https://vz.ru/news/2014/3/17/677464.html
-# From Paul Eggert (2014-03-30):
-# Simferopol and Sevastopol reportedly changed their central town clocks
-# late the previous day, but this appears to have been ceremonial
-# and the discrepancies are small enough to not worry about.
+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
+# The clocks at the railway station in Simferopol were put forward from 22:00
+# to 24:00 the previous day in a "symbolic ceremony"; however, per
+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
+# time switch at 2am" on Sunday.
+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
+# https://www.bbc.com/news/av/world-europe-26806583
2:00 EU EE%sT 2014 Mar 30 2:00
4:00 - MSK 2014 Oct 26 2:00s
3:00 - MSK
@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
# US colleague David Cochrane) are still trying to get more
# information upon these local deviations from Kiev rules.
#
-# From Paul Eggert (2022-02-08):
-# For now, assume that Ukraine's other three zones followed the same rules,
+# From Paul Eggert (2022-08-27):
+# For now, assume that Ukraine's zones all followed the same rules,
# except that Crimea switched to Moscow time in 1994 as described elsewhere.
# From Igor Karpov, who works for the Ukrainian Ministry of Justice,
@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
# * Ukrainian Government's Resolution of 20.03.1992, No. 139.
# http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
-# From Paul Eggert (2022-04-12):
-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
-# "Kyiv" is now more common due to widespread reporting of the current conflict.
-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
-# certainly wrong as a transliteration of the Czech "Praha".
-# English-language spelling of Ukrainian names is in flux, and
-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
-# common in English; in the meantime, do not change these
-# English spellings as that means less disruption for our users.
-
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-# This represents most of Ukraine. See above for the spelling of "Kyiv".
Zone Europe/Kyiv 2:02:04 - LMT 1880
2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
2:00 - EET 1930 Jun 21
@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
2:00 1:00 EEST 1991 Sep 29 3:00
2:00 C-Eur EE%sT 1996 May 13
2:00 EU EE%sT
-# Transcarpathia used CET 1990/1991.
-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
-# "Uzhgorod" is more common in English.
-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
- 1:00 - CET 1940
- 1:00 C-Eur CE%sT 1944 Oct
- 1:00 1:00 CEST 1944 Oct 26
- 1:00 - CET 1945 Jun 29
- 3:00 Russia MSK/MSD 1990
- 3:00 - MSK 1990 Jul 1 2:00
- 1:00 - CET 1991 Mar 31 3:00
- 2:00 - EET 1992 Mar 20
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
-# "Zaporozh'ye" is more common in English. Use the common English
-# spelling, except omit the apostrophe as it is not allowed in
-# portable Posix file names.
-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
- 2:20 - +0220 1924 May 2
- 2:00 - EET 1930 Jun 21
- 3:00 - MSK 1941 Aug 25
- 1:00 C-Eur CE%sT 1943 Oct 25
- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
- 2:00 E-Eur EE%sT 1992 Mar 20
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
# Vatican City
# See Europe/Rome.
diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
index 13ec081c7e0..3c0e0e2061c 100644
--- a/make/data/tzdata/southamerica
+++ b/make/data/tzdata/southamerica
@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
# for America/Santiago will start on midnight of September 11th;
# and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
# will keep UTC -3 "indefinitely"... This is because on September 4th
-# we will have a voting whether to approve a new Constitution....
-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
+# we will have a voting whether to approve a new Constitution.
+#
+# From Eduardo Romero Urra (2022-08-17):
+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
+#
+# From Paul Eggert (2022-08-17):
+# Although the presidential decree stops at fall 2026, assume that
+# similar DST rules will continue thereafter.
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab
index 51b65fa273c..ee025196e50 100644
--- a/make/data/tzdata/zone.tab
+++ b/make/data/tzdata/zone.tab
@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
TW +2503+12130 Asia/Taipei
TZ -0648+03917 Africa/Dar_es_Salaam
UA +5026+03031 Europe/Kyiv Ukraine (most areas)
-UA +4837+02218 Europe/Uzhgorod Transcarpathia
-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
UG +0019+03225 Africa/Kampala
UM +2813-17722 Pacific/Midway Midway Islands
UM +1917+16637 Pacific/Wake Wake Island
diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
index 15c2f0d1275..6f6e190efcd 100644
--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
@@ -574,12 +574,8 @@ public final class ZoneInfoFile {
// we can then pass in the dom = -1, dow > 0 into ZoneInfo
//
// hacking, assume the >=24 is the result of ZRB optimization for
- // "last", it works for now. From tzdata2020d this hacking
- // will not work for Asia/Gaza and Asia/Hebron which follow
- // Palestine DST rules.
- if (dom < 0 || dom >= 24 &&
- !(zoneId.equals("Asia/Gaza") ||
- zoneId.equals("Asia/Hebron"))) {
+ // "last", it works for now.
+ if (dom < 0 || dom >= 24) {
params[1] = -1;
params[2] = toCalendarDOW[dow];
} else {
@@ -601,7 +597,6 @@ public final class ZoneInfoFile {
params[7] = 0;
} else {
// hacking: see comment above
- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
if (dom < 0 || dom >= 24) {
params[6] = -1;
params[7] = toCalendarDOW[dow];
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
index c32bee39fba..71470168456 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
@@ -1 +1 @@
-tzdata2022c
+tzdata2022d
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
index a5e6428a3f5..e3ce742f887 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
Link Europe/London Europe/Belfast
Link Europe/Kyiv Europe/Kiev
Link Europe/Chisinau Europe/Tiraspol
+Link Europe/Kyiv Europe/Uzhgorod
+Link Europe/Kyiv Europe/Zaporozhye
Link Europe/London GB
Link Europe/London GB-Eire
Link Etc/GMT GMT+0
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
index fc148537f1f..b3823958ae4 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
@@ -163,11 +163,9 @@ Europe/Simferopol MSK
Europe/Sofia EET EEST
Europe/Tallinn EET EEST
Europe/Tirane CET CEST
-Europe/Uzhgorod EET EEST
Europe/Vienna CET CEST
Europe/Vilnius EET EEST
Europe/Warsaw CET CEST
-Europe/Zaporozhye EET EEST
Europe/Zurich CET CEST
HST HST
MET MET MEST
diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
index 7b50c342a0d..a7d14f1aa21 100644
--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
@@ -176,11 +176,12 @@ public class TestZoneInfo310 {
* save time in IANA tzdata. This bug is tracked via JDK-8223388.
*
* These are the zones/rules that employ negative DST in vanguard
- * format (as of 2019a):
+ * format (as of 2019a), Palestine added in 2022d:
*
* - Rule "Eire"
* - Rule "Morocco"
* - Rule "Namibia"
+ * - Rule "Palestine"
* - Zone "Europe/Prague"
*
* Tehran/Iran rule has rules beyond 2037, in which javazic assumes
@@ -196,6 +197,8 @@ public class TestZoneInfo310 {
zid.equals("Europe/Dublin") || // uses "Eire" rule
zid.equals("Europe/Prague") ||
zid.equals("Asia/Tehran") || // last rule mismatch
+ zid.equals("Asia/Gaza") || // uses "Palestine" rule
+ zid.equals("Asia/Hebron") || // uses "Palestine" rule
zid.equals("Iran")) { // last rule mismatch
continue;
}

View File

@ -1,420 +0,0 @@
commit d159a377e0243bd2c80593689fd7cd20b2b578f7
Author: duke <duke@openjdk.org>
Date: Fri Oct 14 03:37:19 2022 +0000
Backport 21407dec0156301871a83328615e4d975c4287c4
diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
index 889d0e6dad7..b8cb36e69f4 100644
--- a/make/data/tzdata/VERSION
+++ b/make/data/tzdata/VERSION
@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
-tzdata2022d
+tzdata2022e
diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
index f9df7432947..5b2337fd0b6 100644
--- a/make/data/tzdata/asia
+++ b/make/data/tzdata/asia
@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
# From the Arabic version, it seems to say it would be at midnight
# (assume 24:00) on the last Thursday in February, starting from 2022.
+# From Issam Al-Zuwairi (2022-10-05):
+# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
+# that daylight saving time (DST) will be throughout the year....
+#
+# From Brian Inglis (2022-10-06):
+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
+#
+# From Paul Eggert (2022-10-05):
+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
+# (non-DST) at the point where DST would otherwise have ended.
+
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
Rule Jordan 1973 only - Jun 6 0:00 1:00 S
Rule Jordan 1973 1975 - Oct 1 0:00 0 -
@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
Rule Jordan 2013 only - Dec 20 0:00 0 -
Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
Zone Asia/Amman 2:23:44 - LMT 1931
- 2:00 Jordan EE%sT
+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
+ 3:00 - +03
# Kazakhstan
@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
# Our brief summary:
# https://www.timeanddate.com/news/time/syria-dst-2012.html
-# From Arthur David Olson (2012-03-27):
-# Assume last Friday in March going forward XXX.
+# From Steffen Thorsen (2022-10-05):
+# Syria is adopting year-round DST, starting this autumn....
+# From https://www.enabbaladi.net/archives/607812
+# "This [the decision] came after the weekly government meeting today,
+# Tuesday 4 October ..."
+#
+# From Paul Eggert (2022-10-05):
+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
+# (non-DST) at the point where DST would otherwise have ended.
Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
Rule Syria 2008 only - Nov 1 0:00 0 -
Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
-Rule Syria 2009 max - Oct lastFri 0:00 0 -
+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
+Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
# Zone NAME STDOFF RULES FORMAT [UNTIL]
Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
- 2:00 Syria EE%sT
+ 2:00 Syria EE%sT 2022 Oct 28 0:00
+ 3:00 - +03
# Tajikistan
# From Shanks & Pottenger.
diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
index accc845dbaf..2832c4b9763 100644
--- a/make/data/tzdata/europe
+++ b/make/data/tzdata/europe
@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
0:00 Spain WE%sT 1940 Mar 16 23:00
1:00 Spain CE%sT 1979
1:00 EU CE%sT
-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
0:00 - WET 1918 May 6 23:00
0:00 1:00 WEST 1918 Oct 7 23:00
0:00 - WET 1924
diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
index 114cef14cce..ce4ee74582c 100644
--- a/make/data/tzdata/northamerica
+++ b/make/data/tzdata/northamerica
@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1920
-6:00 Chicago C%sT 1936 Mar 1 2:00
-5:00 - EST 1936 Nov 15 2:00
@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
-6:00 Chicago C%sT 1967
-6:00 US C%sT
# Oliver County, ND switched from mountain to central time on 1992-10-25.
-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 1992 Oct 25 2:00
-6:00 US C%sT
# Morton County, ND, switched from mountain to central time on
@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
# Jones, Mellette, and Todd Counties in South Dakota;
# but in practice these other counties were already observing central time.
# See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 2003 Oct 26 2:00
-6:00 US C%sT
@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
# largest city in Mercer County). Google Maps places Beulah's city hall
# at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 2010 Nov 7 2:00
-6:00 US C%sT
@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 1920
-7:00 Denver M%sT 1942
-7:00 US M%sT 1946
@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
Rule CA 1950 1961 - Sep lastSun 2:00 0 S
Rule CA 1962 1966 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
-8:00 US P%sT 1946
-8:00 CA P%sT 1967
-8:00 US P%sT
@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
# Go with the Arizona State Library instead.
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 1944 Jan 1 0:01
-7:00 - MST 1944 Apr 1 0:01
-7:00 US M%sT 1944 Oct 1 0:01
@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
# switched four weeks late in 1974.
#
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
-8:00 US P%sT 1923 May 13 2:00
-7:00 US M%sT 1974
-7:00 - MST 1974 Feb 3 2:00
@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1920
-6:00 Indianapolis C%sT 1942
-6:00 US C%sT 1946
@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1951
-6:00 Marengo C%sT 1961 Apr 30 2:00
-5:00 - EST 1969
@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 Vincennes C%sT 1964 Apr 26 2:00
-5:00 - EST 1969
@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 Perry C%sT 1964 Apr 26 2:00
-5:00 - EST 1967 Oct 29 2:00
@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1955
-6:00 Pike C%sT 1965 Apr 25 2:00
-5:00 - EST 1966 Oct 30 2:00
@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1947
-6:00 Starke C%sT 1962 Apr 29 2:00
-5:00 - EST 1963 Oct 27 2:00
@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 Pulaski C%sT 1961 Apr 30 2:00
-5:00 - EST 1969
@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
#
# Switzerland County, Indiana, did not observe DST from 1973 through 2005.
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1954 Apr 25 2:00
-5:00 - EST 1969
-5:00 US E%sT 1973
@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1921
-6:00 Louisville C%sT 1942
-6:00 US C%sT 1946
@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
# Federal Register 65, 160 (2000-08-17), pp 50154-50158.
# https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
#
-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 - CST 1968
-6:00 US C%sT 2000 Oct 29 2:00
@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
# longitude they are located at.
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+Rule Mexico 1931 only - May 1 23:00 1:00 D
+Rule Mexico 1931 only - Oct 1 0:00 0 S
Rule Mexico 1939 only - Feb 5 0:00 1:00 D
Rule Mexico 1939 only - Jun 25 0:00 0 S
Rule Mexico 1940 only - Dec 9 0:00 1:00 D
@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
Rule Mexico 2002 max - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
# Quintana Roo; represented by Cancún
-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1981 Dec 23
-5:00 Mexico E%sT 1998 Aug 2 2:00
-6:00 Mexico C%sT 2015 Feb 1 2:00
-5:00 - EST
# Campeche, Yucatán; represented by Mérida
-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1981 Dec 23
-5:00 - EST 1982 Dec 2
-6:00 Mexico C%sT
@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
# See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
# 2016-03-12
# http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1988
-6:00 US C%sT 1989
-6:00 Mexico C%sT 2010
-6:00 US C%sT
# Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1988
-6:00 US C%sT 1989
-6:00 Mexico C%sT
# Central Mexico
-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 Mexico C%sT 2001 Sep 30 2:00
-6:00 - CST 2002 Feb 20
-6:00 Mexico C%sT
@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
# This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
# Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
# (See the 2016-03-12 El Universal source mentioned above.)
-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1996
-6:00 Mexico C%sT 1998
-6:00 - CST 1998 Apr Sun>=1 3:00
-7:00 Mexico M%sT 2010
-7:00 US M%sT
# Chihuahua (away from US border)
-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1996
-6:00 Mexico C%sT 1998
-6:00 - CST 1998 Apr Sun>=1 3:00
-7:00 Mexico M%sT
# Sonora
-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1942 Apr 24
-7:00 - MST 1949 Jan 14
-8:00 - PST 1970
@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
# Use "Bahia_Banderas" to keep the name to fourteen characters.
# Mazatlán
-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1942 Apr 24
-7:00 - MST 1949 Jan 14
-8:00 - PST 1970
-7:00 Mexico M%sT
# Bahía de Banderas
-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1942 Apr 24
-7:00 - MST 1949 Jan 14
-8:00 - PST 1970
@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
-6:00 Mexico C%sT
# Baja California
-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1924
-8:00 - PST 1927 Jun 10 23:00
-7:00 - MST 1930 Nov 15
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
index 71470168456..0cad939008f 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
@@ -1 +1 @@
-tzdata2022d
+tzdata2022e
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
index b3823958ae4..2f2786f1c69 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
America/Yakutat AKST AKDT
America/Yellowknife MST MDT
Antarctica/Macquarie AEST AEDT
-Asia/Amman EET EEST
Asia/Beirut EET EEST
-Asia/Damascus EET EEST
Asia/Famagusta EET EEST
Asia/Gaza EET EEST
Asia/Hebron EET EEST

View File

@ -1,8 +0,0 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

View File

@ -321,7 +321,7 @@
# New Version-String scheme-style defines # New Version-String scheme-style defines
%global featurever 17 %global featurever 17
%global interimver 0 %global interimver 0
%global updatever 5 %global updatever 6
%global patchver 0 %global patchver 0
# buildjdkver is usually same as %%{featurever}, # buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1, # but in time of bootstrap of next jdk, it is featurever-1,
@ -361,15 +361,15 @@
# Define IcedTea version used for SystemTap tapsets and desktop file # Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598 %global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches # Define current Git revision for the FIPS support patches
%global fipsver 0bd5ca9ccc5 %global fipsver 257d544b594
# Standard JPackage naming and versioning defines # Standard JPackage naming and versioning defines
%global origin openjdk %global origin openjdk
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8 %global buildver 10
%global rpmrelease 1 %global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -1118,9 +1118,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package # Require zone-info data provided by tzdata-java sub-package
# 2022d required as of JDK-8294357 # 2022g required as of JDK-8297804
# Should be bumped to 2022e once available (JDK-8295173) Requires: tzdata-java >= 2022g
Requires: tzdata-java >= 2022d
# for support of kernel stream control # for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand # libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa} Requires: lksctp-tools%{?_isa}
@ -1312,9 +1311,6 @@ Source15: TestSecurityProperties.java
# Ensure vendor settings are correct # Ensure vendor settings are correct
Source16: CheckVendor.java Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
# Ensure translations are available for new timezones # Ensure translations are available for new timezones
Source18: TestTranslations.java Source18: TestTranslations.java
@ -1366,6 +1362,10 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# Build the systemconf library on all platforms # Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores # RH2048582: Support PKCS#12 keystores
# RH2020290: Support TLS 1.3 in FIPS mode # RH2020290: Support TLS 1.3 in FIPS mode
# Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
# Remove forgotten dead code from RH2020290 and RH2104724
# OJ1357: Fix issue on FIPS with a SecurityManager in place
Patch1001: fips-17u-%{fipsver}.patch Patch1001: fips-17u-%{fipsver}.patch
############################################# #############################################
@ -1373,20 +1373,12 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming # OpenJDK patches in need of upstreaming
# #
############################################# #############################################
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch2000: jdk8275535-rh2053256-ldap_auth.patch
############################################# #############################################
# #
# OpenJDK patches appearing in 17.0.6 # OpenJDK patches appearing in 17.0.6
# #
############################################# #############################################
# JDK-8293834: Update CLDR data following tzdata 2022c update
Patch2001: jdk8293834-kyiv_cldr_update.patch
# JDK-8294357: (tz) Update Timezone Data to 2022d
Patch2002: jdk8294357-tzdata2022d.patch
# JDK-8295173: (tz) Update Timezone Data to 2022e
Patch2003: jdk8295173-tzdata2022e.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -1420,9 +1412,8 @@ BuildRequires: java-17-openjdk-devel
%ifarch %{zero_arches} %ifarch %{zero_arches}
BuildRequires: libffi-devel BuildRequires: libffi-devel
%endif %endif
# 2022d required as of JDK-8294357 # 2022g required as of JDK-8297804
# Should be bumped to 2022e once available (JDK-8295173) BuildRequires: tzdata-java >= 2022g
BuildRequires: tzdata-java >= 2022d
# Earlier versions have a bug in tree vectorization on PPC # Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8 BuildRequires: gcc >= 4.8.3-8
@ -1820,16 +1811,10 @@ pushd %{top_level_dir_name}
%patch1001 -p1 %patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security # nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1 %patch1000 -p1
# tzdata updates targetted for 17.0.6
%patch2001 -p1
%patch2002 -p1
%patch2003 -p1
popd # openjdk popd # openjdk
%patch600 %patch600
%patch2000
# The OpenJDK version file includes the current # The OpenJDK version file includes the current
# upstream version information. For some reason, # upstream version information. For some reason,
# configure does not automatically use the # configure does not automatically use the
@ -1847,8 +1832,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
echo "WARNING: Designator mismatch"; echo "WARNING: Designator mismatch";
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
# Don't fail at present as upstream are not maintaining the value correctly exit 17
#exit 17
fi fi
# Extract systemtap tapsets # Extract systemtap tapsets
@ -1900,9 +1884,6 @@ done
# Setup nss.cfg # Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build %build
# How many CPU's do we have? # How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
@ -2036,9 +2017,6 @@ function installjdk() {
# Install nss.cfg right away as we will be using the JRE above # Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/ install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Turn on system security properties # Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security ${imagepath}/conf/security/java.security
@ -2178,10 +2156,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif %endif
# Check translations are available for new timezones %if ! 0%{?flatpak}
# Check translations are available for new timezones (during flatpak builds, the
# tzdb.dat used by this test is not where the test expects it, so this is
# disabled for flatpak builds)
$JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/javac -d . %{SOURCE18}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
%endif
%if %{include_staticlibs} %if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test) # Check debug symbols in static libraries (smoke test)
@ -2638,6 +2620,52 @@ require "copy_jdk_configs.lua"
%endif %endif
%changelog %changelog
* Sat Jan 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
- Add missing release note for JDK-8295687
- Resolves: rhbz#2160111
* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
- Update FIPS support to bring in latest changes
- * OJ1357: Fix issue on FIPS with a SecurityManager in place
- Related: rhbz#2147473
* Fri Jan 13 2023 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.6.0.10-3
- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
- Related: rhbz#2160111
* Wed Jan 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-2
- Update to jdk-17.0.6.0+10
- Update release notes to 17.0.6.0+10
- Switch to GA mode for release
- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. **
- Related: rhbz#2153010
* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.2.ea
- Update to jdk-17.0.6+9
- Update release notes to 17.0.6+9
- Drop local copy of JDK-8293834 now this is upstream
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
- Resolves: rhbz#2153010
* Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.2.ea
- Update to jdk-17.0.6+1
- Update release notes to 17.0.6+1
- Switch to EA mode for 17.0.6 pre-release builds.
- Re-enable EA upstream status check now it is being actively maintained.
- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
- Drop JDK-8275535 local patch now this has been accepted and backported upstream
- Bump tzdata requirement to 2022e now the package is available in RHEL
- Related: rhbz#2153010
* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-4
- Update FIPS support to bring in latest changes
- * Add nss.fips.cfg support to OpenJDK tree
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
- * Remove forgotten dead code from RH2020290 and RH2104724
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
- Resolves: rhbz#2147473
* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-1 * Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-1
- Update to jdk-17.0.5+8 (GA) - Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA) - Update release notes to 17.0.5+8 (GA)