Additional default values of security properties are read from a ++ * system-specific location, if available.
++ * + * @author Benjamin Renaud + * @since 1.1 + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -84,6 +106,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -99,6 +122,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -193,6 +217,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..98ffced455b +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,249 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction+ * PKCS#11 structure: + *
+ * typedef struct CK_PBE_PARAMS {
+- * CK_CHAR_PTR pInitVector;
+- * CK_CHAR_PTR pPassword;
++ * CK_BYTE_PTR pInitVector;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+- * CK_CHAR_PTR pSalt;
++ * CK_BYTE_PTR pSalt;
+ * CK_ULONG ulSaltLen;
+ * CK_ULONG ulIteration;
+ * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pInitVector;
++ * CK_BYTE_PTR pInitVector;
+ *
+ */
+- public char[] pInitVector;
++ public byte[] pInitVector;
+
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pPassword;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+ *
+ */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pSalt
++ * CK_BYTE_PTR pSalt
+ * CK_ULONG ulSaltLen;
+ *
+ */
+- public char[] pSalt;
++ public byte[] pSalt;
+
+ /**
+ * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+ */
+ public long ulIteration;
+
++ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++ this.pPassword = pPassword;
++ this.pSalt = pSalt;
++ this.ulIteration = ulIteration;
++ }
++
+ /**
+ * Returns the string representation of CK_PBE_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+
+ package sun.security.pkcs11.wrapper;
+
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+ /**
+ * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+ * PKCS#11 structure:
+ *
+ * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ * CK_VOID_PTR pSaltSourceData;
+ * CK_ULONG ulSaltSourceDataLen;
+ * CK_ULONG iterations;
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ * CK_VOID_PTR pPrfData;
+ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG_PTR ulPasswordLen;
+ * } CK_PKCS5_PBKD2_PARAMS;
+ *
+ *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+ */
+ public byte[] pPrfData;
+
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG_PTR ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
+ /**
+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.
++ * PKCS#11 structure:
++ *
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ * CK_ULONG iterations;
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ *
++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *
++ */
++ public long saltSource;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ *
++ */
++ public byte[] pSaltSourceData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_ULONG iterations;
++ *
++ */
++ public long iterations;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *
++ */
++ public long prf;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ *
++ */
++ public byte[] pPrfData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
++ /**
++ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++ *
++ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++ */
++ public String toString() {
++ StringBuilder sb = new StringBuilder();
++
++ sb.append(Constants.INDENT);
++ sb.append("saltSource: ");
++ sb.append(saltSource);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pSaltSourceData: ");
++ sb.append(Functions.toHexString(pSaltSourceData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulSaltSourceDataLen: ");
++ sb.append(pSaltSourceData.length);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("iterations: ");
++ sb.append(iterations);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("prf: ");
++ sb.append(prf);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pPrfData: ");
++ sb.append(Functions.toHexString(pPrfData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulPrfDataLen: ");
++ sb.append(pPrfData.length);
++
++ return sb.toString();
++ }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+ public byte[] pPublicData;
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..5fbf8addcba 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -113,6 +116,8 @@ public class PKCS11 {
+
+ private long pNativeData;
+
++ private CK_INFO pInfo;
++
+ /**
+ * This method does the initialization of the native library. It is called
+ * exactly once for this class.
+@@ -145,23 +150,49 @@ public class PKCS11 {
+ * @postconditions
+ */
+ PKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ connect(pkcs11ModulePath, functionListName);
+ this.pkcs11ModulePath = pkcs11ModulePath;
++ pInfo = C_GetInfo();
++ }
++
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
+ }
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -179,6 +210,14 @@ public class PKCS11 {
+ return pkcs11;
+ }
+
++ /**
++ * Returns the CK_INFO structure fetched at initialization with
++ * C_GetInfo. This structure represent Cryptoki library information.
++ */
++ public CK_INFO getInfo() {
++ return pInfo;
++ }
++
+ /**
+ * Connects this object to the specified PKCS#11 library. This method is for
+ * internal use only.
+@@ -1625,7 +1664,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+
+ SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ }
+
+@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map sensitiveAttrs = new HashMap<>();
++ List nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map sensitiveAttrs,
++ List nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index d22844cfba8..9e02958b4b0 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+ public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
+ public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
+
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
+-
+- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
+-
+ public static final long CK_OTP_VALUE = 0x00000000L;
+ public static final long CK_OTP_PIN = 0x00000001L;
+ public static final long CK_OTP_CHALLENGE = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+ public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
+ */
+
++ // PBKDF2 support, used in P11Util
++ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
++
+ // private NSS attribute (for DSA and DH private keys)
+ public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L;
+
+ // base number of NSS private attributes
+ public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+- = 0xCE534350L;
++ /* now known as CKM_NSS ^ */ = 0xCE534350L;
+
+ // object type for NSS trust
+ public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+ = 0xCE534355L;
+ public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
+ public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
++
++ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++ /* (CKM_NSS + 29) */ = 0xCE53436DL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++ /* (CKM_NSS + 30) */ = 0xCE53436EL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++ /* (CKM_NSS + 31) */ = 0xCE53436FL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++ /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index 666c5eb9b3b..5523dafcdb4 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+ break;
+ case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ // retrieve java values
+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+ if (jPbeParamsClass == NULL) { return NULL; }
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+ if (fieldID == NULL) { return NULL; }
+ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+
+ // populate using java values
+ ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+ }
+ }
+
++#define PBKD2_PARAM_SET(member, value) \
++ do { \
++ if(ckParamPtr->version == PARAMS) { \
++ ckParamPtr->params.v1.member = value; \
++ } else { \
++ ckParamPtr->params.v2.member = value; \
++ } \
++ } while(0)
++
++#define PBKD2_PARAM_ADDR(member) \
++ ( \
++ (ckParamPtr->version == PARAMS) ? \
++ (void*) &ckParamPtr->params.v1.member : \
++ (void*) &ckParamPtr->params.v2.member \
++ )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+ * pointer
+ *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+ */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++ VersionedPbkd2ParamsPtr ckParamPtr;
++ ParamVersion paramVersion;
++ CK_ULONG_PTR pUlPasswordLen;
+ jclass jPkcs5Pbkd2ParamsClass;
+ jfieldID fieldID;
+ jlong jSaltSource, jIteration, jPrf;
+- jobject jSaltSourceData, jPrfData;
++ jobject jSaltSourceData, jPrfData, jPassword;
+
+ if (pLength != NULL) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++ if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS;
++ } else if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS2;
++ } else {
++ return NULL;
++ }
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+ if (fieldID == NULL) { return NULL; }
+ jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++ if (fieldID == NULL) { return NULL; }
++ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+
+- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++ // allocate memory for VersionedPbkd2Params and store the structure version
++ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+ if (ckParamPtr == NULL) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
++ ckParamPtr->version = paramVersion;
+
+ // populate using java values
+- ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++ jByteArrayToCKByteArray(env, jSaltSourceData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++ PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- ckParamPtr->iterations = jLongToCKULong(jIteration);
+- ckParamPtr->prf = jLongToCKULong(jPrf);
+- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++ jByteArrayToCKByteArray(env, jPrfData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++ PBKD2_PARAM_ADDR(ulPrfDataLen));
++ if ((*env)->ExceptionCheck(env)) {
++ goto cleanup;
++ }
++ if (ckParamPtr->version == PARAMS) {
++ pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++ if (pUlPasswordLen == NULL) {
++ throwOutOfMemoryError(env, 0);
++ goto cleanup;
++ }
++ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++ } else {
++ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++ }
++ jCharArrayToCKUTF8CharArray(env, jPassword,
++ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++ pUlPasswordLen);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+
+ if (pLength != NULL) {
+- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++ *pLength = (ckParamPtr->version == PARAMS ?
++ sizeof(ckParamPtr->params.v1) :
++ sizeof(ckParamPtr->params.v2));
+ }
++ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+ return ckParamPtr;
+ cleanup:
+- free(ckParamPtr->pSaltSourceData);
+- free(ckParamPtr->pPrfData);
++ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+ free(ckParamPtr);
+ return NULL;
+
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+ case CKM_CAMELLIA_CTR:
+ // params do not contain pointers
+ break;
++ case CKM_PKCS5_PBKD2:
++ // get the versioned structure from behind memory
++ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++ "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++ break;
++ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++ break;
+ default:
+ // currently unsupported mechs by SunPKCS11 provider
+ // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+ // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+ // PBE mechs, WTLS mechs, CMS mechs,
+ // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+ // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+ jboolean* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+ jbyte* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+ jlong* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+ jchar* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+ jchar* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+
+ #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350)
++/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB 0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL 0x80000373
+
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32)
++
+ /*
+
+ Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++ union {
++ CK_PKCS5_PBKD2_PARAMS v1;
++ CK_PKCS5_PBKD2_PARAMS2 v2;
++ } params;
++ ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \
++ do { \
++ if ((verParamsPtr)->version == PARAMS) { \
++ free((verParamsPtr)->params.v1.pSaltSourceData); \
++ free((verParamsPtr)->params.v1.pPrfData); \
++ free((verParamsPtr)->params.v1.pPassword); \
++ free((verParamsPtr)->params.v1.ulPasswordLen); \
++ } else { \
++ free((verParamsPtr)->params.v2.pSaltSourceData); \
++ free((verParamsPtr)->params.v2.pPrfData); \
++ free((verParamsPtr)->params.v2.pPassword); \
++ } \
++ } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+
+ putXDHEntries();
+ putEdDSAEntries();
+-
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator",
+- List.of("EllipticCurve"), ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator",
++ List.of("EllipticCurve"), ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
new file mode 100644
index 0000000..2b6c729
--- /dev/null
+++ b/java-17-openjdk.spec
@@ -0,0 +1,3551 @@
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libjsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+%global gdb_arches %{jit_arches} %{zero_arches}
+
+# By default, we build a debug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
+%global debug_symbols internal
+
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images
+%global release_targets images docs-zip
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 5
+%global patchver 0
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver 17
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+ %global lts_designator "LTS"
+ %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 0bd5ca9ccc5
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 8
+%global rpmrelease 2
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+%global family %{name}.%{_arch}
+%global family_noarch %{name}
+
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka target_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
+%endif
+
+# not-duplicated scriptlets for normal/debug packages
+%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+
+%define save_alternatives() %{expand:
+ # warning! alternatives are localised!
+ # LANG=cs_CZ.UTF-8 alternatives --display java | head
+ # LANG=en_US.UTF-8 alternatives --display java | head
+ function nonLocalisedAlternativesDisplayOfMaster() {
+ LANG=en_US.UTF-8 alternatives --display "$MASTER"
+ }
+ function headOfAbove() {
+ nonLocalisedAlternativesDisplayOfMaster | head -n $1
+ }
+ MASTER="%{?1}"
+ LOCAL_LINK="%{?2}"
+ FAMILY="%{?3}"
+ rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+ if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+ if headOfAbove 1 | grep -q manual ; then
+ if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+ headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+ fi
+ fi
+ fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ upgrade1_uninstal0=%{?3}
+ if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+ %{save_alternatives %{?1} %{?2} %{?4}}
+ fi
+ alternatives --remove "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+ MASTER="%{?1}"
+ FAMILY="%{?2}"
+ ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+ if [ -e "$ALTERNATIVES_FILE" ] ; then
+ rm "$ALTERNATIVES_FILE"
+ alternatives --set $MASTER $FAMILY
+ fi
+}
+
+
+%define post_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+}
+
+%define alternatives_java_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=java
+alternatives \\
+ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
+ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
+ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
+ --slave %{_mandir}/man1/java.1$ext java.1$ext \\
+ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
+ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
+ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+ key=jre_"$X"
+ alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
+done
+
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+# see pretrans where this file is declared
+# also see that pretrans is only for non-debug
+if [ ! "%{?1}" == %{debug_suffix} ]; then
+ if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
+ sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}}
+ fi
+fi
+
+exit 0
+}
+
+%define postun_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+
+%define postun_headless() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
+}
+
+%define posttrans_script() %{expand:
+%{update_desktop_icons}
+}
+
+
+%define alternatives_javac_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=javac
+alternatives \\
+ --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
+ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
+ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+ --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+%endif
+%endif
+ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
+ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
+ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
+ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
+ --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
+ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
+ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
+ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
+ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
+ --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
+ --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
+ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
+ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
+ --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
+ --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
+ --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
+ --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
+ --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
+ --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
+ --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
+ --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
+ --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
+ %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
+ %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
+ %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
+ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
+ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+ %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
+ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
+ %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
+ %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
+ %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
+ %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
+ %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
+ %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
+ %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
+ %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
+ %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
+ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
+ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+ key=java_sdk_"$X"
+ alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
+done
+
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_devel() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+exit 0
+}
+
+%define postun_devel() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+%define posttrans_devel() %{expand:
+%{alternatives_javac_install -- %{?1}}
+%{update_desktop_icons}
+}
+
+%define alternatives_javadoc_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+exit 0
+}
+
+%define alternatives_javadoczip_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc_zip() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+exit 0
+}
+
+%define files_jre() %{expand:
+%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
+}
+
+
+%define files_jre_headless() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%dir %{_sysconfdir}/.java/.systemPrefs
+%dir %{_sysconfdir}/.java
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}
+%{_jvmdir}/%{sdkdir -- %{?1}}/release
+%{_jvmdir}/%{jrelnk -- %{?1}}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
+%ifarch %{jit_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
+%ifarch %{svml_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{share_arches}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%endif
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/sdp
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# This is a config template, thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
+
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+# Where recommendations are available, recommend Gtk+ for the Swing look and feel
+%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
+Recommends: gtk3%{?_isa}
+%endif
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+Requires: tzdata-java >= 2022d
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 3.3
+OrderWithRequires: copy-jdk-configs
+%endif
+# for printing support
+Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
+# for FIPS PKCS11 provider
+Requires: nss
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# Where suggestions are available, recommend the sctp and pcsc libraries
+# for optional support of kernel stream control and card reader
+%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
+%endif
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name: java-%{javaver}-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
+# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
+Patch1001: fips-17u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch2000: jdk8275535-rh2053256-ldap_auth.patch
+
+#############################################
+#
+# OpenJDK patches appearing in 17.0.5
+#
+#############################################
+
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
+#
+#############################################
+# JDK-8293834: Update CLDR data following tzdata 2022c update
+Patch2001: jdk8293834-kyiv_cldr_update.patch
+# JDK-8294357: (tz) Update Timezone Data to 2022d
+Patch2002: jdk8294357-tzdata2022d.patch
+# JDK-8295173: (tz) Update Timezone Data to 2022e
+Patch2003: jdk8295173-tzdata2022e.patch
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-17-openjdk-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+BuildRequires: tzdata-java >= 2022d
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools .
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} %{featurever} demos.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_src_rpo %{nil}}
+
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%endif
+
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%endif
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+%endif
+
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo -- %{nil} -zip}
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+%endif
+
+%prep
+
+echo "Preparing %{oj_vendor_version}"
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+ %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+%endif
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch6 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
+# tzdata updates targetted for 17.0.6
+%patch2001 -p1
+%patch2002 -p1
+%patch2003 -p1
+popd # openjdk
+
+%patch600
+
+%patch2000
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ # Don't fail at present as upstream are not maintaining the value correctly
+ #exit 17
+fi
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+ sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ OUTPUT_FILE=$NAME$suffix.$EXT
+ sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+ sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
+ bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-version-build=%{buildver} \
+ --with-version-pre="%{ea_designator}" \
+ --with-version-opt=%{lts_designator} \
+ --with-vendor-version-string="%{oj_vendor_version}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="%{debug_symbols}" \
+ --disable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=${libc_link_opt} \
+ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+ --with-extra-cflags="$EXTRA_CFLAGS" \
+ --with-extra-ldflags="%{ourldflags}" \
+ --with-num-cores="$NUM_PROC" \
+ --with-source-date="${SOURCE_DATE_EPOCH}" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+%endif
+ --disable-warnings-as-errors
+
+ cat spec.gmk
+
+ make \
+ LOG=trace \
+ WARNINGS_ARE_ERRORS="-Wno-error" \
+ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
+ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+
+ popd
+}
+
+function installjdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
+ # Use system-wide tzdata
+ rm ${imagepath}/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+ fi
+}
+
+%if %{build_hotspot_first}
+ # Build a fresh libjvm.so first and use it to bootstrap
+ cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+ systemjdk=$(pwd)/newboot
+ buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
+ mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
+%else
+ systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+ if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+ else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+ fi
+
+
+ for loop in %{main_suffix} %{staticlibs_loop} ; do
+
+ builddir=%{buildoutputdir -- ${suffix}${loop}}
+ bootbuilddir=boot${builddir}
+
+ if test "x${loop}" = "x%{main_suffix}" ; then
+ link_opt="%{link_type}"
+%if %{system_libs}
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+%endif
+ # Debug builds don't need same targets as release for
+ # build speed-up. We also avoid bootstrapping these
+ # slower builds.
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ run_bootstrap=false
+ else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
+ fi
+ if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
+ buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
+ rm -rf ${bootbuilddir}
+ else
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ fi
+%if %{system_libs}
+ # Restore original source tree we modified by removing full in-tree sources
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
+ else
+ # Use bundled libraries for building statically
+ link_opt="bundled"
+ # Static library cycle only builds the static libraries
+ maketargets="%{static_libs_target}"
+ # Always just do the one build for the static libraries
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ fi
+
+ done # end of main / staticlibs loop
+
+ # Final setup on the main image
+ top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+ installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+ # Print release information
+ cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Pre-test setup
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+so_suffix="so"
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+
+if (os.getenv("debug") == "true") then
+ debug = true;
+ print("cjc: in spec debug is on")
+else
+ debug = false;
+end
+
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+
+ if (stat1 ~= nil) then
+ if (debug) then
+ print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+ end;
+ package.path = package.path .. ";" .. SOURCE1
+else
+ if (stat2 ~= nil) then
+ if (debug) then
+ print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+ end;
+ package.path = package.path .. ";" .. SOURCE2
+ else
+ if (debug) then
+ print(SOURCE1 .." does NOT exists")
+ print(SOURCE2 .." does NOT exists")
+ print("No config files will be copied")
+ end
+ return
+ end
+end
+-- run content of included file with fake args
+arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+require "copy_jdk_configs.lua"
+
+%post
+%{post_script %{nil}}
+
+%post headless
+%{post_headless %{nil}}
+
+%postun
+%{postun_script %{nil}}
+
+%postun headless
+%{postun_headless %{nil}}
+
+%posttrans
+%{posttrans_script %{nil}}
+
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
+%post devel
+%{post_devel %{nil}}
+
+%postun devel
+%{postun_devel %{nil}}
+
+%posttrans devel
+%{posttrans_devel %{nil}}
+
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
+
+%postun javadoc
+%{postun_javadoc %{nil}}
+
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
+
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+
+%posttrans devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+
+%posttrans devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{files_jre %{nil}}
+%else
+%files
+# placeholder
+%endif
+
+
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+
+%files devel
+%{files_devel %{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%endif
+
+%files jmods
+%{files_jmods %{nil}}
+
+%files demo
+%{files_demo %{nil}}
+
+%files src
+%{files_src %{nil}}
+
+%files javadoc
+%{files_javadoc %{nil}}
+
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%endif
+
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%endif
+
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%changelog
+* Wed Oct 26 2022 Andrew Hughes - 1:17.0.5.0.8-2
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
+- Remove freetype sources along with zlib sources
+- Resolves: rhbz#2133695
+
+* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea
+- Update to jdk-17.0.5+7
+- Update release notes to 17.0.5+7
+- Drop JDK-8288985 patch that is now upstream
+- Resolves: rhbz#2130617
+
+* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.2.ea
+- Update to jdk-17.0.5+1
+- Update release notes to 17.0.5+1
+- Switch to EA mode for 17.0.5 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+- Related: rhbz#2130617
+
+* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-6
+- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
+- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
+- Resolves: rhbz#2006351
+
+* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121263
+
+* Mon Aug 29 2022 Stephan Bergmann - 1:17.0.4.1.1-4
+- Fix flatpak builds (catering for their uncompressed manual pages)
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102734
+
+* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-3
+- Update FIPS support to bring in latest changes
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2104724
+- Resolves: rhbz#2092507
+- Resolves: rhbz#2048582
+- Resolves: rhbz#2020290
+
+* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-2
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119531
+
+* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-3
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
+- Switch to GA mode for release
+- Resolves: rhbz#2106522
+
+* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea
+- Revert the following changes until copy-java-configs has adapted to relative symlinks:
+- * Move cacerts replacement to install section and retain original of this and tzdb.dat
+- * Run tests on the installed image, rather than the build image
+- * Introduce variables to refer to the static library installation directories
+- * Use relative symlinks so they work within the image
+- * Run debug symbols check during build stage, before the install strips them
+- The move of turning on system security properties is retained so we don't ship with them off
+- Related: rhbz#2100674
+
+* Wed Jul 20 2022 Jiri Vanek - 1:17.0.4.0.7-0.2.ea
+- retutrned absolute symlinks
+- relative symlinks are breaking cjc, and deeper investigations are necessary
+-- why cjc intentionally skips relative symllinks
+- images have to be workarounded differently
+- Related: rhbz#2100674
+
+* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.4.0+7
+- Update release notes to 17.0.4.0+7
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+- Resolves: rhbz#2083316
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2083316
+
+* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6
+- Fix whitespace in spec file
+- Related: rhbz#2100674
+
+* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6
+- Sequence spec file sections as they are run by rpmbuild (build, install then test)
+- Related: rhbz#2100674
+
+* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6
+- Turn on system security properties as part of the build's install section
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Run tests on the installed image, rather than the build image
+- Introduce variables to refer to the static library installation directories
+- Use relative symlinks so they work within the image
+- Run debug symbols check during build stage, before the install strips them
+- Related: rhbz#2100674
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2007331
+
+* Tue Jun 28 2022 Andrew Hughes - 1:17.0.3.0.7-4
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099840
+- Resolves: rhbz#2100674
+
+* Tue Jun 28 2022 Andrew Hughes - 1:17.0.3.0.7-3
+- Add rpminspect.yaml to turn off Java bytecode inspections
+- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
+- Resolves: rhbz#2101524
+
+* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-2
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+- Resolves: rhbz#2023467
+- Resolves: rhbz#2094027
+
+* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Update to jdk-17.0.3.0+7 release tarball
+- Update release notes to 17.0.3.0+6
+- Add missing README.md and generate_source_tarball.sh
+- Switch to GA mode for release
+- JDK-8283911 patch no longer needed now we're GA...
+- Resolves: rhbz#2073577
+
+* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+- Resolves: rhbz#2050456
+
+* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+- Related: rhbz#2050456
+
+* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-15
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Resolves: rhbz#2052070
+
+* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-14
+- Introduce tests/tests.yml, based on the one in java-11-openjdk
+- Resolves: rhbz#2058493
+
+* Sun Feb 27 2022 Severin Gehwolf - 1:17.0.2.0.8-13
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+ secmod.db file as part of nss
+- Resolves: rhbz#2023536
+
+* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-12
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2051605
+
+* Fri Feb 25 2022 Andrew Hughes - 1:17.0.2.0.8-11
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053256
+
+* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-10
+- Storing and restoring alterntives during update manually
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008200
+
+* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-9
+- Family extracted to globals
+- Resolves: rhbz#2008200
+
+* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-8
+- alternatives creation moved to posttrans
+- Thus fixing the old reisntall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008200
+
+* Mon Feb 21 2022 Andrew Hughes - 1:17.0.2.0.8-7
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2051590
+
+* Fri Feb 18 2022 Andrew Hughes - 1:17.0.2.0.8-6
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Resolves: rhbz#2023378
+
+* Thu Feb 17 2022 Andrew Hughes - 1:17.0.2.0.8-5
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Handle Fedora in distro conditionals that currently only pertain to RHEL.
+- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
+- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Resolves: rhbz#2022822
+
+* Thu Feb 17 2022 Jiri Vanek - 1:17.0.2.0.8-5
+- Replaced tabs by sets of spaces to make rpmlint happy
+- javadoc-zip gets its own provides next to plain javadoc ones
+- Resolves: rhbz#2022822
+
+* Tue Feb 08 2022 Jiri Vanek - 1:17.0.2.0.8-4
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-3
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
+- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-2
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Severin Gehwolf - 1:17.0.2.0.8-2
+- Set LTS designator.
+- Related: rhbz#2022822
+
+* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1
+- January 2022 security update to jdk 17.0.2+8
+- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
+- Rename libsvml.so to libjsvml.so following JDK-8276025
+- Resolves: rhbz#2039366
+
+* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-3
+- Sync desktop files with upstream IcedTea release 3.15.0 using new script
+- Related: rhbz#2013842
+
+* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2
+- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
+- Resolves: rhbz#2013842
+
+* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-2
+- October CPU update to jdk 17.0.1+12
+- Dropped commented-out source line
+- Resolves: rhbz#2013842
+
+* Sun Oct 10 2021 Andrew Hughes - 1:17.0.0.0.35-6
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Resolves: rhbz#1994661
+
+* Sun Oct 10 2021 Martin Balao - 1:17.0.0.0.35-6
+- Add patch to allow plain key import.
+- Resolves: rhbz#1994661
+
+* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-5
+- Update release notes to document the major changes between OpenJDK 11 & 17.
+- Resolves: rhbz#2003072
+
+* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-3
+- Update to jdk-17+35, also known as jdk-17-ga.
+- Switch to GA mode.
+- Add JDK-8272332 fix so we actually link against HarfBuzz.
+- Resolves: rhbz#2003072
+- Resolves: rhbz#2004078
+
+* Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
+- Resolves: rhbz#1996182
+
+* Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea
+- Fix unused function compiler warning found in systemconf.c
+- Related: rhbz#1995150
+
+* Sat Aug 28 2021 Martin Balao - 1:17.0.0.0.33-0.4.ea
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1996182
+
+* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.3.ea
+- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
+- Resolves: rhbz#1995150
+
+* Fri Aug 27 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Related: rhbz#1995150
+
+* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.1.ea
+- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
+- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
+- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
+- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
+- Disable FIPS mode support unless com.redhat.fips is set to "true".
+- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
+- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
+- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Martin Balao - 1:17.0.0.0.33-0.1.ea
+- Support the FIPS mode crypto policy (RH1655466)
+- Use appropriate keystore types when in FIPS mode (RH1818909)
+- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.0.ea
+- Update to jdk-17+33, including JDWP fix and July 2021 CPU
+- Resolves: rhbz#1959487
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.26-0.5.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.4.ea
+- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Severin Gehwolf - 1:17.0.0.0.26-0.3.ea
+- Re-enable TestSecurityProperties after inclusion of PR3695
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.3.ea
+- Add PR3695 to allow the system crypto policy to be turned off
+- Resolves: rhbz#1959487
+
+* Wed Jul 14 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea
+- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
+- Resolves: rhbz#1959487
+
+* Wed Jul 14 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea
+- Update buildjdkver to 17 so as to build with itself
+- Resolves: rhbz#1959487
+
+* Tue Jul 13 2021 Jiri Vanek - 1:17.0.0.0.26-0.1.ea
+- Add gating support
+- Resolves: rhbz#1959487
+
+* Mon Jun 21 2021 Andrew Hughes - 1:17.0.0.0.26-0.0.ea
+- Rename as java-17-openjdk and bootstrap using boot JDK in local sources
+- Exclude x86 as this is not supported by OpenJDK 17
+- Resolves: rhbz#1959487
+
+* Fri Jun 11 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.0.ea.rolling
+- update sources to jdk 17.0.0+26
+- set is_ga to 0, as this is early access build
+- change vendor_version_string
+- change path to the version-numbers.conf
+- removed rmid binary from files and from slaves
+- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407
+- add lib/libsyslookup.so to files
+- renamed lib/security/blacklisted.certs to lib/security/blocked.certs
+- add lib/libsvml.so for intel
+- skip debuginfo check for libsyslookup.so on s390x
+
+* Thu Apr 29 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling
+- adapted to debug handling in newer cjc
+- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
+- Disable copy-jdk-configs for Flatpak builds
+
+* Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling
+- update to 16.0.1+9 april cpu tag
+- dropped jdk8259949-allow_cf-protection_on_x86.patch
+
+* Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling
+- Perform static library build on a separate source tree with bundled image libraries
+- Make static library build optional
+- Based on initial work by Severin Gehwolf
+
+* Tue Mar 09 2021 Jiri Vanek - 1:16.0.0.0.36-1.rolling
+- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa}
+- bumped buildjdkver to build by itself - 16
+
+* Fri Feb 19 2021 Andrew Hughes - 1:16.0.0.0.36-0.rolling
+- Update to jdk-16.0.0.0+36
+- Update tarball generation script to use git following OpenJDK's move to github
+- Update tarball generation script to use PR3823 which handles JDK-8235710 changes
+- Use upstream default for version-pre rather than setting it to "ea" or ""
+- Drop libsunec.so which is no longer generated, thanks to JDK-8235710
+- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10
+- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles
+- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename
+- Use system harfbuzz now this is supported.
+- Pass SOURCE_DATE_EPOCH to build for reproducible builds
+
+* Fri Feb 19 2021 Stephan Bergmann - 1:15.0.2.0.7-1.rolling
+- Hardcode /usr/sbin/alternatives for Flatpak builds
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1:15.0.2.0.7-0.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Andrew Hughes - 1:15.0.2.0.7-0.rolling
+- Update to jdk-15.0.2.0+7
+- Add release notes for 15.0.1.0 & 15.0.2.0
+- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
+- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
+- Cleanup debug package descriptions and version number placement.
+- Remove unused patch files.
+
+* Tue Jan 19 2021 Andrew Hughes - 1:15.0.1.9-10.rolling
+- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
+
+* Tue Dec 22 2020 Jiri Vanek - 1:15.0.1.9-9.rolling
+- fixed missing condition for fastdebug packages being counted as debug ones
+
+* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-8.rolling
+- removed lib-style provides for fastdebug_suffix_unquoted
+
+* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling
+- many cosmetic changes taken from more maintained jdk11
+- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
+ instead of various hardcoded ifarches
+- updated systemtap
+- added requires excludes for debug pkgs
+- removed redundant logic around jsa files
+- added runtime requires of lksctp-tools and libXcomposite%
+- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
+- s390x excluded form fastdebug build
+
+* Thu Dec 17 2020 Andrew Hughes - 1:15.0.1.9-5.rolling
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+
+* Wed Dec 9 2020 Jiri Vanek - 1:15.0.1.9-4.rolling
+- moved wrongly placed licenses to accompany other ones
+- this bad placement was killng parallel-installability and thus having bad impact to leapp if used
+
+* Tue Dec 01 2020 Jiri Vanek - 1:15.0.1.9-3.rolling
+- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
+- no longer copying of java->alt-java as it is created by patch600
+
+* Mon Nov 23 2020 Jiri Vanek - 1:15.0.1.9-2.rolling
+- Create a copy of java as alt-java with alternatives and man pages
+- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
+
+* Sun Oct 25 2020 Petra Alice Mikova - 1:15.0.1.9-1.rolling
+- updated to October CPU 2020 sources
+
+* Thu Oct 22 2020 Severin Gehwolf - 1:15.0.0.36-4.rolling
+- Fix directory ownership of -static-libs sub-package.
+
+* Fri Oct 09 2020 Jiri Vanek - 1:15.0.0.36-3.rolling
+- Build static-libs-image and add resulting files via -static-libs sub-package.
+- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package.
+- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
+- Update static-libs packaging to new layout
+
+* Mon Sep 21 2020 Petra Alice Mikova - 1:15.0.0.36-2.rolling
+- Add support for fastdebug builds on 64 bit architectures
+
+* Tue Sep 15 2020 Severin Gehwolf - 1:15.0.0.36-1.rolling
+- Remove EA designation
+- Re-generate sources with PR3803 patch
+
+* Mon Aug 31 2020 Petra Alice Mikova - 1:15.0.0.36-0.1.ea.rolling
+- Update to jdk 15.0.0.36 tag
+- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+- Update vendor version string to 20.9
+- jjs removed from packaging after JEP 372: Nashorn removal
+- rmic removed from packaging after JDK-8225319
+
+* Mon Jul 27 2020 Severin Gehwolf - 1:14.0.2.12-2.rolling
+- Disable LTO so as to pass debuginfo check
+
+* Wed Jul 22 2020 Petra Alice Mikova - 1:14.0.2.12-1.rolling
+- update to jdk 14.0.2.12 CPU version
+- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch
+- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch
+- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch
+
+* Thu Jul 09 2020 Andrew Hughes - 1:14.0.1.7-4.rolling
+- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
+- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
+
+* Thu May 14 2020 Petra Alice Mikova - 1:14.0.1.7-3.rolling
+- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide
+- rename and reorganize patch sections
+
+* Thu Apr 23 2020 Severin Gehwolf - 1:14.0.1.7-2.rolling
+- Fix vendor version to 20.3 (from 19.9)
+
+* Fri Apr 17 2020 Petra Alice Mikova - 1:14.0.1.7-1.rolling
+- April security update
+- uploaded new src tarball
+
+* Wed Apr 08 2020 Jiri Vanek - 1:14.0.0.36-4.rolling
+- set vendor property and vendor urls
+- made urls to be preconfigured by os
+
+* Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling
+- Remove s390x workaround flags for GCC 10
+- bump buildjdkver to 14
+- uploaded new src tarball
+
+* Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling
+- removed a whitespace causing fail of postinstall script
+- removed backslashes at the end of alternatives command
+
+* Fri Mar 13 2020 Petra Alice Mikova - 1:14.0.0.36-1.rolling
+- update to jdk 14+36 ga build
+- remove JDK-8224851 patch, as OpenJDK 14 already contains it
+- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
+- added listings for jpackage binary, manpages and added slave records to alternatives
+
+* Thu Mar 12 2020 Petra Alice Mikova - 1:13.0.2.8-4.rolling
+- add patch for build issues with make 4.3
+
+* Thu Feb 27 2020 Severin Gehwolf - 1:13.0.2.8-3.rolling
+- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531)
+- fix issues with build with GCC10: JDK-8224851, -fcommon switch
+
+* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
+- Add JDK-8224851 patch to resolve aarch64 issues
+
+* Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling
+- fix Release, as it was broken by last rpmdev-bumpspec
+
+* Wed Jan 29 2020 Fedora Release Engineering - 1:13.0.2.8-1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Petra Alice Mikova - 1:13.0.2.8-1.rolling
+- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+- updated sources to the 13.0.2+8 tag
+
+* Fri Oct 25 2019 Petra Alice Mikova - 1:13.0.1.9-2.rolling
+- Fixed hardcoded major version in jdk13u to macro
+- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+
+* Mon Oct 21 2019 Petra Alice Mikova - 1:13.0.1.9-1.rolling
+- Updated to October 2019 CPU sources
+
+* Wed Oct 16 2019 Petra Alice Mikova - 1:13.0.0.33-3.rolling
+- synced up generate tarball script with other OpenJDK packages
+- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources
+- regenerated sources with the updated script
+
+* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling
+- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
+
+* Wed Oct 02 2019 Andrew John Hughes - 1:13.0.0.33-3.rolling
+- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
+- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
+- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
+- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
+
+* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling
+- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
+
+* Tue Oct 01 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling
+- Don't produce javadoc/javadoc-zip sub packages for the
+ debug variant build.
+- Don't perform a bootcycle build for the debug variant build.
+
+* Mon Sep 30 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling
+- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9
+
+* Wed Aug 14 2019 Petra Alice Mikova - 1:13.0.0.33-1.rolling
+- updated to 13+33 sources
+- added two manpages to file listings (jfr, jaotc)
+- set is_ga to 1 to match build from jdk.java.net
+
+* Fri Jul 26 2019 Severin Gehwolf - 1:13.0.0.28-0.2.ea.rolling
+- Fix bootjdkver macro. It attempted to build with jdk 12, which is
+ no longer available in rawhide (it's 13 instead).
+- Fix Release as rpmdev-bumpspec doesn't do it correctly.
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1:13.0.0.28-0.1.ea.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 09 2019 Petra Alice Mikova - 1:13.0.0.28-0.1.ea.rolling
+- updated to jdk 13
+- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch
+- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+- fixed file listings
+- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49:
+- Include 'ea' designator in Release when appropriate
+- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately
+
+* Tue May 21 2019 Petra Alice Mikova - 1:12.0.1.12-2.rolling
+- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324)
+
+* Thu Apr 18 2019 Petra Mikova - 1:12.0.1.12-1.rolling
+- updated sources to current CPU release
+
+* Thu Apr 04 2019 Petra Mikova - 1:12.0.0.33-4.rolling
+- added slave for jfr binary in devel package
+
+* Thu Mar 21 2019 Petra Mikova - 1:12.0.0.33-3.rolling
+- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs.
+- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc
+- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS
+- removed duplicated dependency on lksctp-tools
+
+* Wed Mar 20 2019 Peter Robinson 1:12.0.0.33-2.ea.1.rolling
+- Drop chkconfig dep, 1.7 shipped in f24
+
+* Thu Mar 07 2019 Petra Mikova - 1:12.0.0.33-1.ea.1.rolling
+- bumped sources to jdk12+33
+
+* Mon Feb 11 2019 Severin Gehwolf - 1:12.0.0.30-1.ea.1.rolling
+- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively.
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1:12.0.0.25-0.ea.1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 21 2018 Jiri Vanek - 1:12.0.0.25-0.ea.1.rolling
+- bumped sources to jdk12. Crypto list synced.
+- adapted patches to usptream (removed are upstreamed)
+- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch:
+- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch
+- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk)
+- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
+- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
+- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream
+- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
+- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
+- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- set build jdk to jdk11; buildjdkver set to 11
+- todo, revisit _privatelibs and slaves, discuse patch10, more?
+- now building with --no-print-directory to workaround JDK8215213
+- renamed original of docs zip to jdk-major+build
+- check shenandaoh with -XX:+UnlockExperimentalVMOptions
+- libjli moved from lib/libjli to lib
+- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template
+- added explanation to the --no-print-directory
+- re-added lts_designator_zip macro
+- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch
+
+* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-10.rolling
+- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
+- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
+- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
+
+* Tue Dec 04 2018 Severin Gehwolf - 1:11.0.1.13-9
+- Added %%global _find_debuginfo_opts -g
+- Resolves: RHBZ#1520879 (Detailed NMT issue)
+
+* Fri Nov 30 2018 Jiri Vanek - 1:11.0.1.13-8
+- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version
+
+* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6
+- fixed tck failures of arraycopy and process exec with shenandoah on
+- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
+
+* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5
+- headless' suggests of cups, replaced by Requires of cups-libs
+
+* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3
+- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+
+* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3
+- Use upstream's version of Aarch64 intrinsics disable patch:
+ - Removed:
+ RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+ RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+ - Superceded by:
+ jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2
+- Use LTS designator in version output for RHEL.
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1
+- Update to October 2018 CPU release, 11.0.1+13.
+
+* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2
+- Use --with-vendor-version-string=18.9 so as to show original
+ GA date for the JDK.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1
+- Identify as GA version and no longer as early access (EA).
+- JDK 11 has been released for GA on 2018-09-25.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9
+- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
+ RHBZ-1624122.
+- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libjsig.
+- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- Reinstate filtering of opt flags coming from redhat-rpm-config.
+
+* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8
+- removed version less provides
+- javadocdir moved to arched dir as it is no longer noarch
+
+* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6
+- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
+ so as to disable log math intrinsic on aarch64. Work-around for
+ JDK-8210858
+
+* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5
+- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
+ so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
+ JDK-8210461.
+
+* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6
+- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- No longer filter -O flags from C flags coming from
+ redhat-rpm-config.
+
+* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4
+- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
+
+* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3
+- Enable ZGC on x86_64.
+
+* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2
+- jfr/*jfc files listed for all arches
+- lib/classlist do not exists s390, ifarch-ed via jit_arches out
+
+* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1
+- Update to latest upstream build jdk11+28, the first release
+ candidate.
+
+* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8
+- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
+ as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
+
+* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6
+- dissabled accessibility, fixed provides for main package's debug variant
+
+* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5
+- now buildrequires javapackages-filesystem as the issue with macros should be fixed
+
+* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2
+- changed to build by itself instead of by jdk10
+
+* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1
+- added Recommends gtk3 for main package
+- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
+- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
+- see RHBZ1598152
+- added trick to catch hs_err files (sgehwolf)
+- updated to shenandaoh-jdk-11+22
+
+* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1
+- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
+- improved a bit generate_source_tarball.sh to serve also for systemtap
+- thus deleted generate_tapsets.sh
+- simplified and cleared update_package.sh
+- moved to single source jdk - from shenandoah/jdk11
+- bumped to latest jdk11+20
+- adapted PR2126 to jdk11+20
+- adapted handling of systemtap sources to new style
+- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
+- shortened summaries and descriptions to around 80 chars
+- Hunspell spell checked
+- license fixed to correct jdk11 (sgehwolf)
+- more correct handling of internal libraries (sgehwolf)
+- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
+- added test for shenandaoh GC presence where expected
+- Removed workaround for broken aarch64 slowdebug build
+- Removed all defattrs
+- Removed no longer necessary cleanup of diz and debuginfo files
+
+* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1
+- updated sources to jdk-11+19
+- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
+- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
+
+* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5
+- Revert rename: java-11-openjdk => java-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4
+- Add aarch64 to aot_arches.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3
+- Rename to package java-11-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2
+- Disable Aarch64 slowdebug build (see JDK-8204331).
+- s390x doesn't have the SA even though it's a JIT arch.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1
+- Initial version of JDK 11 ea based on tag jdk-11+16.
+- Removed patches no longer needed or upstream:
+ sorted-diff.patch (see JDK-8198844)
+ JDK-8201788-bootcycle-images-jobs.patch
+ JDK-8201509-s390-atomic_store.patch
+ JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
+ JDK-8193802-npe-jar-getVersionMap.patch
+- Updated and renamed patches:
+ java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
+- Updated patches for JDK 11:
+ pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9
+- Use proper private_libs expression for filtering requires/provides.
+
+* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8
+- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
+
+* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7
+- quoted sed expressions, changed possibly confusing # by @
+- added vendor(origin) into icons
+- removed last trace of relative symlinks
+- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
+
+* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5
+- Move to javapackages-filesystem for directory ownership.
+ Resolves RHBZ#1500288
+
+* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4
+- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
+ RHBZ#1557375.
+
+* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3
+- Inject build flags properly. See RHBZ#1571359
+- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
+ since libjsig.so doesn't get linker flags injected properly.
+
+* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2
+- Removed unneeded patches:
+ PStack-808293.patch
+ multiple-pkcs11-library-init.patch
+ ppc_stack_overflow_fix.patch
+- Added patches for s390 Zero builds:
+ JDK-8201495-s390-java-opts.patch
+ JDK-8201509-s390-atomic_store.patch
+- Renamed patches for clarity:
+ aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
+ systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+ bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
+ system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1
+- updated to security update 1
+- jexec unlinked from path
+- used java-openjdk as boot jdk
+- aligned provides/requires
+- renamed zip javadoc
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12
+- Enable basic EC ciphers test in %%check.
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11
+- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
+- Resolves RHBZ#1565658
+
+* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10
+- jexec linked to path
+
+* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9
+- subpackage(s) replaced by sub-package(s) and other cosmetic changes
+
+* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8
+- removed accessibility sub-packages
+- kept applied patch and properties files
+- debug sub-packages renamed to slowdebug
+
+* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1
+- initial load
diff --git a/jconsole.desktop.in b/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch
new file mode 100644
index 0000000..51bd6d2
--- /dev/null
+++ b/jdk8275535-rh2053256-ldap_auth.patch
@@ -0,0 +1,26 @@
+diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index 70903206ea0..09956084cf9 100644
+--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+ ctx = getLdapCtxFromUrl(
+ r.getDomainName(), url, new LdapURL(u), env);
+ return ctx;
++ } catch (AuthenticationException e) {
++ // do not retry on a different endpoint to avoid blocking
++ // the user if authentication credentials are wrong.
++ throw e;
+ } catch (NamingException e) {
+ // try the next element
+ lastException = e;
+@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+ for (String u : urls) {
+ try {
+ return getUsingURL(u, env);
++ } catch (AuthenticationException e) {
++ // do not retry on a different URL to avoid blocking
++ // the user if authentication credentials are wrong.
++ throw e;
+ } catch (NamingException e) {
+ ex = e;
+ }
diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch
new file mode 100644
index 0000000..b8dda24
--- /dev/null
+++ b/jdk8293834-kyiv_cldr_update.patch
@@ -0,0 +1,51 @@
+diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml
+index 41ff6d236c8..e703020dcdd 100644
+--- a/make/data/cldr/common/bcp47/timezone.xml
++++ b/make/data/cldr/common/bcp47/timezone.xml
+@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html
+
+Date: Wed Oct 5 07:13:43 2022 +0000
+
+ 8294357: (tz) Update Timezone Data to 2022d
+
+ Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54
+
+diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/make/data/tzdata/VERSION
++++ b/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
+index 3a150b0f36b..f9df7432947 100644
+--- a/make/data/tzdata/asia
++++ b/make/data/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards. Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
+ Rule Palestine 2014 only - Oct 24 0:00 0 -
+ Rule Palestine 2015 only - Mar 28 0:00 1:00 S
+ Rule Palestine 2015 only - Oct 23 1:00 0 -
+-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
+ Rule Palestine 2019 only - Mar 29 0:00 1:00 S
+-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
+-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
+ Rule Palestine 2020 only - Oct 24 1:00 0 -
+-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
+-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
++Rule Palestine 2021 only - Oct 29 1:00 0 -
++Rule Palestine 2022 only - Mar 27 0:00 1:00 S
++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/make/data/tzdata/backward
++++ b/make/data/tzdata/backward
+@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
+index 879b5337536..accc845dbaf 100644
+--- a/make/data/tzdata/europe
++++ b/make/data/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 2:00 EU EE%sT 2014 Mar 30 2:00
+ 4:00 - MSK 2014 Oct 26 2:00s
+ 3:00 - MSK
+@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-# This represents most of Ukraine. See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
+ 2:00 - EET 1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 C-Eur EE%sT 1996 May 13
+ 2:00 EU EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+- 1:00 - CET 1940
+- 1:00 C-Eur CE%sT 1944 Oct
+- 1:00 1:00 CEST 1944 Oct 26
+- 1:00 - CET 1945 Jun 29
+- 3:00 Russia MSK/MSD 1990
+- 3:00 - MSK 1990 Jul 1 2:00
+- 1:00 - CET 1991 Mar 31 3:00
+- 2:00 - EET 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English. Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
+- 2:20 - +0220 1924 May 2
+- 2:00 - EET 1930 Jun 21
+- 3:00 - MSK 1941 Aug 25
+- 1:00 C-Eur CE%sT 1943 Oct 25
+- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
+- 2:00 E-Eur EE%sT 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/make/data/tzdata/southamerica
++++ b/make/data/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"... This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/make/data/tzdata/zone.tab
++++ b/make/data/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
+ TW +2503+12130 Asia/Taipei
+ TZ -0648+03917 Africa/Dar_es_Salaam
+ UA +5026+03031 Europe/Kyiv Ukraine (most areas)
+-UA +4837+02218 Europe/Uzhgorod Transcarpathia
+-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
+ UG +0019+03225 Africa/Kampala
+ UM +2813-17722 Pacific/Midway Midway Islands
+ UM +1917+16637 Pacific/Wake Wake Island
+diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 15c2f0d1275..6f6e190efcd 100644
+--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -574,12 +574,8 @@ public final class ZoneInfoFile {
+ // we can then pass in the dom = -1, dow > 0 into ZoneInfo
+ //
+ // hacking, assume the >=24 is the result of ZRB optimization for
+- // "last", it works for now. From tzdata2020d this hacking
+- // will not work for Asia/Gaza and Asia/Hebron which follow
+- // Palestine DST rules.
+- if (dom < 0 || dom >= 24 &&
+- !(zoneId.equals("Asia/Gaza") ||
+- zoneId.equals("Asia/Hebron"))) {
++ // "last", it works for now.
++ if (dom < 0 || dom >= 24) {
+ params[1] = -1;
+ params[2] = toCalendarDOW[dow];
+ } else {
+@@ -601,7 +597,6 @@ public final class ZoneInfoFile {
+ params[7] = 0;
+ } else {
+ // hacking: see comment above
+- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
+ if (dom < 0 || dom >= 24) {
+ params[6] = -1;
+ params[7] = toCalendarDOW[dow];
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+index c32bee39fba..71470168456 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022c
++tzdata2022d
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+index a5e6428a3f5..e3ce742f887 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+index fc148537f1f..b3823958ae4 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -163,11 +163,9 @@ Europe/Simferopol MSK
+ Europe/Sofia EET EEST
+ Europe/Tallinn EET EEST
+ Europe/Tirane CET CEST
+-Europe/Uzhgorod EET EEST
+ Europe/Vienna CET CEST
+ Europe/Vilnius EET EEST
+ Europe/Warsaw CET CEST
+-Europe/Zaporozhye EET EEST
+ Europe/Zurich CET CEST
+ HST HST
+ MET MET MEST
+diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+index 7b50c342a0d..a7d14f1aa21 100644
+--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
++++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+@@ -176,11 +176,12 @@ public class TestZoneInfo310 {
+ * save time in IANA tzdata. This bug is tracked via JDK-8223388.
+ *
+ * These are the zones/rules that employ negative DST in vanguard
+- * format (as of 2019a):
++ * format (as of 2019a), Palestine added in 2022d:
+ *
+ * - Rule "Eire"
+ * - Rule "Morocco"
+ * - Rule "Namibia"
++ * - Rule "Palestine"
+ * - Zone "Europe/Prague"
+ *
+ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
+@@ -196,6 +197,8 @@ public class TestZoneInfo310 {
+ zid.equals("Europe/Dublin") || // uses "Eire" rule
+ zid.equals("Europe/Prague") ||
+ zid.equals("Asia/Tehran") || // last rule mismatch
++ zid.equals("Asia/Gaza") || // uses "Palestine" rule
++ zid.equals("Asia/Hebron") || // uses "Palestine" rule
+ zid.equals("Iran")) { // last rule mismatch
+ continue;
+ }
diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch
new file mode 100644
index 0000000..8ffd2ee
--- /dev/null
+++ b/jdk8295173-tzdata2022e.patch
@@ -0,0 +1,420 @@
+commit d159a377e0243bd2c80593689fd7cd20b2b578f7
+Author: duke
+Date: Fri Oct 14 03:37:19 2022 +0000
+
+ Backport 21407dec0156301871a83328615e4d975c4287c4
+
+diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/make/data/tzdata/VERSION
++++ b/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
+index f9df7432947..5b2337fd0b6 100644
+--- a/make/data/tzdata/asia
++++ b/make/data/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
+ Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
+ Rule Jordan 2013 only - Dec 20 0:00 0 -
+ Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
+-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
+-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Amman 2:23:44 - LMT 1931
+- 2:00 Jordan EE%sT
++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
++ 3:00 - +03
+
+
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+
+ Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
+ Rule Syria 2008 only - Nov 1 0:00 0 -
+ Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
+ Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
+-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
+-Rule Syria 2009 max - Oct lastFri 0:00 0 -
++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
++Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
+- 2:00 Syria EE%sT
++ 2:00 Syria EE%sT 2022 Oct 28 0:00
++ 3:00 - +03
+
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
+index accc845dbaf..2832c4b9763 100644
+--- a/make/data/tzdata/europe
++++ b/make/data/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
+ 0:00 Spain WE%sT 1940 Mar 16 23:00
+ 1:00 Spain CE%sT 1979
+ 1:00 EU CE%sT
+-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
+ 0:00 - WET 1918 May 6 23:00
+ 0:00 1:00 WEST 1918 Oct 7 23:00
+ 0:00 - WET 1924
+diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/make/data/tzdata/northamerica
++++ b/make/data/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
+ Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
+ Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Chicago C%sT 1936 Mar 1 2:00
+ -5:00 - EST 1936 Nov 15 2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+ -6:00 Chicago C%sT 1967
+ -6:00 US C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1992 Oct 25 2:00
+ -6:00 US C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See .
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2003 Oct 26 2:00
+ -6:00 US C%sT
+
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+ # largest city in Mercer County). Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2010 Nov 7 2:00
+ -6:00 US C%sT
+
+@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
+ Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
+ Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1920
+ -7:00 Denver M%sT 1942
+ -7:00 US M%sT 1946
+@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+ Rule CA 1950 1961 - Sep lastSun 2:00 0 S
+ Rule CA 1962 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1946
+ -8:00 CA P%sT 1967
+ -8:00 US P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1944 Jan 1 0:01
+ -7:00 - MST 1944 Apr 1 0:01
+ -7:00 US M%sT 1944 Oct 1 0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1923 May 13 2:00
+ -7:00 US M%sT 1974
+ -7:00 - MST 1974 Feb 3 2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Indianapolis C%sT 1942
+ -6:00 US C%sT 1946
+@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1951
+ -6:00 Marengo C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
+ Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Vincennes C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1969
+@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+ Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Perry C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1967 Oct 29 2:00
+@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+ Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1955
+ -6:00 Pike C%sT 1965 Apr 25 2:00
+ -5:00 - EST 1966 Oct 30 2:00
+@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
+ Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1947
+ -6:00 Starke C%sT 1962 Apr 29 2:00
+ -5:00 - EST 1963 Oct 27 2:00
+@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Pulaski C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1954 Apr 25 2:00
+ -5:00 - EST 1969
+ -5:00 US E%sT 1973
+@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
+ Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
+ Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1921
+ -6:00 Louisville C%sT 1942
+ -6:00 US C%sT 1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 - CST 1968
+ -6:00 US C%sT 2000 Oct 29 2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ # longitude they are located at.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++Rule Mexico 1931 only - May 1 23:00 1:00 D
++Rule Mexico 1931 only - Oct 1 0:00 0 S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
+ Rule Mexico 2002 max - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 Mexico E%sT 1998 Aug 2 2:00
+ -6:00 Mexico C%sT 2015 Feb 1 2:00
+ -5:00 - EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 - EST 1982 Dec 2
+ -6:00 Mexico C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT 2010
+ -6:00 US C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 Mexico C%sT 2001 Sep 30 2:00
+ -6:00 - CST 2002 Feb 20
+ -6:00 Mexico C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT 2010
+ -7:00 US M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT
+ # Sonora
+-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+
+ # Mazatlán
+-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+ -7:00 Mexico M%sT
+
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+ -6:00 Mexico C%sT
+
+ # Baja California
+-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1924
+ -8:00 - PST 1927 Jun 10 23:00
+ -7:00 - MST 1930 Nov 15
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+index 71470168456..0cad939008f 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022d
++tzdata2022e
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+index b3823958ae4..2f2786f1c69 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
+ America/Yakutat AKST AKDT
+ America/Yellowknife MST MDT
+ Antarctica/Macquarie AEST AEDT
+-Asia/Amman EET EEST
+ Asia/Beirut EET EEST
+-Asia/Damascus EET EEST
+ Asia/Famagusta EET EEST
+ Asia/Gaza EET EEST
+ Asia/Hebron EET EEST
diff --git a/nss.cfg.in b/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
new file mode 100644
index 0000000..2d9ec35
--- /dev/null
+++ b/nss.fips.cfg.in
@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
new file mode 100644
index 0000000..25c2fc8
--- /dev/null
+++ b/remove-intree-libraries.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib & freetype having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
+
+# Minimal is limited to just zlib and freetype so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+ toolkit = new HeadlessToolkit(toolkit);
+ }
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..6d2342a
--- /dev/null
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index adfaf57d29e..abf89bbf327 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # Security providers used when FIPS mode support is active
diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
new file mode 100644
index 0000000..5e2b254
--- /dev/null
+++ b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+
+ private final static String PROP_NAME = "sun.security.smartcardio.library";
+
+- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+ private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+
+ PlatformPCSC() {
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..88f5e5a
--- /dev/null
+++ b/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+ OPTIMIZATION := HIGH, \
+ ))
+
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+ $(eval $(call SetupBuildLauncher, javaw, \
+ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+
diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+ /* and fill it in */
+ dst_ptr = icc_data;
+ for (seq_no = first; seq_no < last; seq_no++) {
+- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ unsigned int length =
+ icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..b1d8135
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (openjdk-jdk17u-jdk-17.0.5+8.tar.xz) = 1acbda948374d7834347c9b98cfc25a7db24a5656e4466792831015158bdf24026a35a2cdbb8993c09e906a5f305b9e7749fa36b4dae3e75800a8976a2cb2b82
+SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30