rpms/java-17-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-17-openjdk-17.0.5.0.8-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-11-08 12:10:50 +00:00 committed by Stepan Oksanichenko
parent 52fa1f379d
commit 3603a0d088
31 changed files with 7668 additions and 4241 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
SOURCES/openjdk-jdk17u-jdk-17.0.5+8.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

2
.java-17-openjdk.metadata
View File

@ -1,2 +1,2 @@
48b4c7e58395ac81d19dae67b0f4d1cfe52c4e45 SOURCES/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
7d985db5968fb24fbeb9ff2cd2819d63ab9ca64e SOURCES/openjdk-jdk17u-jdk-17.0.5+8.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

65
SOURCES/CheckVendor.java Normal file
View File

@ -0,0 +1,65 @@
/* CheckVendor -- Check the vendor properties match specified values.
Copyright (C) 2020 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @test
*/
public class CheckVendor {
public static void main(String[] args) {
if (args.length < 4) {
System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
String vendor = System.getProperty("java.vendor");
String expectedVendor = args[0];
String vendorURL = System.getProperty("java.vendor.url");
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
String vendorVersionString = System.getProperty("java.vendor.version");
String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
vendor, expectedVendor);
System.exit(2);
}
if (!expectedVendorURL.equals(vendorURL)) {
System.err.printf("Invalid vendor URL %s, expected %s\n",
vendorURL, expectedVendorURL);
System.exit(3);
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
if (!expectedVendorVersionString.equals(vendorVersionString)) {
System.err.printf("Invalid vendor version string %s, expected %s\n",
vendorVersionString, expectedVendorVersionString);
System.exit(5);
}
System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}

685
SOURCES/NEWS
View File

@ -3,6 +3,691 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.5 (2022-10-18):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1705
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html
* Security fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526, CVE-2022-21619: Improve NTLM support
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- JDK-8286918, CVE-2022-21628: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1
* Other changes
- JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
- JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
- JDK-7131823: bug in GIFImageReader
- JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
- JDK-8028265: Add legacy tz tests to OpenJDK
- JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
- JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails
- JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
- JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
- JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
- JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test.
- JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values
- JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
- JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
- JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
- JDK-8227651: Tests fail with SSLProtocolException: Input record too big
- JDK-8240903: Add test to check that jmod hashes are reproducible
- JDK-8254318: Remove .hgtags
- JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
- JDK-8256844: Make NMT late-initializable
- JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom"
- JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class
- JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
- JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled"
- JDK-8269039: Disable SHA-1 Signed JARs
- JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr
- JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
- JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
- JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
- JDK-8271344: Windows product version issue
- JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
- JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData
- JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals
- JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null]
- JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
- JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts
- JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
- JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms
- JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
- JDK-8274597: Some of the dnd tests time out and fail intermittently
- JDK-8274856: Failing jpackage tests with fastdebug/release build
- JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
- JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
- JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold
- JDK-8276837: [macos]: Error when signing the additional launcher
- JDK-8277429: Conflicting jpackage static library name
- JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged"
- JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
- JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
- JDK-8278311: Debian packaging doesn't work
- JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
- JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
- JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
- JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
- JDK-8279622: C2: miscompilation of map pattern as a vector reduction
- JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
- JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
- JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
- JDK-8280863: Update build README to reflect that MSYS2 is supported
- JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
- JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism
- JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
- JDK-8281181: Do not use CPU Shares to compute active processor count
- JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
- JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted)
- JDK-8281535: Create a regression test for JDK-4670051
- JDK-8281569: Create tests for Frame.setMinimumSize() method
- JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
- JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
- JDK-8281745: Create a regression test for JDK-4514331
- JDK-8281988: Create a regression test for JDK-4618767
- JDK-8282007: Assorted enhancements to jpackage testing framework
- JDK-8282046: Create a regression test for JDK-8000326
- JDK-8282214: Upgrade JQuery to version 3.6.0
- JDK-8282234: Create a regression test for JDK-4532513
- JDK-8282280: Update Xerces to Version 2.12.2
- JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
- JDK-8282343: Create a regression test for JDK-4518432
- JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
- JDK-8282407: Missing ')' in MacResources.properties
- JDK-8282467: add extra diagnostics for JDK-8268184
- JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
- JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- JDK-8282548: Create a regression test for JDK-4330998
- JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
- JDK-8282640: Create a test for JDK-4740761
- JDK-8282778: Create a regression test for JDK-4699544
- JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
- JDK-8282860: Write a regression test for JDK-4164779
- JDK-8282933: Create a test for JDK-4529616
- JDK-8282936: Write a regression test for JDK-4615365
- JDK-8282937: Write a regression test for JDK-4820080
- JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
- JDK-8283015: Create a test for JDK-4715496
- JDK-8283087: Create a test or JDK-4715503
- JDK-8283245: Create a test for JDK-4670319
- JDK-8283277: ISO 4217 Amendment 171 Update
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- JDK-8283457: [macos] libpng build failures with Xcode13.3
- JDK-8283493: Create an automated regression test for RFE 4231298
- JDK-8283507: Create a regression test for RFE 4287690
- JDK-8283562: JDK-8282306 breaks gtests on zero
- JDK-8283597: [REDO] Invalid generic signature for redefined classes
- JDK-8283621: Write a regression test for CCC4400728
- JDK-8283623: Create an automated regression test for JDK-4525475
- JDK-8283624: Create an automated regression test for RFE-4390885
- JDK-8283712: Create a manual test framework class
- JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
- JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
- JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
- JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
- JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
- JDK-8284077: Create an automated test for JDK-4170173
- JDK-8284294: Create an automated regression test for RFE 4138746
- JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
- JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
- JDK-8284521: Write an automated regression test for RFE 4371575
- JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
- JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
- JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
- JDK-8284686: Interval of < 1 ms disables ExecutionSample events
- JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
- JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
- JDK-8284898: Enhance PassFailJFrame
- JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
- JDK-8284950: CgroupV1 detection code should consider memory.swappiness
- JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
- JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
- JDK-8285081: Improve XPath operators count accuracy
- JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
- JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
- JDK-8285380: Fix typos in security
- JDK-8285398: Cache the results of constraint checks
- JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
- JDK-8285693: Create an automated test for JDK-4702199
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
- JDK-8285730: unify _WIN32_WINNT settings
- JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
- JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
- JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
- JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
- JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
- JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
- JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
- JDK-8286277: CDS VerifyError when calling clone() on object array
- JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
- JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
- JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
- JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
- JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
- JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
- JDK-8286869: unify os::dir_is_empty across posix platforms
- JDK-8286870: Memory leak with RepeatCompilation
- JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
- JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
- JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
- JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
- JDK-8287113: JFR: Periodic task thread uses period for method sampling events
- JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
- JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
- JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
- JDK-8287366: Improve test failure reporting in GHA
- JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
- JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
- JDK-8287463: JFR: Disable TestDevNull.java on Windows
- JDK-8287663: Add a regression test for JDK-8287073
- JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
- JDK-8287724: Fix various issues with msys2
- JDK-8287735: Provide separate event category for dll operations
- JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
- JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
- JDK-8287895: Some langtools tests fail on msys2
- JDK-8287896: PropertiesTest.sh fail on msys2
- JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
- JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
- JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
- JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
- JDK-8288003: log events for os::dll_unload
- JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
- JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
- JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
- JDK-8288467: remove memory_operand assert for spilled instructions
- JDK-8288499: Restore cancel-in-progress in GHA
- JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
- JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
- JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
- JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
- JDK-8288992: AArch64: CMN should be handled the same way as CMP
- JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
- JDK-8289147: unify os::infinite_sleep on posix platforms
- JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
- JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
- JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
- JDK-8289486: Improve XSLT XPath operators count efficiency
- JDK-8289549: ISO 4217 Amendment 172 Update
- JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
- JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
- JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
- JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
- JDK-8289910: unify os::message_box across posix platforms
- JDK-8290000: Bump macOS GitHub actions to macOS 11
- JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
- JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
- JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
- JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
- JDK-8290456: remove os::print_statistics()
- JDK-8291595: [17u] Delete files missed in backport of 8269039
- JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
- JDK-8292579: (tz) Update Timezone Data to 2022c
- JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
===========================================================================
Two system properties have been added which control the keep alive
behavior of HttpURLConnection in the case where the server does not
specify a keep alive time. Two properties are defined for controlling
connections to servers and proxies separately. They are:
* `http.keepAlive.time.server`
* `http.keepAlive.time.proxy`
respectively. More information about them can be found on the
Networking Properties page:
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
security-libs/javax.crypto:
JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location
=====================================================================================
The Windows KeyStore support in the SunMSCAPI provider has been
expanded to include access to the local machine location. The new
keystore types are:
* "Windows-MY-LOCALMACHINE"
* "Windows-ROOT-LOCALMACHINE"
The following keystore types were also added, allowing developers to
make it clear they map to the current user:
* "Windows-MY-CURRENTUSER" (same as "Windows-MY")
* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")
JDK-8286918: Better HttpServer service
======================================
The HttpServer can be optionally configured with a maximum connection
limit by setting the jdk.httpserver.maxConnections system property. A
value of 0 or a negative integer is ignored and considered to
represent no connection limit. In the case of a positive integer
value, any newly accepted connections will be first checked against
the current count of established connections and, if the configured
limit has been reached, then the newly accepted connection will be
closed immediately.
hotspot/runtime:
JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
=====================================================================
Previous JDK releases used an incorrect interpretation of the Linux
cgroups parameter "cpu.shares". This might cause the JVM to use fewer
CPUs than available, leading to an under utilization of CPU resources
when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer
considers "cpu.shares" when deciding the number of threads to be used
by the various thread pools. The `-XX:+UseContainerCpuShares`
command-line option can be used to revert to the previous
behavior. This option is deprecated and may be removed in a future JDK
release.
security-libs/java.security:
JDK-8269039: Disabled SHA-1 Signed JARs
=======================================
JARs signed with SHA-1 algorithms are now restricted by default and
treated as if they were unsigned. This applies to the algorithms used
to digest, sign, and optionally timestamp the JAR. It also applies to
the signature and digest algorithms of the certificates in the
certificate chain of the code signer and the Timestamp Authority, and
any CRLs or OCSP responses that are used to verify if those
certificates have been revoked. These restrictions also apply to
signed JCE providers.
To reduce the compatibility risk for JARs that have been previously
timestamped, there is one exception to this policy:
- Any JAR signed with SHA-1 algorithms and timestamped prior to
January 01, 2019 will not be restricted.
This exception may be removed in a future JDK release. To determine if
your signed JARs are affected by this change, run:
$ jarsigner -verify -verbose -certs`
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
"disabled" and a warning that the JAR will be treated as unsigned in
the output.
For example:
Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or
re-signed with stronger algorithms.
Users can, *at their own risk*, remove these restrictions by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) and removing "SHA1 usage
SignedJAR & denyAfter 2019-01-01" from the
`jdk.certpath.disabledAlgorithms` security property and "SHA1
denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
property.
New in release OpenJDK 17.0.4.1 (2022-08-16):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk17041
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt
* Other changes
- JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1
- JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large
Notes on individual issues:
===========================
hotspot/compiler:
JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM
============================================================
Fixes a regression in the C2 JIT compiler which caused the Java
Runtime to crash unpredictably.
New in release OpenJDK 17.0.4 (2022-07-19):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1704
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
* Security fixes
- JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties
- JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8277608: Address IP Addressing
- JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- JDK-8283190: Improve MIDI processing
- JDK-8284370: Improve zlib usage
- JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
- JDK-8181571: printing to CUPS fails on mac sandbox app
- JDK-8193682: Infinite loop in ZipOutputStream.close()
- JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
- JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
- JDK-8214733: runtime/8176717/TestInheritFD.java timed out
- JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel
- JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
- JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
- JDK-8255266: Update Public Suffix List to 3c213aa
- JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
- JDK-8258814: Compilation logging crashes for thread suspension / debugging tests
- JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure
- JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well
- JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL"
- JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
- JDK-8267163: Rename anonymous loader tests to hidden loader tests
- JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
- JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
- JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
- JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
- JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM
- JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform
- JDK-8269753: Misplaced caret in PatternSyntaxException's detail message
- JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
- JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java
- JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
- JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output
- JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled
- JDK-8270797: ShortECDSA.java test is not complete
- JDK-8270837: fix typos in test TestSigParse.java
- JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
- JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
- JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code
- JDK-8271302: Regex Test Refresh
- JDK-8272146: Disable Fibonacci test on memory constrained systems
- JDK-8272168: some hotspot runtime/logging tests don't check exit code
- JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty
- JDK-8272358: Some tests may fail when executed with other locales than the US
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
- JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302
- JDK-8273804: Platform.isTieredSupported should handle the no-compiler case
- JDK-8274172: Convert JavadocTester to use NIO
- JDK-8274233: Minor cleanup for ToolBox
- JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
- JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
- JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
- JDK-8274751: Drag And Drop hangs on Windows
- JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
- JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS
- JDK-8274983: C1 optimizes the invocation of private interface methods
- JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows
- JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert
- JDK-8275745: Reproducible copyright headers
- JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers
- JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt
- JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win)
- JDK-8276657: XSLT compiler tries to define a class with empty name
- JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC
- JDK-8276825: hotspot/runtime/SelectionResolution test errors
- JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
- JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
- JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
- JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
- JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
- JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND
- JDK-8277123: jdeps does not report some exceptions correctly
- JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
- JDK-8277166: Data race in jdeps VersionHelper
- JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
- JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
- JDK-8277893: Arraycopy stress tests
- JDK-8277906: Incorrect type for IV phi of long counted loops after CCP
- JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
- JDK-8278014: [vectorapi] Remove test run script
- JDK-8278065: Refactor subclassAudits to use ClassValue
- JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
- JDK-8278472: Invalid value set to CANDIDATEFORM structure
- JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
- JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
- JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date
- JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
- JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
- JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
- JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
- JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638
- JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC
- JDK-8279219: [REDO] C2 crash when allocating array of size too large
- JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display
- JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
- JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
- JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
- JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
- JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
- JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
- JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
- JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
- JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores
- JDK-8279668: x86: AVX2 versions of vpxor should be asserted
- JDK-8279822: CI: Constant pool entries in error state are not supported
- JDK-8279834: Alpine Linux fails to build when --with-source-date enabled
- JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
- JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
- JDK-8279958: Provide configure hints for Alpine/apk package managers
- JDK-8280004: DCmdArgument<jlong>::parse_value() should handle NULL input
- JDK-8280041: Retry loop issues in java.io.ClassCache
- JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
- JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
- JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
- JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor
- JDK-8280600: C2: assert(!had_error) failed: bad dominance
- JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
- JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
- JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
- JDK-8280940: gtest os.release_multi_mappings_vm is racy
- JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range
- JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
- JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
- JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64
- JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
- JDK-8281262: Windows builds in different directories are not fully reproducible
- JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
- JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
- JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
- JDK-8281318: Improve jfr/event/allocation tests reliability
- JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working
- JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor
- JDK-8281522: Rename ADLC classes which have the same name as hotspot variants
- JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
- JDK-8281615: Deadlock caused by jdwp agent
- JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
- JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
- JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
- JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
- JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
- JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
- JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
- JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- JDK-8282225: GHA: Allow one concurrent run per PR only
- JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
- JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
- JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
- JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- JDK-8282345: handle latest VS2022 in abstract_vm_version
- JDK-8282382: Report glibc malloc tunables in error reports
- JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- JDK-8282444: Module finder incorrectly assumes default file system path-separator character
- JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
- JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
- JDK-8282551: Properly initialize L32X64MixRandom state
- JDK-8282583: Update BCEL md to include the copyright notice
- JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
- JDK-8282592: C2: assert(false) failed: graph should be schedulable
- JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
- JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
- JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
- JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
- JDK-8283017: GHA: Workflows break with update release versions
- JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
- JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
- JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
- JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
- JDK-8283315: jrt-fs.jar not always deterministically built
- JDK-8283323: libharfbuzz optimization level results in extreme build times
- JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
- JDK-8283350: (tz) Update Timezone Data to 2022a
- JDK-8283408: Fix a C2 crash when filling arrays with unsafe
- JDK-8283422: Create a new test for JDK-8254790
- JDK-8283451: C2: assert(_base == Long) failed: Not a Long
- JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
- JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
- JDK-8283641: Large value for CompileThresholdScaling causes assert
- JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
- JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
- JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
- JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
- JDK-8284094: Memory leak in invoker_completeInvokeRequest()
- JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
- JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
- JDK-8284437: Building from different users/workspace is not always deterministic
- JDK-8284458: CodeHeapState::aggregate() leaks blob_name
- JDK-8284507: GHA: Only check test results if testing was not skipped
- JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
- JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
- JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
- JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
- JDK-8284661: Reproducible assembly builds without relative linking
- JDK-8284754: print more interesting env variables in hs_err and VM.info
- JDK-8284758: [linux] improve print_container_info
- JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
- JDK-8284866: Add test to JDK-8273056
- JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
- JDK-8284992: Fix misleading Vector API doc for LSHR operator
- JDK-8285342: Zero build failure with clang due to values not handled in switch
- JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
- JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
- JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
- JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
- JDK-8285686: Update FreeType to 2.12.0
- JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
- JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
- JDK-8285728: Alpine Linux build fails with busybox tar
- JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
- JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
- JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
- JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
- JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
- JDK-8286198: [linux] Fix process-memory information
- JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
- JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
- JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
- JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
- JDK-8286855: javac error on invalid jar should only print filename
- JDK-8287109: Distrust.java failed with CertificateExpiredException
- JDK-8287119: Add Distrust.java to ProblemList
- JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
- JDK-8287336: GHA: Workflows break on patch versions
- JDK-8287362: FieldAccessWatch testcase failed on AIX platform
- JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
================================================================
Support has been added for TLS channel binding tokens for
Negotiate/Kerberos authentication over HTTPS through
javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form
of security which can mitigate certain kinds of socially engineered,
man in the middle (MITM) attacks. They work by communicating from a
client to a server the client's understanding of the binding between
connection security (as represented by a TLS server cert) and higher
level authentication credentials (such as a username and
password). The server can then detect if the client has been fooled by
a MITM and shutdown the session/connection.
The feature is controlled through a new system property
`jdk.https.negotiate.cbt` which is described fully at the following
page:
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
core-libs/java.lang:
JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
=====================================================================
ProcessBuilder on Windows is restored to address a regression caused
by JDK-8250568. Previously, an argument to ProcessBuilder that
started with a double-quote and ended with a backslash followed by a
double-quote was passed to a command incorrectly and may cause the
command to fail. For example the argument `"C:\\Program Files\"`,
would be seen by the command with extra double-quotes. This update
restores the long standing behavior that does not treat the backslash
before the final double-quote specially.
core-libs/java.util.jar:
JDK-8278386: Default JDK compressor will be closed when IOException is encountered
==================================================================================
`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
have been modified to close out the associated default JDK compressor
before propagating a Throwable up the
stack. `ZIPOutputStream.closeEntry()` method has been modified to
close out the associated default JDK compressor before propagating an
IOException, not of type ZipException, up the stack.
core-libs/java.io:
JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
=================================================================================================
The Windows implementation of `java.io.File` allows access to NTFS
Alternate Data Streams (ADS) by default. Such streams have a structure
like “filename:streamname”. A system property `jdk.io.File.enableADS`
has been added to control this behavior. To disable ADS support in
`java.io.File`, the system property `jdk.io.File.enableADS` should be
set to `false` (case ignored). Stricter path checking however prevents
the use of special devices such as `NUL:`
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:

51
SOURCES/TestSecurityProperties.java
View File

@ -1,3 +1,20 @@
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
@ -9,35 +26,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println("Debug: Java version is " + javaVersion);
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}

140
SOURCES/TestTranslations.java Normal file
View File

@ -0,0 +1,140 @@
/* TestTranslations -- Ensure translations are available for new timezones
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.text.DateFormatSymbols;
import java.time.ZoneId;
import java.time.format.TextStyle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Locale;
import java.util.Objects;
import java.util.TimeZone;
public class TestTranslations {
private static Map<Locale,String[]> KYIV;
static {
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
"Eastern European Summer Time", "GMT+03:00", "EEST",
"Eastern European Time", "GMT+02:00", "EET"});
map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
"heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
"heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
KYIV = Collections.unmodifiableMap(map);
}
public static void main(String[] args) {
if (args.length < 1) {
System.err.println("Test must be started with the name of the locale provider.");
System.exit(1);
}
String localeProvider = args[0];
System.out.println("Checking sanity of full zone string set...");
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
.peek(l -> System.out.println("Locale: " + l))
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
.flatMap(zs -> Arrays.stream(zs))
.flatMap(names -> Arrays.stream(names))
.filter(name -> Objects.isNull(name) || name.isEmpty())
.findAny()
.isPresent();
if (invalid) {
System.err.println("Zone string for a locale returned null or empty string");
System.exit(2);
}
for (Locale l : KYIV.keySet()) {
String[] expected = KYIV.get(l);
for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) {
String expectedShortStd = null;
String expectedShortDST = null;
String expectedShortGen = null;
System.out.printf("Checking locale %s for %s...\n", l, id);
if ("JRE".equals(localeProvider)) {
expectedShortStd = expected[2];
expectedShortDST = expected[5];
expectedShortGen = expected[8];
} else if ("CLDR".equals(localeProvider)) {
expectedShortStd = expected[1];
expectedShortDST = expected[4];
expectedShortGen = expected[7];
} else {
System.err.printf("Invalid locale provider %s\n", localeProvider);
System.exit(3);
}
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
if (!expected[0].equals(longStd)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
id, l, longStd, expected[0]);
System.exit(4);
}
if (!expectedShortStd.equals(shortStd)) {
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
id, l, shortStd, expectedShortStd);
System.exit(5);
}
if (!expected[3].equals(longDST)) {
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
id, l, longDST, expected[3]);
System.exit(6);
}
if (!expectedShortDST.equals(shortDST)) {
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
id, l, shortDST, expectedShortDST);
System.exit(7);
}
if (!expected[6].equals(longGen)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
id, l, longGen, expected[6]);
System.exit(8);
}
if (!expectedShortGen.equals(shortGen)) {
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
id, l, shortGen, expectedShortGen);
System.exit(9);
}
}
}
}
}

5585
SOURCES/fips-17u-0bd5ca9ccc5.patch Normal file
View File

File diff suppressed because it is too large Load Diff

51
SOURCES/jdk8293834-kyiv_cldr_update.patch Normal file
View File

@ -0,0 +1,51 @@
diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml
index 41ff6d236c8..e703020dcdd 100644
--- a/make/data/cldr/common/bcp47/timezone.xml
+++ b/make/data/cldr/common/bcp47/timezone.xml
@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html
<type name="tvfun" description="Funafuti, Tuvalu" alias="Pacific/Funafuti"/>
<type name="twtpe" description="Taipei, Taiwan" alias="Asia/Taipei ROC"/>
<type name="tzdar" description="Dar es Salaam, Tanzania" alias="Africa/Dar_es_Salaam"/>
- <type name="uaiev" description="Kiev, Ukraine" alias="Europe/Kiev"/>
+ <type name="uaiev" description="Kyiv, Ukraine" alias="Europe/Kiev Europe/Kyiv"/>
<type name="uaozh" description="Zaporizhia (Zaporozhye), Ukraine" alias="Europe/Zaporozhye"/>
<type name="uasip" description="Simferopol, Ukraine" alias="Europe/Simferopol"/>
<type name="uauzh" description="Uzhhorod (Uzhgorod), Ukraine" alias="Europe/Uzhgorod"/>
diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
index eb56c087ad6..e398af3c151 100644
--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 8181157 8202537 8234347 8236548 8261279
+ * @bug 8181157 8202537 8234347 8236548 8261279 8293834
* @modules jdk.localedata
* @summary Checks CLDR time zone names are generated correctly at runtime
* @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest
@@ -102,6 +102,24 @@ public class TimeZoneNamesTest {
"UTC+04:00",
"heure : Astrakhan",
"UTC+04:00"},
+ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time",
+ "GMT+02:00",
+ "Eastern European Summer Time",
+ "GMT+03:00",
+ "Eastern European Time",
+ "GMT+02:00"},
+ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est",
+ "UTC+02:00",
+ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est",
+ "UTC+03:00",
+ "heure d\u2019Europe de l\u2019Est",
+ "UTC+02:00"},
+ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit",
+ "OEZ",
+ "Osteurop\u00e4ische Sommerzeit",
+ "OESZ",
+ "Osteurop\u00e4ische Zeit",
+ "OEZ"},
{"Europe/Saratov", Locale.US, "Saratov Standard Time",
"GMT+04:00",
"Saratov Daylight Time",

303
SOURCES/jdk8294357-tzdata2022d.patch Normal file
View File

@ -0,0 +1,303 @@
commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce
Author: Goetz Lindenmaier <goetz@openjdk.org>
Date: Wed Oct 5 07:13:43 2022 +0000
8294357: (tz) Update Timezone Data to 2022d
Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54
diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
index decb8716b22..889d0e6dad7 100644
--- a/make/data/tzdata/VERSION
+++ b/make/data/tzdata/VERSION
@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
-tzdata2022c
+tzdata2022d
diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
index 3a150b0f36b..f9df7432947 100644
--- a/make/data/tzdata/asia
+++ b/make/data/tzdata/asia
@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
# The winter time in 2015 started on October 23 at 01:00.
# https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
# http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
-#
-# From Paul Eggert (2019-04-10):
-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
-# preceding March's last Sunday (i.e., Sat>=24).
# From P Chan (2021-10-18):
# http://wafa.ps/Pages/Details/34701
@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
# From Heba Hamad (2022-03-10):
# summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+# From Heba Hamad (2022-08-30):
+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
+# 60 minutes backwards. Also the state of Palestine adopted the summer
+# and winter time for the years: 2023,2024,2025,2026 ...
+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
+# (2022-08-31): ... the Saturday before the last Sunday in March and October
+# at 2:00 AM ,for the years from 2023 to 2026.
+# (2022-09-05): https://mtit.pna.ps/Site/New/1453
+#
+# From Paul Eggert (2022-08-31):
+# For now, assume that this rule will also be used after 2026.
+
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
Rule Palestine 2014 only - Oct 24 0:00 0 -
Rule Palestine 2015 only - Mar 28 0:00 1:00 S
Rule Palestine 2015 only - Oct 23 1:00 0 -
-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
Rule Palestine 2019 only - Mar 29 0:00 1:00 S
-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
Rule Palestine 2020 only - Oct 24 1:00 0 -
-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
+Rule Palestine 2021 only - Oct 29 1:00 0 -
+Rule Palestine 2022 only - Mar 27 0:00 1:00 S
+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward
index d4a29e8cf29..7765d99aedf 100644
--- a/make/data/tzdata/backward
+++ b/make/data/tzdata/backward
@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
Link Europe/London Europe/Belfast
Link Europe/Kyiv Europe/Kiev
Link Europe/Chisinau Europe/Tiraspol
+Link Europe/Kyiv Europe/Uzhgorod
+Link Europe/Kyiv Europe/Zaporozhye
Link Europe/London GB
Link Europe/London GB-Eire
Link Etc/GMT GMT+0
diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
index 879b5337536..accc845dbaf 100644
--- a/make/data/tzdata/europe
+++ b/make/data/tzdata/europe
@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
# From Alexander Krivenyshev (2014-03-17):
# time change at 2:00 (2am) on March 30, 2014
# https://vz.ru/news/2014/3/17/677464.html
-# From Paul Eggert (2014-03-30):
-# Simferopol and Sevastopol reportedly changed their central town clocks
-# late the previous day, but this appears to have been ceremonial
-# and the discrepancies are small enough to not worry about.
+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
+# The clocks at the railway station in Simferopol were put forward from 22:00
+# to 24:00 the previous day in a "symbolic ceremony"; however, per
+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
+# time switch at 2am" on Sunday.
+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
+# https://www.bbc.com/news/av/world-europe-26806583
2:00 EU EE%sT 2014 Mar 30 2:00
4:00 - MSK 2014 Oct 26 2:00s
3:00 - MSK
@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
# US colleague David Cochrane) are still trying to get more
# information upon these local deviations from Kiev rules.
#
-# From Paul Eggert (2022-02-08):
-# For now, assume that Ukraine's other three zones followed the same rules,
+# From Paul Eggert (2022-08-27):
+# For now, assume that Ukraine's zones all followed the same rules,
# except that Crimea switched to Moscow time in 1994 as described elsewhere.
# From Igor Karpov, who works for the Ukrainian Ministry of Justice,
@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
# * Ukrainian Government's Resolution of 20.03.1992, No. 139.
# http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
-# From Paul Eggert (2022-04-12):
-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
-# "Kyiv" is now more common due to widespread reporting of the current conflict.
-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
-# certainly wrong as a transliteration of the Czech "Praha".
-# English-language spelling of Ukrainian names is in flux, and
-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
-# common in English; in the meantime, do not change these
-# English spellings as that means less disruption for our users.
-
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-# This represents most of Ukraine. See above for the spelling of "Kyiv".
Zone Europe/Kyiv 2:02:04 - LMT 1880
2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
2:00 - EET 1930 Jun 21
@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
2:00 1:00 EEST 1991 Sep 29 3:00
2:00 C-Eur EE%sT 1996 May 13
2:00 EU EE%sT
-# Transcarpathia used CET 1990/1991.
-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
-# "Uzhgorod" is more common in English.
-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
- 1:00 - CET 1940
- 1:00 C-Eur CE%sT 1944 Oct
- 1:00 1:00 CEST 1944 Oct 26
- 1:00 - CET 1945 Jun 29
- 3:00 Russia MSK/MSD 1990
- 3:00 - MSK 1990 Jul 1 2:00
- 1:00 - CET 1991 Mar 31 3:00
- 2:00 - EET 1992 Mar 20
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
-# "Zaporozh'ye" is more common in English. Use the common English
-# spelling, except omit the apostrophe as it is not allowed in
-# portable Posix file names.
-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
- 2:20 - +0220 1924 May 2
- 2:00 - EET 1930 Jun 21
- 3:00 - MSK 1941 Aug 25
- 1:00 C-Eur CE%sT 1943 Oct 25
- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
- 2:00 E-Eur EE%sT 1992 Mar 20
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
# Vatican City
# See Europe/Rome.
diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
index 13ec081c7e0..3c0e0e2061c 100644
--- a/make/data/tzdata/southamerica
+++ b/make/data/tzdata/southamerica
@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
# for America/Santiago will start on midnight of September 11th;
# and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
# will keep UTC -3 "indefinitely"... This is because on September 4th
-# we will have a voting whether to approve a new Constitution....
-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
+# we will have a voting whether to approve a new Constitution.
+#
+# From Eduardo Romero Urra (2022-08-17):
+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
+#
+# From Paul Eggert (2022-08-17):
+# Although the presidential decree stops at fall 2026, assume that
+# similar DST rules will continue thereafter.
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab
index 51b65fa273c..ee025196e50 100644
--- a/make/data/tzdata/zone.tab
+++ b/make/data/tzdata/zone.tab
@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
TW +2503+12130 Asia/Taipei
TZ -0648+03917 Africa/Dar_es_Salaam
UA +5026+03031 Europe/Kyiv Ukraine (most areas)
-UA +4837+02218 Europe/Uzhgorod Transcarpathia
-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
UG +0019+03225 Africa/Kampala
UM +2813-17722 Pacific/Midway Midway Islands
UM +1917+16637 Pacific/Wake Wake Island
diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
index 15c2f0d1275..6f6e190efcd 100644
--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
@@ -574,12 +574,8 @@ public final class ZoneInfoFile {
// we can then pass in the dom = -1, dow > 0 into ZoneInfo
//
// hacking, assume the >=24 is the result of ZRB optimization for
- // "last", it works for now. From tzdata2020d this hacking
- // will not work for Asia/Gaza and Asia/Hebron which follow
- // Palestine DST rules.
- if (dom < 0 || dom >= 24 &&
- !(zoneId.equals("Asia/Gaza") ||
- zoneId.equals("Asia/Hebron"))) {
+ // "last", it works for now.
+ if (dom < 0 || dom >= 24) {
params[1] = -1;
params[2] = toCalendarDOW[dow];
} else {
@@ -601,7 +597,6 @@ public final class ZoneInfoFile {
params[7] = 0;
} else {
// hacking: see comment above
- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
if (dom < 0 || dom >= 24) {
params[6] = -1;
params[7] = toCalendarDOW[dow];
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
index c32bee39fba..71470168456 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
@@ -1 +1 @@
-tzdata2022c
+tzdata2022d
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
index a5e6428a3f5..e3ce742f887 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
Link Europe/London Europe/Belfast
Link Europe/Kyiv Europe/Kiev
Link Europe/Chisinau Europe/Tiraspol
+Link Europe/Kyiv Europe/Uzhgorod
+Link Europe/Kyiv Europe/Zaporozhye
Link Europe/London GB
Link Europe/London GB-Eire
Link Etc/GMT GMT+0
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
index fc148537f1f..b3823958ae4 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
@@ -163,11 +163,9 @@ Europe/Simferopol MSK
Europe/Sofia EET EEST
Europe/Tallinn EET EEST
Europe/Tirane CET CEST
-Europe/Uzhgorod EET EEST
Europe/Vienna CET CEST
Europe/Vilnius EET EEST
Europe/Warsaw CET CEST
-Europe/Zaporozhye EET EEST
Europe/Zurich CET CEST
HST HST
MET MET MEST
diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
index 7b50c342a0d..a7d14f1aa21 100644
--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
@@ -176,11 +176,12 @@ public class TestZoneInfo310 {
* save time in IANA tzdata. This bug is tracked via JDK-8223388.
*
* These are the zones/rules that employ negative DST in vanguard
- * format (as of 2019a):
+ * format (as of 2019a), Palestine added in 2022d:
*
* - Rule "Eire"
* - Rule "Morocco"
* - Rule "Namibia"
+ * - Rule "Palestine"
* - Zone "Europe/Prague"
*
* Tehran/Iran rule has rules beyond 2037, in which javazic assumes
@@ -196,6 +197,8 @@ public class TestZoneInfo310 {
zid.equals("Europe/Dublin") || // uses "Eire" rule
zid.equals("Europe/Prague") ||
zid.equals("Asia/Tehran") || // last rule mismatch
+ zid.equals("Asia/Gaza") || // uses "Palestine" rule
+ zid.equals("Asia/Hebron") || // uses "Palestine" rule
zid.equals("Iran")) { // last rule mismatch
continue;
}

420
SOURCES/jdk8295173-tzdata2022e.patch Normal file
View File

@ -0,0 +1,420 @@
commit d159a377e0243bd2c80593689fd7cd20b2b578f7
Author: duke <duke@openjdk.org>
Date: Fri Oct 14 03:37:19 2022 +0000
Backport 21407dec0156301871a83328615e4d975c4287c4
diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
index 889d0e6dad7..b8cb36e69f4 100644
--- a/make/data/tzdata/VERSION
+++ b/make/data/tzdata/VERSION
@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
-tzdata2022d
+tzdata2022e
diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
index f9df7432947..5b2337fd0b6 100644
--- a/make/data/tzdata/asia
+++ b/make/data/tzdata/asia
@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
# From the Arabic version, it seems to say it would be at midnight
# (assume 24:00) on the last Thursday in February, starting from 2022.
+# From Issam Al-Zuwairi (2022-10-05):
+# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
+# that daylight saving time (DST) will be throughout the year....
+#
+# From Brian Inglis (2022-10-06):
+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
+#
+# From Paul Eggert (2022-10-05):
+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
+# (non-DST) at the point where DST would otherwise have ended.
+
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
Rule Jordan 1973 only - Jun 6 0:00 1:00 S
Rule Jordan 1973 1975 - Oct 1 0:00 0 -
@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
Rule Jordan 2013 only - Dec 20 0:00 0 -
Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
Zone Asia/Amman 2:23:44 - LMT 1931
- 2:00 Jordan EE%sT
+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
+ 3:00 - +03
# Kazakhstan
@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
# Our brief summary:
# https://www.timeanddate.com/news/time/syria-dst-2012.html
-# From Arthur David Olson (2012-03-27):
-# Assume last Friday in March going forward XXX.
+# From Steffen Thorsen (2022-10-05):
+# Syria is adopting year-round DST, starting this autumn....
+# From https://www.enabbaladi.net/archives/607812
+# "This [the decision] came after the weekly government meeting today,
+# Tuesday 4 October ..."
+#
+# From Paul Eggert (2022-10-05):
+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
+# (non-DST) at the point where DST would otherwise have ended.
Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
Rule Syria 2008 only - Nov 1 0:00 0 -
Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
-Rule Syria 2009 max - Oct lastFri 0:00 0 -
+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
+Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
# Zone NAME STDOFF RULES FORMAT [UNTIL]
Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
- 2:00 Syria EE%sT
+ 2:00 Syria EE%sT 2022 Oct 28 0:00
+ 3:00 - +03
# Tajikistan
# From Shanks & Pottenger.
diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
index accc845dbaf..2832c4b9763 100644
--- a/make/data/tzdata/europe
+++ b/make/data/tzdata/europe
@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
0:00 Spain WE%sT 1940 Mar 16 23:00
1:00 Spain CE%sT 1979
1:00 EU CE%sT
-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
0:00 - WET 1918 May 6 23:00
0:00 1:00 WEST 1918 Oct 7 23:00
0:00 - WET 1924
diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
index 114cef14cce..ce4ee74582c 100644
--- a/make/data/tzdata/northamerica
+++ b/make/data/tzdata/northamerica
@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1920
-6:00 Chicago C%sT 1936 Mar 1 2:00
-5:00 - EST 1936 Nov 15 2:00
@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
-6:00 Chicago C%sT 1967
-6:00 US C%sT
# Oliver County, ND switched from mountain to central time on 1992-10-25.
-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 1992 Oct 25 2:00
-6:00 US C%sT
# Morton County, ND, switched from mountain to central time on
@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
# Jones, Mellette, and Todd Counties in South Dakota;
# but in practice these other counties were already observing central time.
# See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 2003 Oct 26 2:00
-6:00 US C%sT
@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
# largest city in Mercer County). Google Maps places Beulah's city hall
# at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 2010 Nov 7 2:00
-6:00 US C%sT
@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 1920
-7:00 Denver M%sT 1942
-7:00 US M%sT 1946
@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
Rule CA 1950 1961 - Sep lastSun 2:00 0 S
Rule CA 1962 1966 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
-8:00 US P%sT 1946
-8:00 CA P%sT 1967
-8:00 US P%sT
@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
# Go with the Arizona State Library instead.
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
-7:00 US M%sT 1944 Jan 1 0:01
-7:00 - MST 1944 Apr 1 0:01
-7:00 US M%sT 1944 Oct 1 0:01
@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
# switched four weeks late in 1974.
#
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
-8:00 US P%sT 1923 May 13 2:00
-7:00 US M%sT 1974
-7:00 - MST 1974 Feb 3 2:00
@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1920
-6:00 Indianapolis C%sT 1942
-6:00 US C%sT 1946
@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1951
-6:00 Marengo C%sT 1961 Apr 30 2:00
-5:00 - EST 1969
@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 Vincennes C%sT 1964 Apr 26 2:00
-5:00 - EST 1969
@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 Perry C%sT 1964 Apr 26 2:00
-5:00 - EST 1967 Oct 29 2:00
@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1955
-6:00 Pike C%sT 1965 Apr 25 2:00
-5:00 - EST 1966 Oct 30 2:00
@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1947
-6:00 Starke C%sT 1962 Apr 29 2:00
-5:00 - EST 1963 Oct 27 2:00
@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 Pulaski C%sT 1961 Apr 30 2:00
-5:00 - EST 1969
@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
#
# Switzerland County, Indiana, did not observe DST from 1973 through 2005.
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1954 Apr 25 2:00
-5:00 - EST 1969
-5:00 US E%sT 1973
@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1921
-6:00 Louisville C%sT 1942
-6:00 US C%sT 1946
@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
# Federal Register 65, 160 (2000-08-17), pp 50154-50158.
# https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
#
-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
-6:00 US C%sT 1946
-6:00 - CST 1968
-6:00 US C%sT 2000 Oct 29 2:00
@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
# longitude they are located at.
# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+Rule Mexico 1931 only - May 1 23:00 1:00 D
+Rule Mexico 1931 only - Oct 1 0:00 0 S
Rule Mexico 1939 only - Feb 5 0:00 1:00 D
Rule Mexico 1939 only - Jun 25 0:00 0 S
Rule Mexico 1940 only - Dec 9 0:00 1:00 D
@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
Rule Mexico 2002 max - Oct lastSun 2:00 0 S
# Zone NAME STDOFF RULES FORMAT [UNTIL]
# Quintana Roo; represented by Cancún
-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1981 Dec 23
-5:00 Mexico E%sT 1998 Aug 2 2:00
-6:00 Mexico C%sT 2015 Feb 1 2:00
-5:00 - EST
# Campeche, Yucatán; represented by Mérida
-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1981 Dec 23
-5:00 - EST 1982 Dec 2
-6:00 Mexico C%sT
@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
# See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
# 2016-03-12
# http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1988
-6:00 US C%sT 1989
-6:00 Mexico C%sT 2010
-6:00 US C%sT
# Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
-6:00 - CST 1988
-6:00 US C%sT 1989
-6:00 Mexico C%sT
# Central Mexico
-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 Mexico C%sT 2001 Sep 30 2:00
-6:00 - CST 2002 Feb 20
-6:00 Mexico C%sT
@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
# This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
# Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
# (See the 2016-03-12 El Universal source mentioned above.)
-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1996
-6:00 Mexico C%sT 1998
-6:00 - CST 1998 Apr Sun>=1 3:00
-7:00 Mexico M%sT 2010
-7:00 US M%sT
# Chihuahua (away from US border)
-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1996
-6:00 Mexico C%sT 1998
-6:00 - CST 1998 Apr Sun>=1 3:00
-7:00 Mexico M%sT
# Sonora
-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1942 Apr 24
-7:00 - MST 1949 Jan 14
-8:00 - PST 1970
@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
# Use "Bahia_Banderas" to keep the name to fourteen characters.
# Mazatlán
-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1942 Apr 24
-7:00 - MST 1949 Jan 14
-8:00 - PST 1970
-7:00 Mexico M%sT
# Bahía de Banderas
-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1927 Jun 10 23:00
-6:00 - CST 1930 Nov 15
- -7:00 - MST 1931 May 1 23:00
- -6:00 - CST 1931 Oct
- -7:00 - MST 1932 Apr 1
+ -7:00 Mexico M%sT 1932 Apr 1
-6:00 - CST 1942 Apr 24
-7:00 - MST 1949 Jan 14
-8:00 - PST 1970
@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
-6:00 Mexico C%sT
# Baja California
-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
-7:00 - MST 1924
-8:00 - PST 1927 Jun 10 23:00
-7:00 - MST 1930 Nov 15
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
index 71470168456..0cad939008f 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
@@ -1 +1 @@
-tzdata2022d
+tzdata2022e
diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
index b3823958ae4..2f2786f1c69 100644
--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
America/Yakutat AKST AKDT
America/Yellowknife MST MDT
Antarctica/Macquarie AEST AEDT
-Asia/Amman EET EEST
Asia/Beirut EET EEST
-Asia/Damascus EET EEST
Asia/Famagusta EET EEST
Asia/Gaza EET EEST
Asia/Hebron EET EEST

2
SOURCES/nss.fips.cfg.in
View File

@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

88
SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
View File

@ -1,88 +0,0 @@
# HG changeset patch
# User andrew
# Date 1478057514 0
# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
PR3183: Support Fedora/RHEL system crypto policy
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
@@ -43,6 +43,9 @@
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
+ * <p>Additional default values of security properties are read from a
+ * system-specific location, if available.</p>
+ *
* @author Benjamin Renaud
* @since 1.1
*/
@@ -52,6 +55,10 @@
private static final Debug sdebug =
Debug.getInstance("properties");
+ /* System property file*/
+ private static final String SYSTEM_PROPERTIES =
+ "/etc/crypto-policies/back-ends/java.config";
+
/* The java.security properties */
private static Properties props;
@@ -93,6 +100,7 @@
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
+ sdebug.println(props.toString());
}
} catch (IOException e) {
if (sdebug != null) {
@@ -114,6 +122,31 @@
}
if ("true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#

78
SOURCES/pr3695-toggle_system_crypto_policy.patch
View File

@ -1,78 +0,0 @@
# HG changeset patch
# User andrew
# Date 1545198926 0
# Wed Dec 19 05:55:26 2018 +0000
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
PR3695: Allow use of system crypto policy to be disabled by the user
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -125,31 +125,6 @@
}
if ("true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
@@ -215,6 +190,33 @@
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {

11
SOURCES/remove-intree-libraries.sh
View File

@ -5,6 +5,7 @@ TREE=${1}
TYPE=${2}
ZIP_SRC=src/java.base/share/native/libzip/zlib/
FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@ -31,15 +32,21 @@ cd ${TREE}
echo "Removing built-in libs (they will be linked)"
# On full runs, allow for zlib having already been deleted by minimal
# On full runs, allow for zlib & freetype having already been deleted by minimal
echo "Removing zlib"
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
echo "Removing freetype"
if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${FREETYPE_SRC}
# Minimal is limited to just zlib so finish here
# Minimal is limited to just zlib and freetype so finish here
if test "x${TYPE}" = "xminimal"; then
echo "Finished.";
exit 0;

10
SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
View File

@ -1,7 +1,7 @@
diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
index 534bdae5a16..2df2b59cbf6 100644
--- openjdk/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index adfaf57d29e..abf89bbf327 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
security.provider.tbd=Apple
#endif
@ -9,4 +9,4 @@ index 534bdae5a16..2df2b59cbf6 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# A list of preferred providers for specific algorithms. These providers will
# Security providers used when FIPS mode support is active

205
SOURCES/rh1655466-global_crypto_and_fips.patch
View File

@ -1,205 +0,0 @@
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
+ if (SystemConfigurator.configure(props)) {
loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
}
}
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
+fips.provider.3=SunEC
+fips.provider.4=SunJSSE
+
+#
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
# Entries containing errors (parsing, etc) will be ignored. Use the

52
SOURCES/rh1818909-fips_default_keystore_type.patch
View File

@ -1,52 +0,0 @@
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
}
props.put(fipsProviderKey, fipsProviderValue);
}
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
loadedProps = true;
}
} catch (Exception e) {
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
@@ -299,6 +299,11 @@
keystore.type=pkcs12
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading

318
SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
View File

@ -1,318 +0,0 @@
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index f9baf8c9742..60fa75cab45 100644
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@ import java.nio.file.Path;
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+import jdk.internal.access.SharedSecrets;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@ import sun.security.util.Debug;
*
*/
-class SystemConfigurator {
+final class SystemConfigurator {
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -61,15 +63,16 @@ class SystemConfigurator {
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {
- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {
- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@ class SystemConfigurator {
String nonFipsKeystoreType = props.getProperty("keystore.type");
props.put("keystore.type", keystoreTypeValue);
if (keystoreTypeValue.equals("PKCS11")) {
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@ class SystemConfigurator {
sdebug.println("FIPS mode default keystore.type = " +
keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
- System.getProperty("javax.net.ssl.keyStore", ""));
+ System.getProperty("javax.net.ssl.keyStore", ""));
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
System.getProperty("javax.net.ssl.trustStoreType", ""));
}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) {
if (sdebug != null) {
@@ -160,13 +164,30 @@ class SystemConfigurator {
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (fipsEnabled) {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
new file mode 100644
index 00000000000..a31e93ec02e
--- /dev/null
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.access;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
index f6d3638c3dd..5a2c9eb0c46 100644
--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
@@ -81,6 +81,7 @@ public class SharedSecrets {
private static JavaSecuritySpecAccess javaSecuritySpecAccess;
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
javaUtilCollectionAccess = juca;
@@ -442,4 +443,12 @@ public class SharedSecrets {
MethodHandles.lookup().ensureInitialized(c);
} catch (IllegalAccessException e) {}
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
index 6ffdfeda18d..775b185fb06 100644
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
+import jdk.internal.access.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> serverDefaultCipherSuites;
static {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30,
- ProtocolVersion.SSL20Hello
- );
-
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30,
+ ProtocolVersion.SSL20Hello
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
supportedCipherSuites = getApplicableSupportedCipherSuites(
supportedProtocols);
@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
ProtocolVersion[] candidates;
if (refactored.isEmpty()) {
// Client and server use the same default protocols.
- candidates = new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- };
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ } else {
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
} else {
// Use the customized TLS protocols.
candidates =
diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
index 894e26dfad8..8b16378b96b 100644
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,6 +27,8 @@ package sun.security.ssl;
import java.security.*;
import java.util.*;
+
+import jdk.internal.access.SharedSecrets;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
/**
@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
- ps("SSLContext", "TLSv1.3",
- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ ps("SSLContext", "TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ }
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
List.of("SSL"), null);

70
SOURCES/rh1915071-always_initialise_configurator_access.patch
View File

@ -1,70 +0,0 @@
diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index f1633afb627..ce32c939253 100644
--- openjdk/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
import jdk.internal.event.EventHelper;
import jdk.internal.event.SecurityPropertyModificationEvent;
+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
@@ -74,6 +75,15 @@ public final class Security {
}
static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
@@ -194,9 +204,8 @@ public final class Security {
}
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
if (SystemConfigurator.configure(props)) {
loadedProps = true;
}
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 60fa75cab45..10b54aa4ce4 100644
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -38,8 +38,6 @@ import java.util.Map.Entry;
import java.util.Properties;
import java.util.regex.Pattern;
-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
-import jdk.internal.access.SharedSecrets;
import sun.security.util.Debug;
/**
@@ -65,16 +63,6 @@ final class SystemConfigurator {
private static boolean systemFipsEnabled = false;
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and

69
SOURCES/rh1929465-dont_define_unused_throwioexception.patch
View File

@ -1,69 +0,0 @@
commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Sat Aug 28 01:15:28 2021 +0100
RH1929465: Don't define unused throwIOException function when using NSS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..38919d6bb0f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -34,14 +34,34 @@
#include "java_security_SystemConfigurator.h"
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
#define MSG_MAX_SIZE 96
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
+#ifndef SYSCONF_NSS
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+#endif
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
/*
* Class: java_security_SystemConfigurator
@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
#endif // SYSCONF_NSS
}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
-}

428
SOURCES/rh1929465-improve_system_FIPS_detection.patch
View File

@ -1,428 +0,0 @@
diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4
new file mode 100644
index 00000000000..b2b1c1787da
--- /dev/null
+++ openjdk/make/autoconf/lib-sysconf.m4
@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
index a65d91ee974..a8f054c1397 100644
--- openjdk/make/autoconf/libraries.m4
+++ openjdk/make/autoconf/libraries.m4
@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
m4_include([lib-x11.m4])
m4_include([lib-fontconfig.m4])
m4_include([lib-tests.m4])
+m4_include([lib-sysconf.m4])
################################################################################
# Determine which libraries are needed for this configuration
@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
LIB_SETUP_BUNDLED_LIBS
LIB_SETUP_MISC_LIBS
LIB_TESTS_SETUP_GTEST
+ LIB_SETUP_SYSCONF_LIBS
BASIC_JDKLIB_LIBS=""
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
index 29445c8c24f..9b1b512a34a 100644
--- openjdk/make/autoconf/spec.gmk.in
+++ openjdk/make/autoconf/spec.gmk.in
@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
# Libraries
#
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk
index 5658ff342e5..cb7a56852f7 100644
--- openjdk/make/modules/java.base/Lib.gmk
+++ openjdk/make/modules/java.base/Lib.gmk
@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
endif
endif
+################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
+ NAME := systemconf, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
+ ))
+
+ TARGETS += $(BUILD_LIBSYSTEMCONF)
+endif
+
################################################################################
# Create the symbols file for static builds.
diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
new file mode 100644
index 00000000000..6f4656bfcb6
--- /dev/null
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 10b54aa4ce4..6aa1419dfd0 100644
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -30,13 +30,9 @@ import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.regex.Pattern;
import sun.security.util.Debug;
@@ -58,11 +54,23 @@ final class SystemConfigurator {
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
private static boolean systemFipsEnabled = false;
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
+
+ static {
+ @SuppressWarnings("removal")
+ var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
+
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and
@@ -170,16 +178,34 @@ final class SystemConfigurator {
}
/*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
*/
private static boolean enableFips() throws Exception {
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
} else {
return false;
}

579
SOURCES/rh1991003-enable_fips_keys_import.patch
View File

@ -1,579 +0,0 @@
commit abcd0954643eddbf826d96291d44a143038ab750
Author: Martin Balao <mbalao@redhat.com>
Date: Sun Oct 10 18:14:01 2021 +0100
RH1991003: Enable the import of plain keys into the NSS software token.
This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index ce32c939253..dc7020ce668 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 6aa1419dfd0..ecab722848e 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -150,6 +151,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -177,6 +188,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
index a31e93ec02e..3f3caac64dc 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.access;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 00000000000..bee3a1e1537
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 5d3963ea893..42c72b393fd 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..4d80145cb91 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -152,16 +153,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
index e2d6d371bec..dc5e7eefdd3 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
return "0x" + Functions.toFullHexString((int)errorCode);
}
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
+ * no extra info for the error message.
+ */
+ public PKCS11Exception(long errorCode) {
+ this(errorCode, null);
+ }
+
/**
* Constructor taking the error code (the CKR_* constants in PKCS#11) and
* extra info for error message.

591
SOURCES/rh1995150-disable_non-fips_crypto.patch
View File

@ -1,591 +0,0 @@
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 63bb580eb3a..238735c0c8c 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -152,6 +152,7 @@ module java.base {
java.naming,
java.rmi,
jdk.charsets,
+ jdk.crypto.ec,
jdk.jartool,
jdk.jlink,
jdk.net,
diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
index 912cad59714..7cb5ebcde51 100644
--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
@@ -30,6 +30,7 @@ import java.net.*;
import java.util.*;
import java.security.*;
+import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.action.GetPropertyAction;
import sun.security.util.SecurityProviderConstants;
@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
public final class SunEntries {
+ private static final boolean systemFipsEnabled =
+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled();
+
// the default algo used by SecureRandom class for new SecureRandom() calls
public static final String DEF_SECURE_RANDOM_ALGO;
@@ -94,147 +99,149 @@ public final class SunEntries {
// common attribute map
HashMap<String, String> attrs = new HashMap<>(3);
- /*
- * SecureRandom engines
- */
- attrs.put("ThreadSafe", "true");
- if (NativePRNG.isAvailable()) {
- add(p, "SecureRandom", "NativePRNG",
- "sun.security.provider.NativePRNG", attrs);
- }
- if (NativePRNG.Blocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGBlocking",
- "sun.security.provider.NativePRNG$Blocking", attrs);
- }
- if (NativePRNG.NonBlocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGNonBlocking",
- "sun.security.provider.NativePRNG$NonBlocking", attrs);
- }
- attrs.put("ImplementedIn", "Software");
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
- add(p, "SecureRandom", "SHA1PRNG",
- "sun.security.provider.SecureRandom", attrs);
-
- /*
- * Signature engines
- */
- attrs.clear();
- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
- "|java.security.interfaces.DSAPrivateKey";
- attrs.put("SupportedKeyClasses", dsaKeyClasses);
- attrs.put("ImplementedIn", "Software");
-
- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-
- addWithAlias(p, "Signature", "SHA1withDSA",
- "sun.security.provider.DSA$SHA1withDSA", attrs);
- addWithAlias(p, "Signature", "NONEwithDSA",
- "sun.security.provider.DSA$RawDSA", attrs);
-
- // for DSA signatures with 224/256-bit digests
- attrs.put("KeySize", "2048");
-
- addWithAlias(p, "Signature", "SHA224withDSA",
- "sun.security.provider.DSA$SHA224withDSA", attrs);
- addWithAlias(p, "Signature", "SHA256withDSA",
- "sun.security.provider.DSA$SHA256withDSA", attrs);
-
- addWithAlias(p, "Signature", "SHA3-224withDSA",
- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
- addWithAlias(p, "Signature", "SHA3-256withDSA",
- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-
- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-
- addWithAlias(p, "Signature", "SHA384withDSA",
- "sun.security.provider.DSA$SHA384withDSA", attrs);
- addWithAlias(p, "Signature", "SHA512withDSA",
- "sun.security.provider.DSA$SHA512withDSA", attrs);
- addWithAlias(p, "Signature", "SHA3-384withDSA",
- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
- addWithAlias(p, "Signature", "SHA3-512withDSA",
- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-
- attrs.remove("KeySize");
-
- add(p, "Signature", "SHA1withDSAinP1363Format",
- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
- add(p, "Signature", "NONEwithDSAinP1363Format",
- "sun.security.provider.DSA$RawDSAinP1363Format");
- add(p, "Signature", "SHA224withDSAinP1363Format",
- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
- add(p, "Signature", "SHA256withDSAinP1363Format",
- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
- add(p, "Signature", "SHA384withDSAinP1363Format",
- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
- add(p, "Signature", "SHA512withDSAinP1363Format",
- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
- add(p, "Signature", "SHA3-224withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
- add(p, "Signature", "SHA3-256withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
- add(p, "Signature", "SHA3-384withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
- add(p, "Signature", "SHA3-512withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
- /*
- * Key Pair Generator engines
- */
- attrs.clear();
- attrs.put("ImplementedIn", "Software");
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+ if (!systemFipsEnabled) {
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG", attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", attrs);
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
+ /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ addWithAlias(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
+ addWithAlias(p, "Signature", "NONEwithDSA",
+ "sun.security.provider.DSA$RawDSA", attrs);
+
+ // for DSA signatures with 224/256-bit digests
+ attrs.put("KeySize", "2048");
+
+ addWithAlias(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
+
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+
+ addWithAlias(p, "Signature", "SHA384withDSA",
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA512withDSA",
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format");
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+ add(p, "Signature", "SHA384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+ add(p, "Signature", "SHA512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- /*
- * Algorithm Parameter Generator engines
- */
- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
- "sun.security.provider.DSAParameterGenerator", attrs);
- attrs.remove("KeySize");
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
- /*
- * Algorithm Parameter engines
- */
- addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs);
+ /*
+ * Algorithm Parameter Generator engines
+ */
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", attrs);
+ attrs.remove("KeySize");
- /*
- * Key factories
- */
- addWithAlias(p, "KeyFactory", "DSA",
- "sun.security.provider.DSAKeyFactory", attrs);
+ /*
+ * Algorithm Parameter engines
+ */
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
- /*
- * Digest engines
- */
- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
- attrs);
+ /*
+ * Key factories
+ */
+ addWithAlias(p, "KeyFactory", "DSA",
+ "sun.security.provider.DSAKeyFactory", attrs);
- addWithAlias(p, "MessageDigest", "SHA-224",
- "sun.security.provider.SHA2$SHA224", attrs);
- addWithAlias(p, "MessageDigest", "SHA-256",
- "sun.security.provider.SHA2$SHA256", attrs);
- addWithAlias(p, "MessageDigest", "SHA-384",
- "sun.security.provider.SHA5$SHA384", attrs);
- addWithAlias(p, "MessageDigest", "SHA-512",
- "sun.security.provider.SHA5$SHA512", attrs);
- addWithAlias(p, "MessageDigest", "SHA-512/224",
- "sun.security.provider.SHA5$SHA512_224", attrs);
- addWithAlias(p, "MessageDigest", "SHA-512/256",
- "sun.security.provider.SHA5$SHA512_256", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-224",
- "sun.security.provider.SHA3$SHA224", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-256",
- "sun.security.provider.SHA3$SHA256", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-384",
- "sun.security.provider.SHA3$SHA384", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-512",
- "sun.security.provider.SHA3$SHA512", attrs);
+ /*
+ * Digest engines
+ */
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+ attrs);
+
+ addWithAlias(p, "MessageDigest", "SHA-224",
+ "sun.security.provider.SHA2$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-256",
+ "sun.security.provider.SHA2$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-384",
+ "sun.security.provider.SHA5$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512",
+ "sun.security.provider.SHA5$SHA512", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-224",
+ "sun.security.provider.SHA3$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-256",
+ "sun.security.provider.SHA3$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-384",
+ "sun.security.provider.SHA3$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-512",
+ "sun.security.provider.SHA3$SHA512", attrs);
+ }
/*
* Certificates
diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index 8c9e4f9dbe6..883dc04758e 100644
--- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
@@ -38,6 +38,7 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
+import jdk.internal.access.SharedSecrets;
import sun.security.ec.ed.EdDSAAlgorithmParameters;
import sun.security.ec.ed.EdDSAKeyFactory;
import sun.security.ec.ed.EdDSAKeyPairGenerator;
@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
private static final long serialVersionUID = -2279741672933606418L;
+ private static final boolean systemFipsEnabled =
+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled();
+
private static class ProviderServiceA extends ProviderService {
ProviderServiceA(Provider p, String type, String algo, String cn,
HashMap<String, String> attrs) {
@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
putXDHEntries();
putEdDSAEntries();
-
- /*
- * Signature engines
- */
- putService(new ProviderService(this, "Signature",
- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
- null, ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
- ATTRS));
-
- putService(new ProviderService(this, "Signature",
- "NONEwithECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$RawinP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA1withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA224withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA256withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA384withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA512withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
-
- putService(new ProviderService(this, "Signature",
- "SHA3-224withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA3-256withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA3-384withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA3-512withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
-
- /*
- * Key Pair Generator engine
- */
- putService(new ProviderService(this, "KeyPairGenerator",
- "EC", "sun.security.ec.ECKeyPairGenerator",
- List.of("EllipticCurve"), ATTRS));
-
- /*
- * Key Agreement engine
- */
- putService(new ProviderService(this, "KeyAgreement",
- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
+ if (!systemFipsEnabled) {
+ /*
+ * Signature engines
+ */
+ putService(new ProviderService(this, "Signature",
+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+ null, ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+ ATTRS));
+
+ putService(new ProviderService(this, "Signature",
+ "NONEwithECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$RawinP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA1withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA224withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA256withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA384withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA512withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+
+ putService(new ProviderService(this, "Signature",
+ "SHA3-224withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA3-256withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA3-384withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA3-512withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+
+ /*
+ * Key Pair Generator engine
+ */
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "EC", "sun.security.ec.ECKeyPairGenerator",
+ List.of("EllipticCurve"), ATTRS));
+
+ /*
+ * Key Agreement engine
+ */
+ putService(new ProviderService(this, "KeyAgreement",
+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
+ }
}
private void putXDHEntries() {
@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
"X448", "sun.security.ec.XDHKeyFactory.X448",
ATTRS));
- putService(new ProviderService(this, "KeyPairGenerator",
- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
- ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
- ATTRS));
-
- putService(new ProviderService(this, "KeyAgreement",
- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
- putService(new ProviderServiceA(this, "KeyAgreement",
- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
- ATTRS));
- putService(new ProviderServiceA(this, "KeyAgreement",
- "X448", "sun.security.ec.XDHKeyAgreement.X448",
- ATTRS));
+ if (!systemFipsEnabled) {
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+ ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+ ATTRS));
+
+ putService(new ProviderService(this, "KeyAgreement",
+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+ putService(new ProviderServiceA(this, "KeyAgreement",
+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+ ATTRS));
+ putService(new ProviderServiceA(this, "KeyAgreement",
+ "X448", "sun.security.ec.XDHKeyAgreement.X448",
+ ATTRS));
+ }
}
private void putEdDSAEntries() {
@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
putService(new ProviderServiceA(this, "KeyFactory",
"Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
- putService(new ProviderService(this, "KeyPairGenerator",
- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
- ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
- ATTRS));
-
- putService(new ProviderService(this, "Signature",
- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
+ if (!systemFipsEnabled) {
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+ ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+ ATTRS));
+
+ putService(new ProviderService(this, "Signature",
+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
+ }
}
}

18
SOURCES/rh1996182-extend_security_policy.patch
View File

@ -1,18 +0,0 @@
commit bfd7c5dae9c15266799cb885b8c60199217b65b9
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Aug 30 16:14:14 2021 +0100
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
index 8356e56367b..23925f048be 100644
--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";

65
SOURCES/rh1996182-login_to_nss_software_token.patch
View File

@ -1,65 +0,0 @@
commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
Author: Martin Balao <mbalao@redhat.com>
Date: Sat Aug 28 00:35:44 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 238735c0c8c..dbbf11bbb22 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -152,6 +152,7 @@ module java.base {
java.naming,
java.rmi,
jdk.charsets,
+ jdk.crypto.cryptoki,
jdk.crypto.ec,
jdk.jartool,
jdk.jlink,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 112b639aa96..5d3963ea893 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+import jdk.internal.access.SharedSecrets;
import jdk.internal.misc.InnocuousThread;
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException

28
SOURCES/rh2021263-fips_ensure_security_initialised.patch
View File

@ -1,28 +0,0 @@
commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Jan 10 20:19:40 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
index 5a2c9eb0c46..a1ee182d913 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
@@ -39,6 +39,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -449,6 +450,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}

24
SOURCES/rh2021263-fips_missing_native_returns.patch
View File

@ -1,24 +0,0 @@
commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 10 19:32:01 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 38919d6bb0f..caf678a7dd6 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);

99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
View File

@ -1,99 +0,0 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

1182
SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch
View File

File diff suppressed because it is too large Load Diff

213
SOURCES/rh2052829-fips_runtime_nss_detection.patch
View File

@ -1,213 +0,0 @@
commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 7 15:33:27 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index caf678a7dd6..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,26 +23,37 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
-#define MSG_MAX_SIZE 96
+#define MSG_MAX_SIZE 256
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-#ifndef SYSCONF_NSS
-
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
static void throwIOException(JNIEnv *env, const char *msg)
{
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
(*env)->ThrowNew(env, cls, msg);
}
-#endif
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
-static void dbgPrint(JNIEnv *env, const char* msg)
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
}
+#endif
+
/*
* Class: java_security_SystemConfigurator
* Method: JNI_OnLoad
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ FILE *fe;
-#else // SYSCONF_NSS
-
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
}

475
SPECS/java-17-openjdk.spec
View File

@ -23,6 +23,8 @@
%bcond_without staticlibs
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
# Build with system libraries
%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@ -39,6 +41,16 @@
%global build_hotspot_first 0
%endif
%if %{with system_libs}
%global system_libs 1
%global link_type system
%global freetype_lib %{nil}
%else
%global system_libs 0
%global link_type bundled
%global freetype_lib |libfreetype[.]so.*
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -190,11 +202,15 @@
%global staticlibs_loop %{nil}
%endif
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@ -305,12 +321,8 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
%global updatever 3
%global updatever 5
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
# GA'ed in September 2021 => 21.9
%global vendor_version_string 21.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@ -325,16 +337,39 @@
%global lts_designator_zip ""
%endif
# Define vendor information used by OpenJDK
%global oj_vendor Red Hat, Inc.
%global oj_vendor_url https://www.redhat.com/
# Define what url should JVM offer in case of a crash report
# order may be important, epel may have rhel declared
%if 0%{?epel}
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
%else
%if 0%{?fedora}
# Does not work for rawhide, keeps the version field empty
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
%else
%if 0%{?rhel}
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
%else
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
%endif
%endif
%endif
%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 0bd5ca9ccc5
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
%global rpmrelease 1
%global buildver 8
%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -363,35 +398,18 @@
%global is_ga 1
%if %{is_ga}
%global build_type GA
%global expected_ea_designator ""
%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global build_type EA
%global expected_ea_designator ea
%global ea_designator_zip -%{expected_ea_designator}
%global extraver .%{expected_ea_designator}
%global ea_designator ea
%global ea_designator_zip -%{ea_designator}
%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
# Define what url should JVM offer in case of a crash report
# order may be important, epel may have rhel declared
%if 0%{?epel}
%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
%else
%if 0%{?fedora}
# Does not work for rawhide, keeps the version field empty
%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
%else
%if 0%{?rhel}
%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
%else
%global bugs https://bugzilla.redhat.com/enter_bug.cgi
%endif
%endif
%endif
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
@ -409,7 +427,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@ -813,6 +831,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
%if ! %{system_libs}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@ -931,7 +952,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@ -970,11 +991,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@ -1097,7 +1118,9 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
Requires: tzdata-java >= 2015d
# 2022d required as of JDK-8294357
# Should be bumped to 2022e once available (JDK-8295173)
Requires: tzdata-java >= 2022d
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@ -1110,6 +1133,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
# for system security properties
Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@ -1284,9 +1309,15 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
# Ensure vendor settings are correct
Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
# Ensure translations are available for new timezones
Source18: TestTranslations.java
############################################
#
# RPM/distribution specific patches
@ -1304,41 +1335,38 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Follow system wide crypto policy RHBZ#1249083
Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
Patch5: pr3695-toggle_system_crypto_policy.patch
# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# FIPS support patches
# Crypto policy and FIPS support patches
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
Patch1008: rh1929465-improve_system_FIPS_detection.patch
Patch1011: rh1929465-dont_define_unused_throwioexception.patch
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
Patch1009: rh1995150-disable_non-fips_crypto.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1010: rh1996182-login_to_nss_software_token.patch
Patch1012: rh1996182-extend_security_policy.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1013: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
Patch1017: rh2052829-fips_runtime_nss_detection.patch
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
# RH2023467: Enable FIPS keys export
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
# RH2104724: Avoid import/export of DH private keys
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
# Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores
# RH2020290: Support TLS 1.3 in FIPS mode
Patch1001: fips-17u-%{fipsver}.patch
#############################################
#
@ -1350,10 +1378,22 @@ Patch2000: jdk8275535-rh2053256-ldap_auth.patch
#############################################
#
# OpenJDK patches appearing in 17.0.3
# OpenJDK patches appearing in 17.0.5
#
#############################################
#############################################
#
# OpenJDK patches targetted for 17.0.6
#
#############################################
# JDK-8293834: Update CLDR data following tzdata 2022c update
Patch2001: jdk8293834-kyiv_cldr_update.patch
# JDK-8294357: (tz) Update Timezone Data to 2022d
Patch2002: jdk8294357-tzdata2022d.patch
# JDK-8295173: (tz) Update Timezone Data to 2022e
Patch2003: jdk8295173-tzdata2022e.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: alsa-lib-devel
@ -1363,14 +1403,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@ -1381,6 +1415,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
# Requirement for system security property test
BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@ -1390,7 +1426,9 @@ BuildRequires: java-17-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
BuildRequires: tzdata-java >= 2015d
# 2022d required as of JDK-8294357
# Should be bumped to 2022e once available (JDK-8295173)
BuildRequires: tzdata-java >= 2022d
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@ -1399,6 +1437,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
%if %{system_libs}
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
Provides: bundled(freetype) = 2.12.1
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
Provides: bundled(harfbuzz) = 4.4.1
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.12.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
Provides: bundled(libpng) = 1.6.37
# We link statically against libstdc++ to increase portability
BuildRequires: libstdc++-static
%endif
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@ -1708,6 +1770,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
echo "Preparing %{oj_vendor_version}"
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@ -1746,39 +1810,53 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
%endif
# Patch the JDK
pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
# tzdata updates targetted for 17.0.6
%patch2001 -p1
%patch2002 -p1
%patch2003 -p1
popd # openjdk
%patch1000
%patch600
%patch1001
%patch1002
%patch1004
%patch1007
%patch1008
%patch1009
%patch1010
%patch1011
%patch1012
%patch1013
%patch1014
%patch1015
%patch1016
%patch1017
%patch1018
%patch2000
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
# default pre-version supplied there (despite
# what the file claims), so we pass it manually
# to configure
VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
if [ -f ${VERSION_FILE} ] ; then
UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
else
echo "Could not find OpenJDK version file.";
exit 16
fi
if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
echo "WARNING: Designator mismatch";
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
# Don't fail at present as upstream are not maintaining the value correctly
#exit 17
fi
# Extract systemtap tapsets
%if %{with_systemtap}
tar --strip-components=1 -x -I xz -f %{SOURCE8}
@ -1874,22 +1952,12 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
# default pre-version supplied there (despite
# what the file claims), so we pass it manually
# to configure
VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
if [ -f ${VERSION_FILE} ] ; then
EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
# This must be set using the global, so that the
# static libraries still use a dynamic stdc++lib
if [ "x%{link_type}" = "xbundled" ] ; then
libc_link_opt="static";
else
echo "Could not find OpenJDK version file.";
exit 16
fi
if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
exit 17
libc_link_opt="dynamic";
fi
echo "Using output directory: ${outputdir}";
@ -1898,11 +1966,15 @@ function buildjdk() {
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir}
pushd ${outputdir}
# Note: zlib and freetype use %{link_type}
# rather than ${link_opt} as the system versions
# are always used in a system_libs build, even
# for the static library build
bash ${top_dir_abs_src_path}/configure \
%ifarch %{zero_arches}
--with-jvm-variants=zero \
@ -1911,25 +1983,26 @@ function buildjdk() {
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
--with-version-pre="${EA_DESIGNATOR}" \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-name="Red Hat, Inc." \
--with-vendor-url="https://www.redhat.com/" \
--with-vendor-bug-url="%{bugs}" \
--with-vendor-vm-bug-url="%{bugs}" \
--with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-zlib=%{link_type} \
--with-freetype=%{link_type} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
--with-stdc++lib=dynamic \
--with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-ldflags="%{ourldflags}" \
@ -1972,6 +2045,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@ -2011,12 +2088,13 @@ for suffix in %{build_loop} ; do
bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then
link_opt="%{link_type}"
%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries
link_opt="system"
%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@ -2034,9 +2112,11 @@ for suffix in %{build_loop} ; do
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@ -2052,6 +2132,9 @@ for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# Print release information
cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
# build cycles
done # end of release / debug cycle loop
@ -2067,6 +2150,8 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Pre-test setup
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
@ -2080,9 +2165,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
# Check system crypto (policy) can be disabled
# Check system crypto (policy) is active and can be disabled
# Test takes a single argument - true or false - to state whether system
# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@ -2094,6 +2184,11 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
# Check translations are available for new timezones
$JAVA_HOME/bin/javac -d . %{SOURCE18}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@ -2110,14 +2205,6 @@ do
# All these tests rely on RPM failing the build if the exit code of any set
# of piped commands is non-zero.
# If this is the empty library, libsyslookup.so, of the foreign function and memory
# API incubation module (JEP 412), skip the debuginfo check as this seems unreliable
# on s390x. It's not very useful for other arches either, so skip unconditionally.
if [ "`basename $lib`" = "libsyslookup.so" ]; then
echo "Skipping debuginfo check for empty library 'libsyslookup.so'"
continue
fi
# Test for .debug_* sections in the shared object. This is the main test
# Stripped objects will not contain these
eu-readelf -S "$lib" | grep "] .debug_"
@ -2132,7 +2219,7 @@ do
do
# We expect to see .cpp files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
done
IFS="$old_IFS"
@ -2557,6 +2644,154 @@ require "copy_jdk_configs.lua"
%endif
%changelog
* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2
- Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA)
- Switch to GA mode for final release.
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Update CLDR data with Europe/Kyiv (JDK-8293834)
- Drop JDK-8292223 patch which we found to be unnecessary
- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
- Remove freetype sources along with zlib sources
- Resolves: rhbz#2133695
* Tue Oct 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.7-0.2.ea
- Update to jdk-17.0.5+7
- Update release notes to 17.0.5+7
- Drop JDK-8288985 patch that is now upstream
- Resolves: rhbz#2130617
* Mon Oct 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.1-0.2.ea
- Update to jdk-17.0.5+1
- Update release notes to 17.0.5+1
- Switch to EA mode for 17.0.5 pre-release builds.
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Related: rhbz#2130617
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-6
- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
- Resolves: rhbz#2006351
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2121263
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4
- Fix flatpak builds (catering for their uncompressed manual pages)
- Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102734
* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3
- Update FIPS support to bring in latest changes
- * RH2104724: Avoid import/export of DH private keys
- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
- * Build the systemconf library on all platforms
- * RH2048582: Support PKCS#12 keystores
- * RH2020290: Support TLS 1.3 in FIPS mode
- Resolves: rhbz#2104724
- Resolves: rhbz#2092507
- Resolves: rhbz#2048582
- Resolves: rhbz#2020290
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
- Update to jdk-17.0.4.1+1
- Update release notes to 17.0.4.1+1
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
- Add test to ensure timezones can be translated
- Resolves: rhbz#2119531
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3
- Update to jdk-17.0.4.0+8
- Update release notes to 17.0.4.0+8
- Switch to GA mode for release
- Resolves: rhbz#2106522
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
- Revert the following changes until copy-java-configs has adapted to relative symlinks:
- * Move cacerts replacement to install section and retain original of this and tzdb.dat
- * Run tests on the installed image, rather than the build image
- * Introduce variables to refer to the static library installation directories
- * Use relative symlinks so they work within the image
- * Run debug symbols check during build stage, before the install strips them
- The move of turning on system security properties is retained so we don't ship with them off
- Related: rhbz#2100674
* Wed Jul 20 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.4.0.7-0.2.ea
- retutrned absolute symlinks
- relative symlinks are breaking cjc, and deeper investigations are necessary
-- why cjc intentionally skips relative symllinks
- images have to be workarounded differently
- Related: rhbz#2100674
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.4.0+7
- Update release notes to 17.0.4.0+7
- Switch to EA mode for 17.0.4 pre-release builds.
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
- Move EA designator check to prep so failures can be caught earlier
- Make EA designator check non-fatal while upstream is not maintaining it
- Explicitly require crypto-policies during build and runtime for system security properties
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
- Resolves: rhbz#2083316
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Related: rhbz#2083316
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Fix whitespace in spec file
- Related: rhbz#2100674
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
- Related: rhbz#2100674
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them
- Related: rhbz#2100674
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2007331
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-4
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
- Resolves: rhbz#2099840
- Resolves: rhbz#2100674
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2101524
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- RH2023467: Enable FIPS keys export
- RH2094027: SunEC runtime permission for FIPS
- Resolves: rhbz#2023467
- Resolves: rhbz#2094027
* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
- April 2022 security update to jdk 17.0.3+7
- Update to jdk-17.0.3.0+7 release tarball