From 47fb230d2f0446679f7cd27af2b3a97963b76888 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 8 Nov 2022 12:11:07 +0000 Subject: [PATCH] Auto sync2gitlab import of java-17-openjdk-17.0.5.0.8-2.el8.src.rpm --- .gitignore | 2 + CheckVendor.java | 65 + EMPTY | 1 - NEWS | 1886 ++++++ TestCryptoLevel.java | 72 + TestECDSA.java | 49 + TestSecurityProperties.java | 84 + TestTranslations.java | 140 + fips-17u-0bd5ca9ccc5.patch | 5585 +++++++++++++++++ java-17-openjdk.spec | 3551 +++++++++++ jconsole.desktop.in | 10 + jdk8275535-rh2053256-ldap_auth.patch | 26 + jdk8293834-kyiv_cldr_update.patch | 51 + jdk8294357-tzdata2022d.patch | 303 + jdk8295173-tzdata2022e.patch | 420 ++ nss.cfg.in | 5 + nss.fips.cfg.in | 8 + remove-intree-libraries.sh | 164 + ...sible_toolkit_crash_do_not_break_jvm.patch | 16 + ...ut_nss_cfg_provider_to_java_security.patch | 12 + ...va_access_bridge_privileged_security.patch | 20 + ...lite-libs_instead_of_pcsc-lite-devel.patch | 13 + rh1750419-redhat_alt_java.patch | 117 + ...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 + sources | 2 + 25 files changed, 12620 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 CheckVendor.java delete mode 100644 EMPTY create mode 100644 NEWS create mode 100644 TestCryptoLevel.java create mode 100644 TestECDSA.java create mode 100644 TestSecurityProperties.java create mode 100644 TestTranslations.java create mode 100644 fips-17u-0bd5ca9ccc5.patch create mode 100644 java-17-openjdk.spec create mode 100644 jconsole.desktop.in create mode 100644 jdk8275535-rh2053256-ldap_auth.patch create mode 100644 jdk8293834-kyiv_cldr_update.patch create mode 100644 jdk8294357-tzdata2022d.patch create mode 100644 jdk8295173-tzdata2022e.patch create mode 100644 nss.cfg.in create mode 100644 nss.fips.cfg.in create mode 100644 remove-intree-libraries.sh create mode 100644 rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch create mode 100644 rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch create mode 100644 rh1648644-java_access_bridge_privileged_security.patch create mode 100644 rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch create mode 100644 rh1750419-redhat_alt_java.patch create mode 100644 rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4dbb636 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/openjdk-jdk17u-jdk-17.0.5+8.tar.xz +/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/CheckVendor.java @@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..0aacfef --- /dev/null +++ b/NEWS @@ -0,0 +1,1886 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 17.0.5 (2022-10-18): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1705 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html + +* Security fixes + - JDK-8282252: Improve BigInteger/Decimal validation + - JDK-8285662: Better permission resolution + - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions + - JDK-8286511: Improve macro allocation + - JDK-8286519: Better memory handling + - JDK-8286526, CVE-2022-21619: Improve NTLM support + - JDK-8286910, CVE-2022-21624: Improve JNDI lookups + - JDK-8286918, CVE-2022-21628: Better HttpServer service + - JDK-8287446: Enhance icon presentations + - JDK-8288508: Enhance ECDSA usage + - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage + - JDK-8289853: Update HarfBuzz to 4.4.1 + - JDK-8290334: Update FreeType to 2.12.1 +* Other changes + - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider + - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 + - JDK-7131823: bug in GIFImageReader + - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac + - JDK-8028265: Add legacy tz tests to OpenJDK + - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed + - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails + - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java + - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! + - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" + - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. + - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values + - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch + - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues + - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + - JDK-8227651: Tests fail with SSLProtocolException: Input record too big + - JDK-8240903: Add test to check that jmod hashes are reproducible + - JDK-8254318: Remove .hgtags + - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline + - JDK-8256844: Make NMT late-initializable + - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" + - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class + - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. + - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled" + - JDK-8269039: Disable SHA-1 Signed JARs + - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr + - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections + - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java + - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest + - JDK-8271344: Windows product version issue + - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData + - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals + - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] + - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) + - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts + - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 + - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms + - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] + - JDK-8274597: Some of the dnd tests time out and fail intermittently + - JDK-8274856: Failing jpackage tests with fastdebug/release build + - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled + - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold + - JDK-8276837: [macos]: Error when signing the additional launcher + - JDK-8277429: Conflicting jpackage static library name + - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged" + - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable + - JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript + - JDK-8278311: Debian packaging doesn't work + - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS + - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS + - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 + - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 + - JDK-8279622: C2: miscompilation of map pattern as a vector reduction + - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl + - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound + - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed + - JDK-8280863: Update build README to reflect that MSYS2 is supported + - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism + - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix + - JDK-8281181: Do not use CPU Shares to compute active processor count + - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 + - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) + - JDK-8281535: Create a regression test for JDK-4670051 + - JDK-8281569: Create tests for Frame.setMinimumSize() method + - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting + - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button + - JDK-8281745: Create a regression test for JDK-4514331 + - JDK-8281988: Create a regression test for JDK-4618767 + - JDK-8282007: Assorted enhancements to jpackage testing framework + - JDK-8282046: Create a regression test for JDK-8000326 + - JDK-8282214: Upgrade JQuery to version 3.6.0 + - JDK-8282234: Create a regression test for JDK-4532513 + - JDK-8282280: Update Xerces to Version 2.12.2 + - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access + - JDK-8282343: Create a regression test for JDK-4518432 + - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows + - JDK-8282407: Missing ')' in MacResources.properties + - JDK-8282467: add extra diagnostics for JDK-8268184 + - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8282548: Create a regression test for JDK-4330998 + - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc + - JDK-8282640: Create a test for JDK-4740761 + - JDK-8282778: Create a regression test for JDK-4699544 + - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 + - JDK-8282860: Write a regression test for JDK-4164779 + - JDK-8282933: Create a test for JDK-4529616 + - JDK-8282936: Write a regression test for JDK-4615365 + - JDK-8282937: Write a regression test for JDK-4820080 + - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions + - JDK-8283015: Create a test for JDK-4715496 + - JDK-8283087: Create a test or JDK-4715503 + - JDK-8283245: Create a test for JDK-4670319 + - JDK-8283277: ISO 4217 Amendment 171 Update + - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) + - JDK-8283457: [macos] libpng build failures with Xcode13.3 + - JDK-8283493: Create an automated regression test for RFE 4231298 + - JDK-8283507: Create a regression test for RFE 4287690 + - JDK-8283562: JDK-8282306 breaks gtests on zero + - JDK-8283597: [REDO] Invalid generic signature for redefined classes + - JDK-8283621: Write a regression test for CCC4400728 + - JDK-8283623: Create an automated regression test for JDK-4525475 + - JDK-8283624: Create an automated regression test for RFE-4390885 + - JDK-8283712: Create a manual test framework class + - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows + - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode + - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 + - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS + - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt + - JDK-8284077: Create an automated test for JDK-4170173 + - JDK-8284294: Create an automated regression test for RFE 4138746 + - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph + - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + - JDK-8284521: Write an automated regression test for RFE 4371575 + - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception + - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest + - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset + - JDK-8284686: Interval of < 1 ms disables ExecutionSample events + - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 + - JDK-8284898: Enhance PassFailJFrame + - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + - JDK-8284950: CgroupV1 detection code should consider memory.swappiness + - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment + - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist + - JDK-8285081: Improve XPath operators count accuracy + - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java + - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity + - JDK-8285380: Fix typos in security + - JDK-8285398: Cache the results of constraint checks + - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test + - JDK-8285693: Create an automated test for JDK-4702199 + - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8285730: unify _WIN32_WINNT settings + - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 + - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities + - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java + - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe + - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure + - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 + - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes + - JDK-8286277: CDS VerifyError when calling clone() on object array + - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache + - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45] + - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage + - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect + - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis + - JDK-8286869: unify os::dir_is_empty across posix platforms + - JDK-8286870: Memory leak with RepeatCompilation + - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5 + - JDK-8287073: NPE from CgroupV2Subsystem.getInstance() + - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn + - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + - JDK-8287113: JFR: Periodic task thread uses period for method sampling events + - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host + - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event + - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver + - JDK-8287366: Improve test failure reporting in GHA + - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number + - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + - JDK-8287463: JFR: Disable TestDevNull.java on Windows + - JDK-8287663: Add a regression test for JDK-8287073 + - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run + - JDK-8287724: Fix various issues with msys2 + - JDK-8287735: Provide separate event category for dll operations + - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete + - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag + - JDK-8287895: Some langtools tests fail on msys2 + - JDK-8287896: PropertiesTest.sh fail on msys2 + - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows + - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests + - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier + - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs + - JDK-8288003: log events for os::dll_unload + - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic + - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds + - JDK-8288467: remove memory_operand assert for spilled instructions + - JDK-8288499: Restore cancel-in-progress in GHA + - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... + - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small + - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 + - JDK-8288992: AArch64: CMN should be handled the same way as CMP + - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible + - JDK-8289147: unify os::infinite_sleep on posix platforms + - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion + - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java + - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc + - JDK-8289486: Improve XSLT XPath operators count efficiency + - JDK-8289549: ISO 4217 Amendment 172 Update + - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl + - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun + - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad + - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter + - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + - JDK-8289910: unify os::message_box across posix platforms + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown + - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers + - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" + - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle + - JDK-8290456: remove os::print_statistics() + - JDK-8291595: [17u] Delete files missed in backport of 8269039 + - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr + - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5 + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable +=========================================================================== +Two system properties have been added which control the keep alive +behavior of HttpURLConnection in the case where the server does not +specify a keep alive time. Two properties are defined for controlling +connections to servers and proxies separately. They are: + +* `http.keepAlive.time.server` +* `http.keepAlive.time.proxy` + +respectively. More information about them can be found on the +Networking Properties page: +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. + +security-libs/javax.crypto: + +JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location +===================================================================================== +The Windows KeyStore support in the SunMSCAPI provider has been +expanded to include access to the local machine location. The new +keystore types are: + +* "Windows-MY-LOCALMACHINE" +* "Windows-ROOT-LOCALMACHINE" + +The following keystore types were also added, allowing developers to +make it clear they map to the current user: + +* "Windows-MY-CURRENTUSER" (same as "Windows-MY") +* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") + +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + +hotspot/runtime: + +JDK-8281181: CPU Shares Ignored When Computing Active Processor Count +===================================================================== +Previous JDK releases used an incorrect interpretation of the Linux +cgroups parameter "cpu.shares". This might cause the JVM to use fewer +CPUs than available, leading to an under utilization of CPU resources +when the JVM is used inside a container. + +Starting from this JDK release, by default, the JVM no longer +considers "cpu.shares" when deciding the number of threads to be used +by the various thread pools. The `-XX:+UseContainerCpuShares` +command-line option can be used to revert to the previous +behavior. This option is deprecated and may be removed in a future JDK +release. + +security-libs/java.security: + +JDK-8269039: Disabled SHA-1 Signed JARs +======================================= +JARs signed with SHA-1 algorithms are now restricted by default and +treated as if they were unsigned. This applies to the algorithms used +to digest, sign, and optionally timestamp the JAR. It also applies to +the signature and digest algorithms of the certificates in the +certificate chain of the code signer and the Timestamp Authority, and +any CRLs or OCSP responses that are used to verify if those +certificates have been revoked. These restrictions also apply to +signed JCE providers. + +To reduce the compatibility risk for JARs that have been previously +timestamped, there is one exception to this policy: + +- Any JAR signed with SHA-1 algorithms and timestamped prior to + January 01, 2019 will not be restricted. + +This exception may be removed in a future JDK release. To determine if +your signed JARs are affected by this change, run: + +$ jarsigner -verify -verbose -certs` + +on the signed JAR, and look for instances of "SHA1" or "SHA-1" and +"disabled" and a warning that the JAR will be treated as unsigned in +the output. + +For example: + + Signed by "CN="Signer"" + Digest algorithm: SHA-1 (disabled) + Signature algorithm: SHA1withRSA (disabled), 2048-bit key + + WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: + + jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 + +JARs affected by these new restrictions should be replaced or +re-signed with stronger algorithms. + +Users can, *at their own risk*, remove these restrictions by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) and removing "SHA1 usage +SignedJAR & denyAfter 2019-01-01" from the +`jdk.certpath.disabledAlgorithms` security property and "SHA1 +denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security +property. + +New in release OpenJDK 17.0.4.1 (2022-08-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17041 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt + +* Other changes + - JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1 + - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large + +Notes on individual issues: +=========================== + +hotspot/compiler: + +JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM +============================================================ +Fixes a regression in the C2 JIT compiler which caused the Java +Runtime to crash unpredictably. + +New in release OpenJDK 17.0.4 (2022-07-19): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1704 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt + +* Security fixes + - JDK-8272243: Improve DER parsing + - JDK-8272249: Better properties of loaded Properties + - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions + - JDK-8277608: Address IP Addressing + - JDK-8281859, CVE-2022-21540: Improve class compilation + - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations + - JDK-8283190: Improve MIDI processing + - JDK-8284370: Improve zlib usage + - JDK-8285407, CVE-2022-34169: Improve Xalan supports +* Other changes + - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn + - JDK-8181571: printing to CUPS fails on mac sandbox app + - JDK-8193682: Infinite loop in ZipOutputStream.close() + - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use + - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test + - JDK-8214733: runtime/8176717/TestInheritFD.java timed out + - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel + - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled + - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode + - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR + - JDK-8255266: Update Public Suffix List to 3c213aa + - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers + - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests + - JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure + - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well + - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL" + - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL + - JDK-8267163: Rename anonymous loader tests to hidden loader tests + - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo + - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped + - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout + - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) + - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum + - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest + - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs + - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM + - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform + - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message + - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support + - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java + - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree + - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output + - JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled + - JDK-8270797: ShortECDSA.java test is not complete + - JDK-8270837: fix typos in test TestSigParse.java + - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom + - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack + - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code + - JDK-8271302: Regex Test Refresh + - JDK-8272146: Disable Fibonacci test on memory constrained systems + - JDK-8272168: some hotspot runtime/logging tests don't check exit code + - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty + - JDK-8272358: Some tests may fail when executed with other locales than the US + - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 + - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security + - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" + - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency + - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests + - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302 + - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case + - JDK-8274172: Convert JavadocTester to use NIO + - JDK-8274233: Minor cleanup for ToolBox + - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun + - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines + - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend + - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image + - JDK-8274751: Drag And Drop hangs on Windows + - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed + - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS + - JDK-8274983: C1 optimizes the invocation of private interface methods + - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows + - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert + - JDK-8275745: Reproducible copyright headers + - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers + - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt + - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win) + - JDK-8276657: XSLT compiler tries to define a class with empty name + - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC + - JDK-8276825: hotspot/runtime/SelectionResolution test errors + - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java + - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary + - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations + - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics + - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive + - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND + - JDK-8277123: jdeps does not report some exceptions correctly + - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories + - JDK-8277166: Data race in jdeps VersionHelper + - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread + - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch + - JDK-8277893: Arraycopy stress tests + - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP + - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge + - JDK-8278014: [vectorapi] Remove test run script + - JDK-8278065: Refactor subclassAudits to use ClassValue + - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method + - JDK-8278472: Invalid value set to CANDIDATEFORM structure + - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" + - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15 + - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date + - JDK-8278794: Infinite loop in DeflaterOutputStream.finish() + - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86 + - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs + - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler + - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638 + - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC + - JDK-8279219: [REDO] C2 crash when allocating array of size too large + - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display + - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! + - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM + - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked + - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism + - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64 + - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java + - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment + - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking + - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores + - JDK-8279668: x86: AVX2 versions of vpxor should be asserted + - JDK-8279822: CI: Constant pool entries in error state are not supported + - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled + - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region + - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos + - JDK-8279958: Provide configure hints for Alpine/apk package managers + - JDK-8280004: DCmdArgument::parse_value() should handle NULL input + - JDK-8280041: Retry loop issues in java.io.ClassCache + - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN + - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized + - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang + - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS + - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor + - JDK-8280600: C2: assert(!had_error) failed: bad dominance + - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. + - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination + - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs + - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint + - JDK-8280940: gtest os.release_multi_mappings_vm is racy + - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range + - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y + - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly + - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64 + - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter + - JDK-8281262: Windows builds in different directories are not fully reproducible + - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly + - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info + - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths + - JDK-8281318: Improve jfr/event/allocation tests reliability + - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working + - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor + - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants + - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/ + - JDK-8281615: Deadlock caused by jdwp agent + - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions + - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature + - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 + - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling + - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder + - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway + - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1 + - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test + - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads + - JDK-8282225: GHA: Allow one concurrent run per PR only + - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers + - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive + - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert + - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 + - JDK-8282345: handle latest VS2022 in abstract_vm_version + - JDK-8282382: Report glibc malloc tunables in error reports + - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale + - JDK-8282444: Module finder incorrectly assumes default file system path-separator character + - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4 + - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output + - JDK-8282551: Properly initialize L32X64MixRandom state + - JDK-8282583: Update BCEL md to include the copyright notice + - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes + - JDK-8282592: C2: assert(false) failed: graph should be schedulable + - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig() + - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap + - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value + - JDK-8283017: GHA: Workflows break with update release versions + - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails + - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c + - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing + - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize + - JDK-8283315: jrt-fs.jar not always deterministically built + - JDK-8283323: libharfbuzz optimization level results in extreme build times + - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled + - JDK-8283350: (tz) Update Timezone Data to 2022a + - JDK-8283408: Fix a C2 crash when filling arrays with unsafe + - JDK-8283422: Create a new test for JDK-8254790 + - JDK-8283451: C2: assert(_base == Long) failed: Not a Long + - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak + - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info + - JDK-8283641: Large value for CompileThresholdScaling causes assert + - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM + - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo + - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + - JDK-8284094: Memory leak in invoker_completeInvokeRequest() + - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 + - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284437: Building from different users/workspace is not always deterministic + - JDK-8284458: CodeHeapState::aggregate() leaks blob_name + - JDK-8284507: GHA: Only check test results if testing was not skipped + - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler + - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member + - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2 + - JDK-8284620: CodeBuffer may leak _overflow_arena + - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8284661: Reproducible assembly builds without relative linking + - JDK-8284754: print more interesting env variables in hs_err and VM.info + - JDK-8284758: [linux] improve print_container_info + - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping + - JDK-8284866: Add test to JDK-8273056 + - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java + - JDK-8284992: Fix misleading Vector API doc for LSHR operator + - JDK-8285342: Zero build failure with clang due to values not handled in switch + - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id() + - JDK-8285397: JNI exception pending in CUPSfuncs.c:250 + - JDK-8285445: cannot open file "NUL:" + - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java + - JDK-8285686: Update FreeType to 2.12.0 + - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head + - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + - JDK-8285728: Alpine Linux build fails with busybox tar + - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols + - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine + - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService + - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java + - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc + - JDK-8286198: [linux] Fix process-memory information + - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources + - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause + - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups + - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk + - JDK-8286855: javac error on invalid jar should only print filename + - JDK-8287109: Distrust.java failed with CertificateExpiredException + - JDK-8287119: Add Distrust.java to ProblemList + - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions + - JDK-8287336: GHA: Workflows break on patch versions + - JDK-8287362: FieldAccessWatch testcase failed on AIX platform + - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos +================================================================ +Support has been added for TLS channel binding tokens for +Negotiate/Kerberos authentication over HTTPS through +javax.net.HttpsURLConnection. + +Channel binding tokens are increasingly required as an enhanced form +of security which can mitigate certain kinds of socially engineered, +man in the middle (MITM) attacks. They work by communicating from a +client to a server the client's understanding of the binding between +connection security (as represented by a TLS server cert) and higher +level authentication credentials (such as a username and +password). The server can then detect if the client has been fooled by +a MITM and shutdown the session/connection. + +The feature is controlled through a new system property +`jdk.https.negotiate.cbt` which is described fully at the following +page: + +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt + +core-libs/java.lang: + +JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder +===================================================================== +ProcessBuilder on Windows is restored to address a regression caused +by JDK-8250568. Previously, an argument to ProcessBuilder that +started with a double-quote and ended with a backslash followed by a +double-quote was passed to a command incorrectly and may cause the +command to fail. For example the argument `"C:\\Program Files\"`, +would be seen by the command with extra double-quotes. This update +restores the long standing behavior that does not treat the backslash +before the final double-quote specially. + + +core-libs/java.util.jar: + +JDK-8278386: Default JDK compressor will be closed when IOException is encountered +================================================================================== +`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods +have been modified to close out the associated default JDK compressor +before propagating a Throwable up the +stack. `ZIPOutputStream.closeEntry()` method has been modified to +close out the associated default JDK compressor before propagating an +IOException, not of type ZipException, up the stack. + +core-libs/java.io: + +JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File +================================================================================================= +The Windows implementation of `java.io.File` allows access to NTFS +Alternate Data Streams (ADS) by default. Such streams have a structure +like “filename:streamname”. A system property `jdk.io.File.enableADS` +has been added to control this behavior. To disable ADS support in +`java.io.File`, the system property `jdk.io.File.enableADS` should be +set to `false` (case ignored). Stricter path checking however prevents +the use of special devices such as `NUL:` + +New in release OpenJDK 17.0.3 (2022-04-19): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1703 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt + +* Security fixes + - JDK-8269938: Enhance XML processing passes redux + - JDK-8270504, CVE-2022-21426: Better XPath expression handling + - JDK-8272255: Completely handle MIDI files + - JDK-8272261: Improve JFR recording file processing + - JDK-8272588: Enhanced recording parsing + - JDK-8272594: Better record of recordings + - JDK-8274221: More definite BER encodings + - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 + - JDK-8275151, CVE-2022-21443: Improved Object Identification + - JDK-8277227: Better identification of OIDs + - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support + - JDK-8277672, CVE-2022-21434: Better invocation handler handling + - JDK-8278356: Improve file creation + - JDK-8278449: Improve keychain support + - JDK-8278798: Improve supported intrinsic + - JDK-8278805: Enhance BMP image loading + - JDK-8278972, CVE-2022-21496: Improve URL supports + - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo +* Other changes + - JDK-8177814: jdk/editpad is not in jdk TEST.groups + - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 + - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently + - JDK-8225559: assertion error at TransTypes.visitApply + - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful + - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails + - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test + - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1 + - JDK-8251216: Implement MD5 intrinsics on AArch64 + - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" + - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" + - JDK-8263567: gtests don't terminate the VM safely + - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark + - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups + - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it + - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only + - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM + - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file + - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java + - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' + - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error + - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" + - JDK-8270117: Broken jtreg link in "Building the JDK" page + - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor + - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity + - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8271506: Add ResourceHashtable support for deleting selected entries + - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests + - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories + - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates + - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication + - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code + - JDK-8272600: (test) Use native "sleep" in Basic.java + - JDK-8272866: java.util.random package summary contains incorrect mixing function in table + - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled + - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt + - JDK-8273277: C2: Move conditional negation into rc_predicate + - JDK-8273341: Update Siphash to version 1.0 + - JDK-8273351: bad tag in jdk.random module-info.java + - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 + - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm + - JDK-8273387: remove some unreferenced gtk-related functions + - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests + - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests + - JDK-8273526: Extend the OSContainer API pids controller with pids.current + - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java + - JDK-8273655: content-types.properties files are missing some common types + - JDK-8273682: Upgrade Jline to 3.20.0 + - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time + - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 + - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions + - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 + - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) + - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes + - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches + - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures + - JDK-8274471: Add support for RSASSA-PSS in OCSP Response + - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake + - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS + - JDK-8274658: ISO 4217 Amendment 170 Update + - JDK-8274714: Incorrect verifier protected access error message + - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 + - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes + - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler + - JDK-8274935: dumptime_table has stale entry + - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info + - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions + - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime + - JDK-8275586: Zero: Simplify interpreter initialization + - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow + - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault + - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg + - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64 + - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 + - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException + - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock + - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method + - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue + - JDK-8276057: Update JMH devkit to 1.33 + - JDK-8276141: XPathFactory set/getProperty method + - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" + - JDK-8276314: [JVMCI] check alignment of call displacement during code installation + - JDK-8276623: JDK-8275650 accidentally pushed "out" file + - JDK-8276654: element-list order is non deterministic + - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() + - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod + - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content + - JDK-8276841: Add support for Visual Studio 2022 + - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" + - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 + - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 + - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits + - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows + - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for + - JDK-8277383: VM.metaspace optionally show chunk freelist details + - JDK-8277385: Zero: Enable CompactStrings support + - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last + - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop + - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs + - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 + - JDK-8277497: Last column cell in the JTable row is read as empty cell + - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." + - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER + - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad + - JDK-8277795: ldap connection timeout not honoured under contention + - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 + - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording + - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 + - JDK-8278016: Add compiler tests to tier{2,3} + - JDK-8278020: ~13% variation in Renaissance-Scrabble + - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation + - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError + - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' + - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx + - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx + - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup + - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux + - JDK-8278185: Custom JRE cannot find non-ASCII named module inside + - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d + - JDK-8278241: Implement JVM SpinPause on linux-aarch64 + - JDK-8278309: [windows] use of uninitialized OSThread::_state + - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine + - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec + - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT + - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic + - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column + - JDK-8278604: SwingSet2 table demo does not have accessible description set for images + - JDK-8278627: Shenandoah: TestHeapDump test failed + - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 + - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 + - JDK-8278824: Uneven work distribution when scanning heap roots in G1 + - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob + - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 + - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ + - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t + - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 + - JDK-8279124: VM does not handle SIGQUIT during initialization + - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers + - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest + - JDK-8279379: GHA: Print tests that are in error + - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 + - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it + - JDK-8279445: Update JMH devkit to 1.34 + - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms + - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition + - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also + - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 + - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 + - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks + - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" + - JDK-8280002: jmap -histo may leak stream + - JDK-8280155: [PPC64, s390] frame size checks are not yet correct + - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 + - JDK-8280414: Memory leak in DefaultProxySelector + - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames + - JDK-8281460: Let ObjectMonitor have its own NMT category + - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX + - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 + - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character + - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods + - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException + - JDK-8284920: Incorrect Token type causes XPath expression to return empty result + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8274791: Support for RSASSA-PSS in OCSP Response +==================================================== +An OCSP response signed with the RSASSA-PSS algorithm is now supported. + +New in release OpenJDK 17.0.2 (2022-01-18): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1702 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt + +* Security fixes + - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270386, CVE-2022-21291: Better verification of scan methods + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8270952, CVE-2022-21277: Improve TIFF file handling + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + - JDK-8274096, CVE-2022-21366: Improve decoding of image files +* Other changes + - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap + - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently + - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + - JDK-8214761: Bug in parallel Kahan summation implementation + - JDK-8223923: C2: Missing interference with mismatched unsafe accesses + - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir(). + - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name + - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines())) + - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled + - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic + - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol + - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream + - JDK-8263375: Support stack watermarks in Zero VM + - JDK-8263773: Reenable German localization for builds at Oracle + - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer + - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer + - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer + - JDK-8264292: Create implementation for NSAccessibilityList protocol peer + - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer + - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer + - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer + - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer + - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer + - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer + - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer + - JDK-8266239: Some duplicated javac command-line options have repeated effect + - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color + - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true + - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl + - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility + - JDK-8267387: Create implementation for NSAccessibilityOutline protocol + - JDK-8267388: Create implementation for NSAccessibilityTable protocol + - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button" + - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs. + - JDK-8268361: Fix the infinite loop in next_line + - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML + - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests + - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler + - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions + - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc + - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type + - JDK-8268893: jcmd to trim the glibc heap + - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition + - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)" + - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783 + - JDK-8269113: Javac throws when compiling switch (null) + - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java + - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException + - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString() + - JDK-8269481: SctpMultiChannel never releases own file descriptor + - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows + - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles + - JDK-8269687: pauth_aarch64.hpp include name is incorrect + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts + - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked + - JDK-8270110: Shenandoah: Add test for JDK-8269661 + - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS + - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests + - JDK-8270290: NTLM authentication fails if HEAD request is used + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8270320: JDK-8270110 committed invalid copyright headers + - JDK-8270517: Add Zero support for LoongArch + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS + - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file + - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType + - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String + - JDK-8271071: accessibility of a table on macOS lacks cell navigation + - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug + - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h + - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment + - JDK-8271215: Fix data races in G1PeriodicGCTask + - JDK-8271254: javac generates unreachable code when using empty semicolon statement + - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" + - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call + - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes + - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1 + - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop + - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. + - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling + - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" + - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions + - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop + - JDK-8271605: Update JMH devkit to 1.32 + - JDK-8271718: Crash when during color transformation the color profile is replaced + - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers + - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest + - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used + - JDK-8271868: Warn user when using mac-sign option with unsigned app-image. + - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18 + - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112 + - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64 + - JDK-8272114: Unused _last_state in osThread_windows + - JDK-8272170: Missing memory barrier when checking active state for regions + - JDK-8272305: several hotspot runtime/modules don't check exit codes + - JDK-8272318: Improve performance of HeapDumpAllTest + - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher + - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8272345: macos doesn't check `os::set_boot_path()` result + - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0" + - JDK-8272391: Undeleted debug information + - JDK-8272413: Incorrect num of element count calculation for vector cast + - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong + - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272570: C2: crash in PhaseCFG::global_code_motion + - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272639: jpackaged applications using microphone on mac + - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO + - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit + - JDK-8272783: Epsilon: Refactor tests to improve performance + - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests + - JDK-8272838: Move CriticalJNI tests out of tier1 + - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1 + - JDK-8272850: Drop zapping values in the Zap* option descriptions + - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test + - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag + - JDK-8272859: Javadoc external links should only have feature version number in URL + - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups + - JDK-8272970: Parallelize runtime/InvocationTests/ + - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop + - JDK-8273021: C2: Improve Add and Xor ideal optimizations + - JDK-8273026: Slow LoginContext.login() on multi threading application + - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 + - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert + - JDK-8273176: handle latest VS2019 in abstract_vm_version + - JDK-8273229: Update OS detection code to recognize Windows Server 2022 + - JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash + - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit + - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273314: Add tier4 test groups + - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test + - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory + - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods + - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size + - JDK-8273361: InfoOptsTest is failing in tier1 + - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero + - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop + - JDK-8273376: Zero: Disable vtable/itableStub gtests + - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP + - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record + - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} + - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java + - JDK-8273450: Fix the copyright header of SVML files + - JDK-8273451: Remove unreachable return in mutexLocker::wait + - JDK-8273483: Zero: Clear pending JNI exception check in native method handler + - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option + - JDK-8273487: Zero: Handle "zero" variant in runtime tests + - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths + - JDK-8273498: compiler/c2/Test7179138_1.java timed out + - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes + - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure + - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated + - JDK-8273592: Backout JDK-8271868 + - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image. + - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian + - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch + - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests + - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F + - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher + - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease + - JDK-8273695: Safepoint deadlock on VMOperation_lock + - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem + - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly + - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java + - JDK-8273808: Cleanup AddFontsToX11FontPath + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out + - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral + - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release() + - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() + - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported + - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds + - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character + - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled + - JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects + - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM + - JDK-8274083: Update testing docs to mention tiered testing + - JDK-8274087: Windows DLL path not set correctly. + - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition + - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC + - JDK-8274215: Remove globalsignr2ca root from 17.0.2 + - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86 + - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp + - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated + - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160 + - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m + - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern + - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" + - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile + - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU + - JDK-8274381: missing CAccessibility definitions in JNI code + - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread + - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API + - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274501: c2i entry barriers read int as long on AArch64 + - JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected + - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah + - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah + - JDK-8274550: c2i entry barriers read int as long on PPC + - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah + - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test + - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 + - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume. + - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily + - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers + - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior + - JDK-8274851: [ppc64] Port zgc to linux on ppc64le + - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) + - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 + - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register + - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag + - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed + - JDK-8275104: IR framework does not handle client VM builds correctly + - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. + - JDK-8275131: Exceptions after a touchpad gesture on macOS + - JDK-8275141: recover corrupted line endings for the version-numbers.conf + - JDK-8275145: file.encoding system property has an incorrect value on Windows + - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges + - JDK-8275302: unexpected compiler error: cast, intersection types and sealed + - JDK-8275426: PretouchTask num_chunks calculation can overflow + - JDK-8275604: Zero: Reformat opclabels_data + - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless + - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem + - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:] + - JDK-8275811: Incorrect instance to dispose + - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings + - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml + - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency + - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance + - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3 + - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly + - JDK-8276112: Inconsistent scalar replacement debug info at safepoints + - JDK-8276122: Change openjdk project in jcheck to jdk-updates + - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme + - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test + - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 + - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point + - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration + - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition + - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 + - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend + - JDK-8276572: Fake libsyslookup.so library causes tooling issues + - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie + - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah + - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager + - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32 + - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1 + - JDK-8276854: Windows GHA builds fail due to broken Cygwin + - JDK-8276864: Update boot JDKs to 17.0.1 in GHA + - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders + - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le + - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes + - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element + - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points + - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] + - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches + - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint + - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup + +Notes on individual issues: +=========================== + +core-libs/java.io:serialization: + +JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element +========================================================================================= +`java.util.Vector` is updated to correctly report +`ClassNotFoundException that occurs during deserialization using +`java.io.ObjectInputStream.GetField.get(name, object)` when the class +of an element of the Vector is not found. Without this fix, a +`StreamCorruptedException` is thrown that does not provide information +about the missing class. + +security-libs/java.security: + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.io: + +JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows +============================================================================ +The initialization of the `file.encoding` system property on non macOS +platforms has been reverted to align with the behavior on or before +JDK 11. This has been an issue especially on Windows where the system +and user's locales are not the same. + +hotspot/gc: + +JDK-8277533: ZGC: Fixed long Process Non-Strong References times +================================================================ +A bug has been fixed that could cause long "Concurrent Process +Non-Strong References" times with ZGC. The bug blocked the GC from +making significant progress, and caused both latency and throughput +issues for the Java application. + +The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g. + +[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + +New in release OpenJDK 17.0.1 (2021-10-19): +=========================================== +Live versions of these release notes can be found at: + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt + +* Security fixes + - JDK-8263314: Enhance XML Dsig modes + - JDK-8265167, CVE-2021-35556: Richer Text Editors + - JDK-8265574: Improve handling of sheets + - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit + - JDK-8265776: Improve Stream handling for SSL + - JDK-8266097, CVE-2021-35561: Better hashing support + - JDK-8266103: Better specified spec values + - JDK-8266109: More Resilient Classloading + - JDK-8266115: More Manifest Jar Loading + - JDK-8266137, CVE-2021-35564: Improve Keystore integrity + - JDK-8266689, CVE-2021-35567: More Constrained Delegation + - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic + - JDK-8267712: Better LDAP reference processing + - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking + - JDK-8267735, CVE-2021-35586: Better BMP support + - JDK-8268193: Improve requests of certificates + - JDK-8268199: Correct certificate requests + - JDK-8268205: Enhance DTLS client handshake + - JDK-8268500: Better specified ParameterSpecs + - JDK-8268506: More Manifest Digests + - JDK-8269618, CVE-2021-35603: Better session identification + - JDK-8269624: Enhance method selection support + - JDK-8270398: Enhance canonicalization + - JDK-8270404: Better canonicalization +* Other changes + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8263531: Remove unused buffer int + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms + - JDK-8269297: Bump version numbers for JDK 17.0.1 + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269763: The JEditorPane is blank after JDK-8265167 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270344: Session resumption errors + - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added + - JDK-8271276: C2: Wrong JVM state used for receiver null check + - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 + - JDK-8271589: fatal error with variable shift count integer rotate operation. + - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java + - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests + - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +New in release OpenJDK 17.0.0 (2021-09-14): +=========================================== +The full list of changes in the interim releases from 11u to 17u can be found at: + * https://builds.shipilev.net/backports-monitor/release-notes-12.txt + * https://builds.shipilev.net/backports-monitor/release-notes-13.txt + * https://builds.shipilev.net/backports-monitor/release-notes-14.txt + * https://builds.shipilev.net/backports-monitor/release-notes-15.txt + * https://builds.shipilev.net/backports-monitor/release-notes-16.txt + * https://builds.shipilev.net/backports-monitor/release-notes-17.txt + +Major changes are listed below. Some changes may have been backported +to earlier releases following their first appearance in OpenJDK 12 +through to 17. + +NEW FEATURES +============ + +Language Features +================= + +Switch Expressions +================== +https://openjdk.java.net/jeps/325 +https://openjdk.java.net/jeps/354 +https://openjdk.java.net/jeps/361 + +Extend the `switch` statement so that it can be used as either a +statement or an expression, and that both forms can use either a +"traditional" or "simplified" scoping and control flow behavior. Both +forms can use either traditional `case ... :` labels (with fall +through) or new `case ... ->` labels (with no fall through), with a +further new statement for yielding a value from a `switch` +expression. These changes will simplify everyday coding, and also +prepare the way for the use of pattern matching in `switch`. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 12 & 13 and became final in OpenJDK 14. + +Text Blocks +=========== +https://openjdk.java.net/jeps/355 +https://openjdk.java.net/jeps/368 +https://openjdk.java.net/jeps/378 + +Add text blocks to the Java language. A text block is a multi-line +string literal that avoids the need for most escape sequences, +automatically formats the string in a predictable way, and gives the +developer control over format when desired. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 13 & 14 and became final in OpenJDK 15. + +Pattern Matching for instanceof +=============================== +https://openjdk.java.net/jeps/305 +https://openjdk.java.net/jeps/375 +https://openjdk.java.net/jeps/394 +http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html + +Enhance the Java programming language with pattern matching for the +`instanceof` operator. Pattern matching allows common logic in a +program, namely the conditional extraction of components from objects, +to be expressed more concisely and safely. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 14 & 15 and became final in OpenJDK 16. + +Records +======= +https://openjdk.java.net/jeps/359 +https://openjdk.java.net/jeps/384 +https://openjdk.java.net/jeps/395 + +Enhance the Java programming language with records. Records provide a +compact syntax for declaring classes which are transparent holders for +shallowly immutable data. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 14 & 15 and became final in OpenJDK 16. + +Sealed Classes +============== +https://openjdk.java.net/jeps/360 +https://openjdk.java.net/jeps/397 +https://openjdk.java.net/jeps/409 +https://cr.openjdk.java.net/~briangoetz/amber/datum.html + +Enhance the Java programming language with sealed classes and +interfaces. Sealed classes and interfaces restrict which other classes +or interfaces may extend or implement them. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 15 & 16 and became final in OpenJDK 17. + +Restore Always-Strict Floating-Point Semantics +============================================== +https://openjdk.java.net/jeps/306 + +Make floating-point operations consistently strict, rather than have +both strict floating-point semantics (`strictfp`) and subtly different +default floating-point semantics. This will restore the original +floating-point semantics to the language and VM, matching the +semantics before the introduction of strict and default floating-point +modes in Java SE 1.2. + +Pattern Matching for switch +=========================== +https://openjdk.java.net/jeps/406 + +Enhance the Java programming language with pattern matching for +`switch` expressions and statements, along with extensions to the +language of patterns. Extending pattern matching to `switch` allows an +expression to be tested against a number of patterns, each with a +specific action, so that complex data-oriented queries can be +expressed concisely and safely. + +This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK +17. + +Library Features +================ + +JVM Constants API +================= +https://openjdk.java.net/jeps/334 + +Introduce an API to model nominal descriptions of key class-file and +run-time artifacts, in particular constants that are loadable from the +constant pool. + +Reimplement the Legacy Socket API +================================= +https://openjdk.java.net/jeps/353 + +Replace the underlying implementation used by the `java.net.Socket` +and `java.net.ServerSocket` APIs with a simpler and more modern +implementation that is easy to maintain and debug. The new +implementation will be easy to adapt to work with user-mode threads, +a.k.a. fibers, currently being explored in Project Loom +(https://openjdk.java.net/projects/loom). + +JFR Event Streaming +=================== +https://openjdk.java.net/jeps/349 + +Expose JDK Flight Recorder data for continuous monitoring. + +Non-Volatile Mapped Byte Buffers +================================ +https://openjdk.java.net/jeps/352 + +Add new JDK-specific file mapping modes so that the `FileChannel` API +can be used to create `MappedByteBuffer` instances that refer to +non-volatile memory. + +Helpful NullPointerExceptions +============================= +https://openjdk.java.net/jeps/358 + +Improve the usability of `NullPointerException`s generated by the JVM +by describing precisely which variable was `null`. + +Foreign-Memory Access API +========================= +https://openjdk.java.net/jeps/370 +https://openjdk.java.net/jeps/383 +https://openjdk.java.net/jeps/393 + +Introduce an API to allow Java programs to safely and efficiently +access foreign memory outside of the Java heap. + +This was a incubation feature (https://openjdk.java.net/jeps/11) in +OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory +API in OpenJDK 17 (see below). + +Edwards-Curve Digital Signature Algorithm (EdDSA) +================================================= +https://openjdk.java.net/jeps/339 + +Implement cryptographic signatures using the Edwards-Curve Digital +Signature Algorithm (EdDSA) as described by RFC 8032 +(https://tools.ietf.org/html/rfc8032). + +Hidden Classes +============== +https://openjdk.java.net/jeps/371 + +Introduce hidden classes, which are classes that cannot be used +directly by the bytecode of other classes. Hidden classes are intended +for use by frameworks that generate classes at run time and use them +indirectly, via reflection. A hidden class may be defined as a member +of an access control nest (https://openjdk.java.net/jeps/181), and may +be unloaded independently of other classes. + +Reimplement the Legacy DatagramSocket API +========================================= +https://openjdk.java.net/jeps/373 + +Replace the underlying implementations of the +`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with +simpler and more modern implementations that are easy to maintain and +debug. The new implementations will be easy to adapt to work with +virtual threads, currently being explored in Project Loom +(https://openjdk.java.net/projects/loom). This is a follow-on to JEP +353 (see above), which already reimplemented the legacy Socket API. + +Vector API +========== +https://openjdk.java.net/jeps/338 +https://openjdk.java.net/jeps/414 + +Provide an initial iteration of an incubator module, +`jdk.incubator.vector`, to express vector computations that reliably +compile at runtime to optimal vector hardware instructions on +supported CPU architectures and thus achieve superior performance to +equivalent scalar computations. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16. + +Unix-Domain Socket Channels +=========================== +https://openjdk.java.net/jeps/380 + +Add Unix-domain (`AF_UNIX`) socket support to the socket channel and +server-socket channel APIs in the `java.nio.channels` package. Extend +the inherited channel mechanism to support Unix-domain socket channels +and server socket channels. + +Foreign Linker API (Incubator) +============================== +https://openjdk.java.net/jeps/389 + +Introduce an API that offers statically-typed, pure-Java access to +native code. This API, together with the Foreign-Memory API (see +above), will considerably simplify the otherwise error-prone process +of binding to a native library. + +This was an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16, now superseded by the Foreign Function & +Memory API in OpenJDK 17 (see below). + +Strongly Encapsulate JDK Internals by Default +============================================= +https://openjdk.java.net/jeps/396 +https://openjdk.java.net/jeps/403 + +Strongly encapsulate all internal elements of the JDK by default, +except for critical internal APIs such as `sun.misc.Unsafe`. It will +no longer be possible to relax the strong encapsulation of internal +elements via a single command-line option, as was possible in OpenJDK +9 through 16. + +Enhanced Pseudo-Random Number Generators +======================================== +https://openjdk.java.net/jeps/356 + +Provide new interface types and implementations for pseudo-random +number generators (PRNGs), including jumpable PRNGs and an additional +class of splittable PRNG algorithms (LXM). + +Foreign Function & Memory API +============================= +https://openjdk.java.net/jeps/412 + +Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. + +This API is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 17, and is an evolution of the Foreign Memory +Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK +16) (see above). + +Context-Specific Deserialization Filters +======================================== +https://openjdk.java.net/jeps/415 + +Allow applications to configure context-specific and +dynamically-selected deserialization filters via a JVM-wide filter +factory that is invoked to select a filter for each individual +deserialization operation. + +Tools +===== + +Packaging Tool +============== +https://openjdk.java.net/jeps/343 +https://openjdk.java.net/jeps/392 + +Provide the `jpackage` tool, for packaging self-contained Java +applications. + +JVM Features +============ + +Shenandoah: A Low-Pause-Time Garbage Collector +============================================== +https://openjdk.java.net/jeps/189 +https://openjdk.java.net/jeps/379 + +Add a new garbage collection (GC) algorithm named Shenandoah which +reduces GC pause times by doing evacuation work concurrently with the +running Java threads. Pause times with Shenandoah are independent of +heap size, meaning you will have the same consistent pause times +whether your heap is 200 MB or 200 GB. + +Shenandoah has been provided in Red Hat builds of OpenJDK 8 since +8u131 in April 2017 and in all 11u builds. + +Upstream, it was introduced in OpenJDK 12 as an experimental feature +and became a production feature in OpenJDK 15. It was backported to +OpenJDK 11 with the 11.0.9 release in October 2020. + +Abortable Mixed Collections for G1 +================================== +https://openjdk.java.net/jeps/344 + +Make G1 mixed collections abortable if they might exceed the pause +target. + +Promptly Return Unused Committed Memory from G1 +=============================================== +https://openjdk.java.net/jeps/346 + +Enhance the G1 garbage collector to automatically return Java heap +memory to the operating system when idle. + +Dynamic CDS Archives +==================== +https://openjdk.java.net/jeps/310 +https://openjdk.java.net/jeps/350 + +Extend application class-data sharing to allow the dynamic archiving +of classes at the end of Java application execution. The archived +classes will include all loaded application classes and library +classes that are not present in the default, base-layer CDS archive. + +ZGC: Uncommit Unused Memory (Experimental) +========================================== +https://openjdk.java.net/jeps/351 + +Enhance ZGC to return unused heap memory to the operating system. + +NUMA-Aware Memory Allocation for G1 +=================================== +https://openjdk.java.net/jeps/345 + +Improve G1 performance on large machines by implementing NUMA-aware +memory allocation. + +ZGC on macOS (Experimental) +=========================== +https://openjdk.java.net/jeps/364 + +Port the ZGC garbage collector to macOS. + +ZGC on Windows (Experimental) +============================= +https://openjdk.java.net/jeps/365 + +Port the ZGC garbage collector to Windows. + +ZGC: A Scalable Low-Latency Garbage Collector (Production) +========================================================== +https://openjdk.java.net/jeps/377 + +Change the Z Garbage Collector from an experimental feature into a +product feature. + +ZGC: Concurrent Thread-Stack Processing +======================================= +https://openjdk.java.net/jeps/376 + +Move ZGC thread-stack processing from safepoints to a concurrent +phase. + +Elastic Metaspace +================= +https://openjdk.java.net/jeps/387 + +Return unused HotSpot class-metadata (i.e., metaspace) memory to the +operating system more promptly, reduce metaspace footprint, and +simplify the metaspace code in order to reduce maintenance costs. + +Ports +===== + +Alpine Linux Port +================= +https://openjdk.java.net/jeps/386 + +Port the JDK to Alpine Linux, and to other Linux distributions that +use musl as their primary C library, on both the x64 and AArch64 +architectures, + +Windows/AArch64 Port +==================== +https://openjdk.java.net/jeps/388 + +Port the JDK to Windows/AArch64. + +New macOS Rendering Pipeline +============================ +https://openjdk.java.net/jeps/382 + +Implement a Java 2D internal rendering pipeline for macOS using the +Apple Metal API as alternative to the existing pipeline, which uses +the deprecated Apple OpenGL API. + +macOS/AArch64 Port +================== +https://openjdk.java.net/jeps/391 + +Port the JDK to macOS/AArch64. + +DEPRECATIONS +============ + +Deprecate the ParallelScavenge + SerialOld GC Combination +========================================================= +https://openjdk.java.net/jeps/366 + +Deprecate the combination of the Parallel Scavenge and Serial Old +garbage collection algorithms. + +Deprecate and Disable Biased Locking +==================================== +https://openjdk.java.net/jeps/374 + +Disable biased locking by default, and deprecate all related +command-line options. + +Warnings for Value-Based Classes +================================ +https://openjdk.java.net/jeps/390 + +Designate the primitive wrapper classes as value-based and deprecate +their constructors for removal, prompting new deprecation +warnings. Provide warnings about improper attempts to synchronize on +instances of any value-based classes in the Java Platform. + +Deprecate the Applet API for Removal +==================================== +https://openjdk.java.net/jeps/398 + +Deprecate the Applet API for removal. It is essentially irrelevant +since all web-browser vendors have either removed support for Java +browser plug-ins or announced plans to do so. + +Deprecate the Security Manager for Removal +========================================== +https://openjdk.java.net/jeps/411 + +Deprecate the Security Manager for removal in a future release. The +Security Manager dates from Java 1.0. It has not been the primary +means of securing client-side Java code for many years, and it has +rarely been used to secure server-side code. To move Java forward, we +intend to deprecate the Security Manager for removal in concert with +the legacy Applet API (see above). . + +REMOVALS +======== + +Remove the Concurrent Mark Sweep (CMS) Garbage Collector +======================================================== +https://openjdk.java.net/jeps/363 + +Remove the Concurrent Mark Sweep (CMS) garbage collector. + +Remove the Pack200 Tools and API +================================ +https://openjdk.java.net/jeps/336 +https://openjdk.java.net/jeps/367 + +Remove the `pack200` and `unpack200` tools, and the `Pack200` API in +the `java.util.jar` package. These tools and API were deprecated for +removal in OpenJDK 11 with the express intent to remove them in a +future release. + +Remove the Nashorn JavaScript Engine +==================================== +https://openjdk.java.net/jeps/372 + +Remove the Nashorn JavaScript script engine and APIs, and the `jjs` +tool. The engine, the APIs, and the tool were deprecated for removal +in OpenJDK 11 with the express intent to remove them in a future +release. + +Remove the Solaris and SPARC Ports +================================== +https://openjdk.java.net/jeps/362 +https://openjdk.java.net/jeps/381 + +Remove the source code and build support for the Solaris/SPARC, +Solaris/x64, and Linux/SPARC ports. These ports were deprecated for +removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381). + +Remove RMI Activation +===================== +https://openjdk.java.net/jeps/385 +https://openjdk.java.net/jeps/407 +https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html + +Remove the Remote Method Invocation (RMI) Activation mechanism, while +preserving the rest of RMI. RMI Activation is an obsolete part of RMI +that has been optional since OpenJDK 8 and was deprecated in OpenJDK +15. + +Remove the Experimental AOT and JIT Compiler +============================================ +https://openjdk.java.net/jeps/410 + +Remove the experimental Java-based ahead-of-time (AOT) and +just-in-time (JIT) compiler. This compiler has seen little use since +its introduction and the effort required to maintain it is +significant. Retain the experimental Java-level JVM compiler +interface (JVMCI) so that developers can continue to use +externally-built versions of the compiler for JIT compilation. diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..2967a32 --- /dev/null +++ b/TestSecurityProperties.java @@ -0,0 +1,84 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(propsFile)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + +} diff --git a/TestTranslations.java b/TestTranslations.java new file mode 100644 index 0000000..dbea417 --- /dev/null +++ b/TestTranslations.java @@ -0,0 +1,140 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET", + "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST", + "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + String localeProvider = args[0]; + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + for (Locale l : KYIV.keySet()) { + String[] expected = KYIV.get(l); + for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/fips-17u-0bd5ca9ccc5.patch b/fips-17u-0bd5ca9ccc5.patch new file mode 100644 index 0000000..86fb1ab --- /dev/null +++ b/fips-17u-0bd5ca9ccc5.patch @@ -0,0 +1,5585 @@ +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..b2b1c1787da +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,84 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index a65d91ee974..a8f054c1397 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index c2c9c4adf3a..9d105b37acf 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 5658ff342e5..c8bc5bde1e1 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +index 1fd6230d83b..683e3dd3a8d 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +@@ -25,13 +25,12 @@ + + package com.sun.crypto.provider; + +-import java.util.Arrays; +- + import javax.crypto.SecretKey; + import javax.crypto.spec.SecretKeySpec; +-import javax.crypto.spec.PBEParameterSpec; ++import javax.crypto.spec.PBEKeySpec; + import java.security.*; + import java.security.spec.*; ++import sun.security.util.PBEUtil; + + /** + * This is an implementation of the HMAC algorithms as defined +@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { + */ + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { +- char[] passwdChars; +- byte[] salt = null; +- int iCount = 0; +- if (key instanceof javax.crypto.interfaces.PBEKey) { +- javax.crypto.interfaces.PBEKey pbeKey = +- (javax.crypto.interfaces.PBEKey) key; +- passwdChars = pbeKey.getPassword(); +- salt = pbeKey.getSalt(); // maybe null if unspecified +- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified +- } else if (key instanceof SecretKey) { +- byte[] passwdBytes; +- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || +- (passwdBytes = key.getEncoded()) == null) { +- throw new InvalidKeyException("Missing password"); +- } +- passwdChars = new char[passwdBytes.length]; +- for (int i=0; i attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); + +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index ff2bc942c03..96a3ba4040c 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -47,12 +48,20 @@ import sun.security.jca.*; + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -84,6 +106,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -99,6 +122,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -193,6 +217,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..98ffced455b +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,249 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean systemSecPropsLoaded = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ systemSecPropsLoaded = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return systemSecPropsLoaded; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index f6d3638c3dd..a1ee182d913 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -39,6 +39,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -81,6 +82,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -442,4 +444,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 63bb580eb3a..dbbf11bbb22 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -152,6 +152,8 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.cryptoki, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.net, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..709d32912ca 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,99 +99,101 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); +- +- attrs.remove("KeySize"); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); +- /* +- * Key Pair Generator engines +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ /* ++ * Key Pair Generator engines ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -201,40 +208,42 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- +- /* +- * Digest engines +- */ +- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); +- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index ca79f25cc44..225517ac69b 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { + // start populating content using the specified provider + // common attribute map + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ } + + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index 6ffdfeda18d..82e896170f0 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -32,6 +32,7 @@ import java.security.cert.*; + import java.util.*; + import java.util.concurrent.locks.ReentrantLock; + import javax.net.ssl.*; ++import jdk.internal.access.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java +new file mode 100644 +index 00000000000..dc8bc72fccb +--- /dev/null ++++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java +@@ -0,0 +1,297 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.util; ++ ++import java.security.AlgorithmParameters; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.Key; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidParameterSpecException; ++import java.util.Arrays; ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++public final class PBEUtil { ++ ++ // Used by SunJCE and SunPKCS11 ++ public final static class PBES2Helper { ++ private int iCount; ++ private byte[] salt; ++ private IvParameterSpec ivSpec; ++ private final int defaultSaltLength; ++ private final int defaultCount; ++ ++ public PBES2Helper(int defaultSaltLength, int defaultCount) { ++ this.defaultSaltLength = defaultSaltLength; ++ this.defaultCount = defaultCount; ++ } ++ ++ public IvParameterSpec getIvSpec() { ++ return ivSpec; ++ } ++ ++ public AlgorithmParameters getAlgorithmParameters( ++ int blkSize, String pbeAlgo, Provider p, SecureRandom random) { ++ AlgorithmParameters params = null; ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if (ivSpec == null) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ PBEParameterSpec pbeSpec = new PBEParameterSpec( ++ salt, iCount, ivSpec); ++ try { ++ params = (p == null) ? ++ AlgorithmParameters.getInstance(pbeAlgo) : ++ AlgorithmParameters.getInstance(pbeAlgo, p); ++ params.init(pbeSpec); ++ } catch (NoSuchAlgorithmException nsae) { ++ // should never happen ++ throw new RuntimeException("AlgorithmParameters for " ++ + pbeAlgo + " not configured"); ++ } catch (InvalidParameterSpecException ipse) { ++ // should never happen ++ throw new RuntimeException("PBEParameterSpec not supported"); ++ } ++ return params; ++ } ++ ++ public PBEKeySpec getPBEKeySpec( ++ int blkSize, int keyLength, int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ ++ if (key == null) { ++ throw new InvalidKeyException("Null key"); ++ } ++ ++ byte[] passwdBytes = key.getEncoded(); ++ char[] passwdChars = null; ++ PBEKeySpec pbeSpec; ++ try { ++ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches( ++ true, 0, "PBE", 0, 3))) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ ++ // TBD: consolidate the salt, ic and IV parameter checks below ++ ++ // Extract salt and iteration count from the key, if present ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt(); ++ if (salt != null && salt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ iCount = ((javax.crypto.interfaces.PBEKey)key) ++ .getIterationCount(); ++ if (iCount == 0) { ++ iCount = defaultCount; ++ } else if (iCount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ } ++ ++ // Extract salt, iteration count and IV from the params, ++ // if present ++ if (params == null) { ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ } else { ++ if (!(params instanceof PBEParameterSpec)) { ++ throw new InvalidAlgorithmParameterException ++ ("Wrong parameter type: PBE expected"); ++ } ++ // salt and iteration count from the params take precedence ++ byte[] specSalt = ((PBEParameterSpec) params).getSalt(); ++ if (specSalt != null && specSalt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ salt = specSalt; ++ int specICount = ((PBEParameterSpec) params) ++ .getIterationCount(); ++ if (specICount == 0) { ++ specICount = defaultCount; ++ } else if (specICount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ iCount = specICount; ++ ++ AlgorithmParameterSpec specParams = ++ ((PBEParameterSpec) params).getParameterSpec(); ++ if (specParams != null) { ++ if (specParams instanceof IvParameterSpec) { ++ ivSpec = (IvParameterSpec)specParams; ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: IV expected"); ++ } ++ } else if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Missing parameter type: IV expected"); ++ } ++ } ++ ++ passwdChars = new char[passwdBytes.length]; ++ for (int i = 0; i < passwdChars.length; i++) ++ passwdChars[i] = (char) (passwdBytes[i] & 0x7f); ++ ++ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength); ++ // password char[] was cloned in PBEKeySpec constructor, ++ // so we can zero it out here ++ } finally { ++ if (passwdChars != null) Arrays.fill(passwdChars, '\0'); ++ if (passwdBytes != null) Arrays.fill(passwdBytes, (byte)0x00); ++ } ++ return pbeSpec; ++ } ++ ++ public static AlgorithmParameterSpec getParameterSpec( ++ AlgorithmParameters params) ++ throws InvalidAlgorithmParameterException { ++ AlgorithmParameterSpec pbeSpec = null; ++ if (params != null) { ++ try { ++ pbeSpec = params.getParameterSpec(PBEParameterSpec.class); ++ } catch (InvalidParameterSpecException ipse) { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: PBE expected"); ++ } ++ } ++ return pbeSpec; ++ } ++ } ++ ++ // Used by SunJCE and SunPKCS11 ++ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ char[] passwdChars; ++ byte[] salt = null; ++ int iCount = 0; ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ javax.crypto.interfaces.PBEKey pbeKey = ++ (javax.crypto.interfaces.PBEKey) key; ++ passwdChars = pbeKey.getPassword(); ++ salt = pbeKey.getSalt(); // maybe null if unspecified ++ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified ++ } else if (key instanceof SecretKey) { ++ byte[] passwdBytes; ++ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || ++ (passwdBytes = key.getEncoded()) == null) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ passwdChars = new char[passwdBytes.length]; ++ for (int i=0; i ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..8cfa2734d4e +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,461 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static volatile KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey ++ ); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index 9b69072280e..5696b904979 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; + */ + abstract class P11Key implements Key, Length { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final long serialVersionUID = -2575874101938349339L; + + private static final String PUBLIC = "public"; +@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length { + this.tokenObject = tokenObject; + this.sensitive = sensitive; + this.extractable = extractable; +- char[] tokenLabel = this.token.tokenInfo.label; +- boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' +- && tokenLabel[2] == 'S'); ++ boolean isNSS = P11Util.isNSS(this.token); + boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && + extractable && !tokenObject); + this.keyIDHolder = new NativeKeyHolder(this, keyID, session, +@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_SENSITIVE), + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); +- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ if (!exportable && (attributes[1].getBoolean() || ++ (attributes[2].getBoolean() == false))) { + return new P11PrivateKey + (session, keyID, algorithm, keyLength, attributes); + } else { +@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length { + } + public String getFormat() { + token.ensureValid(); +- if (sensitive || (extractable == false)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || (extractable == false))) { + return null; + } else { + return "RAW"; +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +index ba0b7faf3f8..4840a116b34 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +@@ -29,14 +29,17 @@ import java.nio.ByteBuffer; + + import java.security.*; + import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidKeySpecException; + + import javax.crypto.MacSpi; ++import javax.crypto.spec.PBEKeySpec; + + import sun.nio.ch.DirectBuffer; + + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.util.PBEUtil; + + /** + * MAC implementation class. This class currently supports HMAC using +@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi { + // see JCE spec + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { +- if (params != null) { +- throw new InvalidAlgorithmParameterException +- ("Parameters not supported"); ++ if (algorithm.startsWith("HmacPBE")) { ++ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params); ++ reset(true); ++ try { ++ p11Key = P11SecretKeyFactory.derivePBEKey( ++ token, pbeSpec, algorithm); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ } else { ++ if (params != null) { ++ throw new InvalidAlgorithmParameterException ++ ("Parameters not supported"); ++ } ++ reset(true); ++ p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); + } +- reset(true); +- p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); + try { + initialize(); + } catch (PKCS11Exception e) { +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java +new file mode 100644 +index 00000000000..ae4262703e6 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java +@@ -0,0 +1,200 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.security.AlgorithmParameters; ++import java.security.Key; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.NoSuchAlgorithmException; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidKeySpecException; ++import javax.crypto.BadPaddingException; ++import javax.crypto.CipherSpi; ++import javax.crypto.IllegalBlockSizeException; ++import javax.crypto.NoSuchPaddingException; ++import javax.crypto.ShortBufferException; ++import javax.crypto.spec.PBEKeySpec; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.util.PBEUtil; ++ ++final class P11PBECipher extends CipherSpi { ++ ++ private static final int DEFAULT_SALT_LENGTH = 20; ++ private static final int DEFAULT_COUNT = 4096; ++ ++ private final Token token; ++ private final String pbeAlg; ++ private final P11Cipher cipher; ++ private final int blkSize; ++ private final int keyLen; ++ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper( ++ DEFAULT_SALT_LENGTH, DEFAULT_COUNT); ++ ++ P11PBECipher(Token token, String pbeAlg, long cipherMech) ++ throws PKCS11Exception, NoSuchAlgorithmException { ++ super(); ++ String cipherTrans; ++ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) { ++ cipherTrans = "AES/CBC/PKCS5Padding"; ++ } else { ++ throw new NoSuchAlgorithmException( ++ "Cipher transformation not supported."); ++ } ++ cipher = new P11Cipher(token, cipherTrans, cipherMech); ++ blkSize = cipher.engineGetBlockSize(); ++ assert P11Util.kdfDataMap.get(pbeAlg) != null; ++ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen; ++ this.pbeAlg = pbeAlg; ++ this.token = token; ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineSetMode(String mode) ++ throws NoSuchAlgorithmException { ++ cipher.engineSetMode(mode); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineSetPadding(String padding) ++ throws NoSuchPaddingException { ++ cipher.engineSetPadding(padding); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetBlockSize() { ++ return cipher.engineGetBlockSize(); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetOutputSize(int inputLen) { ++ return cipher.engineGetOutputSize(inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineGetIV() { ++ return cipher.engineGetIV(); ++ } ++ ++ // see JCE spec ++ @Override ++ protected AlgorithmParameters engineGetParameters() { ++ return pbes2Helper.getAlgorithmParameters( ++ blkSize, pbeAlg, null, JCAUtil.getSecureRandom()); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ SecureRandom random) throws InvalidKeyException { ++ try { ++ engineInit(opmode, key, (AlgorithmParameterSpec) null, random); ++ } catch (InvalidAlgorithmParameterException e) { ++ throw new InvalidKeyException("requires PBE parameters", e); ++ } ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, ++ InvalidAlgorithmParameterException { ++ ++ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen, ++ opmode, key, params, random); ++ ++ Key derivedKey; ++ try { ++ derivedKey = P11SecretKeyFactory.derivePBEKey( ++ token, pbeSpec, pbeAlg); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ AlgorithmParameters params, SecureRandom random) ++ throws InvalidKeyException, ++ InvalidAlgorithmParameterException { ++ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params), ++ random); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineUpdate(byte[] input, int inputOffset, ++ int inputLen) { ++ return cipher.engineUpdate(input, inputOffset, inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineUpdate(byte[] input, int inputOffset, ++ int inputLen, byte[] output, int outputOffset) ++ throws ShortBufferException { ++ return cipher.engineUpdate(input, inputOffset, inputLen, ++ output, outputOffset); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineDoFinal(byte[] input, int inputOffset, ++ int inputLen) ++ throws IllegalBlockSizeException, BadPaddingException { ++ return cipher.engineDoFinal(input, inputOffset, inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineDoFinal(byte[] input, int inputOffset, ++ int inputLen, byte[] output, int outputOffset) ++ throws ShortBufferException, IllegalBlockSizeException, ++ BadPaddingException { ++ return cipher.engineDoFinal(input, inputOffset, inputLen, output, ++ outputOffset); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetKeySize(Key key) ++ throws InvalidKeyException { ++ return cipher.engineGetKeySize(key); ++ } ++ ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +index c98960f7fcc..c14319a5356 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.spec.*; + + import javax.crypto.*; ++import javax.crypto.interfaces.PBEKey; + import javax.crypto.spec.*; + + import static sun.security.pkcs11.TemplateManager.*; +@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + return p11Key; + } + ++ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo) ++ throws InvalidKeySpecException { ++ token.ensureValid(); ++ if (keySpec == null) { ++ throw new InvalidKeySpecException("PBEKeySpec must not be null"); ++ } ++ Session session = null; ++ try { ++ session = token.getObjSession(); ++ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo); ++ CK_MECHANISM ckMech; ++ char[] password = keySpec.getPassword(); ++ byte[] salt = keySpec.getSalt(); ++ int itCount = keySpec.getIterationCount(); ++ int keySize = keySpec.getKeyLength(); ++ if (kdfData.keyLen != -1) { ++ if (keySize == 0) { ++ keySize = kdfData.keyLen; ++ } else if (keySize != kdfData.keyLen) { ++ throw new InvalidKeySpecException( ++ "Key length is invalid for " + algo); ++ } ++ } ++ ++ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { ++ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion; ++ if (P11Util.isNSS(token) || p11Ver.major < 2 || ++ p11Ver.major == 2 && p11Ver.minor < 40) { ++ // NSS keeps using the old structure beyond PKCS #11 v2.40 ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PKCS5_PBKD2_PARAMS(password, salt, ++ itCount, kdfData.prfMech)); ++ } else { ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PKCS5_PBKD2_PARAMS2(password, salt, ++ itCount, kdfData.prfMech)); ++ } ++ } else { ++ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2) ++ if (P11Util.isNSS(token)) { ++ // According to PKCS #11, "password" in CK_PBE_PARAMS has ++ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded ++ // in UTF-8. However, NSS expects the password to be encoded ++ // as BMPString with a NULL terminator when C_GenerateKey ++ // is called for a PKCS #12 "General Method" derivation ++ // (see RFC 7292, Appendix B.1). ++ // ++ // The char size in Java is 2 bytes. When a char is ++ // converted to a CK_UTF8CHAR, the high-order byte is ++ // discarded (see jCharArrayToCKUTF8CharArray in ++ // p11_util.c). In order to have a BMPString passed to ++ // C_GenerateKey, we need to account for that and expand: ++ // the high and low parts of each char are split into 2 ++ // chars. As an example, this is the transformation for ++ // a NULL terminated password "a": ++ // char[] => [ 0x0061, 0x0000 ] ++ // / \ / \ ++ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000] ++ // | | | | ++ // BMPString => [ 0x00, 0x61, 0x00, 0x00] ++ // ++ int inputLength = (password == null) ? 0 : password.length; ++ char[] expPassword = new char[inputLength * 2 + 2]; ++ for (int i = 0, j = 0; i < inputLength; i++, j += 2) { ++ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF); ++ expPassword[j + 1] = (char) (password[i] & 0xFF); ++ } ++ password = expPassword; ++ } ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PBE_PARAMS(password, salt, itCount)); ++ } ++ ++ long keyType = getKeyType(kdfData.keyAlgo); ++ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[ ++ switch (kdfData.op) { ++ case ENCRYPTION, AUTHENTICATION -> 4; ++ case GENERIC -> 5; ++ }]; ++ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); ++ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3); ++ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); ++ switch (kdfData.op) { ++ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE; ++ case GENERIC -> { ++ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE; ++ } ++ } ++ CK_ATTRIBUTE[] attr = token.getAttributes( ++ O_GENERATE, CKO_SECRET_KEY, keyType, attrs); ++ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr); ++ return (P11Key)P11Key.secretKey( ++ session, keyID, kdfData.keyAlgo, keySize, attr); ++ } catch (PKCS11Exception e) { ++ throw new InvalidKeySpecException("Could not create key", e); ++ } finally { ++ token.releaseSession(session); ++ } ++ } ++ ++ static P11Key derivePBEKey(Token token, PBEKey key, String algo) ++ throws InvalidKeyException { ++ token.ensureValid(); ++ if (key == null) { ++ throw new InvalidKeyException("PBEKey must not be null"); ++ } ++ P11Key p11Key = token.secretCache.get(key); ++ if (p11Key != null) { ++ return p11Key; ++ } ++ try { ++ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(), ++ key.getSalt(), key.getIterationCount()), algo); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ token.secretCache.put(key, p11Key); ++ return p11Key; ++ } ++ + static void fixDESParity(byte[] key, int offset) { + for (int i = 0; i < 8; i++) { + int b = key[offset] & 0xfe; +@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + keySpec = new SecretKeySpec(keyBytes, "DESede"); + return engineGenerateSecret(keySpec); + } ++ } else if (keySpec instanceof PBEKeySpec) { ++ return (SecretKey)derivePBEKey(token, ++ (PBEKeySpec)keySpec, algorithm); + } + throw new InvalidKeySpecException + ("Unsupported spec: " + keySpec.getClass().getName()); +@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + // see JCE spec + protected SecretKey engineTranslateKey(SecretKey key) + throws InvalidKeyException { ++ if (key instanceof PBEKey) { ++ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm); ++ } + return (SecretKey)convertKey(token, key, algorithm); + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +index 262cfc062ad..72b64f72c0a 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +@@ -27,6 +27,10 @@ package sun.security.pkcs11; + + import java.math.BigInteger; + import java.security.*; ++import java.util.HashMap; ++import java.util.Map; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * Collection of static utility methods. +@@ -40,10 +44,106 @@ public final class P11Util { + + private static volatile Provider sun, sunRsaSign, sunJce; + ++ // Used by PBE ++ static final class KDFData { ++ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC} ++ public long kdfMech; ++ public long prfMech; ++ public String keyAlgo; ++ public int keyLen; ++ public Operation op; ++ KDFData(long kdfMech, long prfMech, String keyAlgo, ++ int keyLen, Operation op) { ++ this.kdfMech = kdfMech; ++ this.prfMech = prfMech; ++ this.keyAlgo = keyAlgo; ++ this.keyLen = keyLen; ++ this.op = op; ++ } ++ ++ public static void addPbkdf2Data(String algo, long kdfMech, ++ long prfMech) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "Generic", -1, Operation.GENERIC)); ++ } ++ ++ public static void addPbkdf2AesData(String algo, long kdfMech, ++ long prfMech, int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "AES", keyLen, Operation.ENCRYPTION)); ++ } ++ ++ public static void addPkcs12KDData(String algo, long kdfMech, ++ int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, -1, ++ "Generic", keyLen, Operation.AUTHENTICATION)); ++ } ++ } ++ ++ static final Map kdfDataMap = new HashMap<>(); ++ ++ static { ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256); ++ ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512); ++ ++ KDFData.addPkcs12KDData("HmacPBESHA1", ++ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160); ++ KDFData.addPkcs12KDData("HmacPBESHA224", ++ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224); ++ KDFData.addPkcs12KDData("HmacPBESHA256", ++ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256); ++ KDFData.addPkcs12KDData("HmacPBESHA384", ++ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384); ++ KDFData.addPkcs12KDData("HmacPBESHA512", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/224", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/256", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ } ++ + private P11Util() { + // empty + } + ++ static boolean isNSS(Token token) { ++ char[] tokenLabel = token.tokenInfo.label; ++ if (tokenLabel != null && tokenLabel.length >= 3) { ++ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' ++ && tokenLabel[2] == 'S'); ++ } ++ return false; ++ } ++ + static Provider getSunProvider() { + Provider p = sun; + if (p == null) { +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 112b639aa96..3e170b4c115 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; +@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +- CK_INFO p11Info = p11.C_GetInfo(); ++ CK_INFO p11Info = p11.getInfo(); + if (p11Info.cryptokiVersion.major < 2) { + throw new ProviderException("Only PKCS#11 v2.0 and later " + + "supported, library version is v" + p11Info.cryptokiVersion); +@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider { + final String className; + final List aliases; + final int[] mechanisms; ++ final int[] requiredMechs; + ++ // mechanisms is a list of possible mechanisms that implement the ++ // algorithm, at least one of them must be available. requiredMechs ++ // is a list of auxiliary mechanisms, all of them must be available + private Descriptor(String type, String algorithm, String className, +- List aliases, int[] mechanisms) { ++ List aliases, int[] mechanisms, int[] requiredMechs) { + this.type = type; + this.algorithm = algorithm; + this.className = className; + this.aliases = aliases; + this.mechanisms = mechanisms; ++ this.requiredMechs = requiredMechs; + } + private P11Service service(Token token, int mechanism) { + return new P11Service +@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider { + + private static void d(String type, String algorithm, String className, + int[] m) { +- register(new Descriptor(type, algorithm, className, null, m)); ++ register(new Descriptor(type, algorithm, className, null, m, null)); + } + + private static void d(String type, String algorithm, String className, + List aliases, int[] m) { +- register(new Descriptor(type, algorithm, className, aliases, m)); ++ register(new Descriptor(type, algorithm, className, aliases, m, null)); ++ } ++ ++ private static void d(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, null, m, ++ requiredMechs)); ++ } ++ private static void dA(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, ++ getAliases(algorithm), m, requiredMechs)); + } + + private static void dA(String type, String algorithm, String className, + int[] m) { + register(new Descriptor(type, algorithm, className, +- getAliases(algorithm), m)); ++ getAliases(algorithm), m, null)); + } + + private static void register(Descriptor d) { +@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider { + String P11Cipher = "sun.security.pkcs11.P11Cipher"; + String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; + String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; ++ String P11PBECipher = "sun.security.pkcs11.P11PBECipher"; + String P11Signature = "sun.security.pkcs11.P11Signature"; + String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; + +@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider { + d(MAC, "SslMacSHA1", P11Mac, + m(CKM_SSL3_SHA1_MAC)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBA HMacs ++ * ++ * KeyDerivationMech must be supported ++ * for these services to be available. ++ * ++ */ ++ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC), ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ } ++ + d(KPG, "RSA", P11KeyPairGenerator, + getAliases("PKCS1"), + m(CKM_RSA_PKCS_KEY_PAIR_GEN)); +@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider { + d(SKF, "ChaCha20", P11SecretKeyFactory, + m(CKM_CHACHA20_POLY1305)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Secret Key Factories ++ * ++ * KeyDerivationPrf must be supported for these services ++ * to be available. ++ * ++ */ ++ d(SKF, "PBEWithHmacSHA1AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ d(SKF, "PBEWithHmacSHA1AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ /* ++ * PBA Secret Key Factories ++ */ ++ d(SKF, "HmacPBESHA1", P11SecretKeyFactory, ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(SKF, "HmacPBESHA224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA384", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ /* ++ * PBKDF2 Secret Key Factories ++ */ ++ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ } ++ + // XXX attributes for Ciphers (supported modes, padding) + dA(CIP, "ARCFOUR", P11Cipher, + m(CKM_RC4)); +@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider { + d(CIP, "RSA/ECB/NoPadding", P11RSACipher, + m(CKM_RSA_X_509)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Ciphers ++ * ++ * KeyDerivationMech and KeyDerivationPrf must be supported ++ * for these services to be available. ++ * ++ */ ++ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ } ++ + d(SIG, "RawDSA", P11Signature, + List.of("NONEwithDSA"), + m(CKM_DSA)); +@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider { + if (ds == null) { + continue; + } ++ descLoop: + for (Descriptor d : ds) { + Integer oldMech = supportedAlgs.get(d); + if (oldMech == null) { ++ if (d.requiredMechs != null) { ++ // Check that other mechanisms required for the ++ // service are supported before listing it as ++ // available for the first time. ++ for (int requiredMech : d.requiredMechs) { ++ if (token.getMechanismInfo( ++ requiredMech & 0xFFFFFFFFL) == null) { ++ continue descLoop; ++ } ++ } ++ } + supportedAlgs.put(d, integerMech); + continue; + } +@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider { + } else if (algorithm.endsWith("GCM/NoPadding") || + algorithm.startsWith("ChaCha20-Poly1305")) { + return new P11AEADCipher(token, algorithm, mechanism); ++ } else if (algorithm.startsWith("PBE")) { ++ return new P11PBECipher(token, algorithm, mechanism); + } else { + return new P11Cipher(token, algorithm, mechanism); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +index 88ff8a71fc3..47a2f97eddf 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS { + } + + /** +- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. ++ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS. + * +- * @return the string representation of CK_PKCS5_PBKD2_PARAMS ++ * @return the string representation of CK_ECDH1_DERIVE_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +index 0c9ebb289c1..b4b2448464d 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +@@ -160,6 +160,18 @@ public class CK_MECHANISM { + init(mechanism, params); + } + ++ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) { ++ init(mechanism, params); ++ } ++ + // For PSS. the parameter may be set multiple times, use the + // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS) + // methods instead of creating yet another constructor +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +index e8b048869c4..a25fa1c39e5 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper; + + + /** +- * class CK_PBE_PARAMS provides all of the necessary information required byte ++ * class CK_PBE_PARAMS provides all the necessary information required by + * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

+ * PKCS#11 structure: + * 

+  * typedef struct CK_PBE_PARAMS {
+- *   CK_CHAR_PTR pInitVector;
+- *   CK_CHAR_PTR pPassword;
++ *   CK_BYTE_PTR pInitVector;
++ *   CK_UTF8CHAR_PTR pPassword;
+  *   CK_ULONG ulPasswordLen;
+- *   CK_CHAR_PTR pSalt;
++ *   CK_BYTE_PTR pSalt;
+  *   CK_ULONG ulSaltLen;
+  *   CK_ULONG ulIteration;
+  * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pInitVector;
++     *   CK_BYTE_PTR pInitVector;
+      * 

+      */
+-    public char[] pInitVector;
++    public byte[] pInitVector;
+ 
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pPassword;
++     *   CK_UTF8CHAR_PTR pPassword;
+      *   CK_ULONG ulPasswordLen;
+      * 

+      */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pSalt
++     *   CK_BYTE_PTR pSalt
+      *   CK_ULONG ulSaltLen;
+      * 

+      */
+-    public char[] pSalt;
++    public byte[] pSalt;
+ 
+     /**
+      * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+      */
+     public long ulIteration;
+ 
++    public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++         this.pPassword = pPassword;
++         this.pSalt = pSalt;
++         this.ulIteration = ulIteration;
++     }
++
+     /**
+      * Returns the string representation of CK_PBE_PARAMS.
+      *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+ 
+ package sun.security.pkcs11.wrapper;
+ 
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
+ /**
+  * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+  * PKCS#11 structure:
+  * 
+  * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+  *   CK_VOID_PTR pSaltSourceData;
+  *   CK_ULONG ulSaltSourceDataLen;
+  *   CK_ULONG iterations;
+  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+  *   CK_VOID_PTR pPrfData;
+  *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG_PTR ulPasswordLen;
+  * } CK_PKCS5_PBKD2_PARAMS;
+  * 

+  *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+      */
+     public byte[] pPrfData;
+ 
++    /**
++     * PKCS#11:
++     * 
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG_PTR ulPasswordLen;
++     * 

++     */
++    public char[] pPassword;
++
++    public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++            long iterations, long prf) {
++        this.pPassword = pPassword;
++        this.pSaltSourceData = pSalt;
++        this.iterations = iterations;
++        this.prf = prf;
++        this.saltSource = CKZ_SALT_SPECIFIED;
++    }
++
+     /**
+      * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+      *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.

++ * PKCS#11 structure:
++ * 
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *   CK_VOID_PTR pSaltSourceData;
++ *   CK_ULONG ulSaltSourceDataLen;
++ *   CK_ULONG iterations;
++ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *   CK_VOID_PTR pPrfData;
++ *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ * 

++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++     * 

++     */
++    public long saltSource;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_VOID_PTR pSaltSourceData;
++     *   CK_ULONG ulSaltSourceDataLen;
++     * 

++     */
++    public byte[] pSaltSourceData;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_ULONG iterations;
++     * 

++     */
++    public long iterations;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++     * 

++     */
++    public long prf;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_VOID_PTR pPrfData;
++     *   CK_ULONG ulPrfDataLen;
++     * 

++     */
++    public byte[] pPrfData;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG ulPasswordLen;
++     * 

++     */
++    public char[] pPassword;
++
++    public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++            long iterations, long prf) {
++        this.pPassword = pPassword;
++        this.pSaltSourceData = pSalt;
++        this.iterations = iterations;
++        this.prf = prf;
++        this.saltSource = CKZ_SALT_SPECIFIED;
++    }
++
++    /**
++     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++     *
++     * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++     */
++    public String toString() {
++        StringBuilder sb = new StringBuilder();
++
++        sb.append(Constants.INDENT);
++        sb.append("saltSource: ");
++        sb.append(saltSource);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("pSaltSourceData: ");
++        sb.append(Functions.toHexString(pSaltSourceData));
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("ulSaltSourceDataLen: ");
++        sb.append(pSaltSourceData.length);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("iterations: ");
++        sb.append(iterations);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("prf: ");
++        sb.append(prf);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("pPrfData: ");
++        sb.append(Functions.toHexString(pPrfData));
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("ulPrfDataLen: ");
++        sb.append(pPrfData.length);
++
++        return sb.toString();
++    }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+     public byte[] pPublicData;
+ 
+     /**
+-     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++     * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+      *
+-     * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++     * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+      */
+     public String toString() {
+         StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..5fbf8addcba 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+ 
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+ 
+ import java.security.AccessController;
+@@ -113,6 +116,8 @@ public class PKCS11 {
+ 
+     private long pNativeData;
+ 
++    private CK_INFO pInfo;
++
+     /**
+      * This method does the initialization of the native library. It is called
+      * exactly once for this class.
+@@ -145,23 +150,49 @@ public class PKCS11 {
+      * @postconditions
+      */
+     PKCS11(String pkcs11ModulePath, String functionListName)
+-            throws IOException {
++            throws IOException, PKCS11Exception {
+         connect(pkcs11ModulePath, functionListName);
+         this.pkcs11ModulePath = pkcs11ModulePath;
++        pInfo = C_GetInfo();
++    }
++
++    /*
++     * Compatibility wrapper to allow this method to work as before
++     * when FIPS mode support is not active.
++     */
++    public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++           String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++           boolean omitInitialize) throws IOException, PKCS11Exception {
++        return getInstance(pkcs11ModulePath, functionList,
++                           pInitArgs, omitInitialize, null, null);
+     }
+ 
+     public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+             String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+-            boolean omitInitialize) throws IOException, PKCS11Exception {
++            boolean omitInitialize, MethodHandle fipsKeyImporter,
++            MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
+         // we may only call C_Initialize once per native .so/.dll
+         // so keep a cache using the (non-canonicalized!) path
+         PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+         if (pkcs11 == null) {
++            boolean nssFipsMode = fipsKeyImporter != null &&
++                    fipsKeyExporter != null;
+             if ((pInitArgs != null)
+                     && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+-                pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++                if (nssFipsMode) {
++                    pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++                            fipsKeyImporter, fipsKeyExporter);
++                } else {
++                    pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++                }
+             } else {
+-                pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++                if (nssFipsMode) {
++                    pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++                            functionList, fipsKeyImporter, fipsKeyExporter);
++                } else {
++                    pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++                }
+             }
+             if (omitInitialize == false) {
+                 try {
+@@ -179,6 +210,14 @@ public class PKCS11 {
+         return pkcs11;
+     }
+ 
++    /**
++     * Returns the CK_INFO structure fetched at initialization with
++     * C_GetInfo. This structure represent Cryptoki library information.
++     */
++    public CK_INFO getInfo() {
++        return pInfo;
++    }
++
+     /**
+      * Connects this object to the specified PKCS#11 library. This method is for
+      * internal use only.
+@@ -1625,7 +1664,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+ 
+     SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+-            throws IOException {
++            throws IOException, PKCS11Exception {
+         super(pkcs11ModulePath, functionListName);
+     }
+ 
+@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+         super.C_GenerateRandom(hSession, randomData);
+     }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++    private MethodHandle fipsKeyImporter;
++    private MethodHandle fipsKeyExporter;
++    private MethodHandle hC_GetAttributeValue;
++    FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++            MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
++        super(pkcs11ModulePath, functionListName);
++        this.fipsKeyImporter = fipsKeyImporter;
++        this.fipsKeyExporter = fipsKeyExporter;
++        try {
++            hC_GetAttributeValue = MethodHandles.insertArguments(
++                    MethodHandles.lookup().findSpecial(PKCS11.class,
++                            "C_GetAttributeValue", MethodType.methodType(
++                                    void.class, long.class, long.class,
++                                    CK_ATTRIBUTE[].class),
++                            FIPSPKCS11.class), 0, this);
++        } catch (Throwable t) {
++            throw new RuntimeException(
++                    "sun.security.pkcs11.wrapper.PKCS11" +
++                    "::C_GetAttributeValue method not found.", t);
++        }
++    }
++
++    public long C_CreateObject(long hSession,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        // Creating sensitive key objects from plain key material in a
++        // FIPS-configured NSS Software Token is not allowed. We apply
++        // a key-unwrapping scheme to achieve so.
++        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++            try {
++                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++                        .longValue();
++            } catch (Throwable t) {
++                if (t instanceof PKCS11Exception) {
++                    throw (PKCS11Exception)t;
++                }
++                throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                        t.getMessage());
++            }
++        }
++        return super.C_CreateObject(hSession, pTemplate);
++    }
++
++    public void C_GetAttributeValue(long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++                fipsKeyExporter, hSession, hObject, pTemplate);
++    }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++    private MethodHandle fipsKeyImporter;
++    private MethodHandle fipsKeyExporter;
++    private MethodHandle hC_GetAttributeValue;
++    SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++            MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
++        super(pkcs11ModulePath, functionListName);
++        this.fipsKeyImporter = fipsKeyImporter;
++        this.fipsKeyExporter = fipsKeyExporter;
++        try {
++            hC_GetAttributeValue = MethodHandles.insertArguments(
++                    MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++                            "C_GetAttributeValue", MethodType.methodType(
++                                    void.class, long.class, long.class,
++                                    CK_ATTRIBUTE[].class),
++                            SynchronizedFIPSPKCS11.class), 0, this);
++        } catch (Throwable t) {
++            throw new RuntimeException(
++                    "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++                    "::C_GetAttributeValue method not found.", t);
++        }
++    }
++
++    public synchronized long C_CreateObject(long hSession,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        // See FIPSPKCS11::C_CreateObject.
++        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++            try {
++                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++                        .longValue();
++            } catch (Throwable t) {
++                if (t instanceof PKCS11Exception) {
++                    throw (PKCS11Exception)t;
++                }
++                throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                        t.getMessage());
++            }
++        }
++        return super.C_CreateObject(hSession, pTemplate);
++    }
++
++    public synchronized void C_GetAttributeValue(long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++                fipsKeyExporter, hSession, hObject, pTemplate);
++    }
++}
++
++private static class FIPSPKCS11Helper {
++    static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++        for (CK_ATTRIBUTE attr : pTemplate) {
++            if (attr.type == CKA_CLASS &&
++                    (attr.getLong() == CKO_PRIVATE_KEY ||
++                    attr.getLong() == CKO_SECRET_KEY)) {
++                return true;
++            }
++        }
++        return false;
++    }
++    static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++            MethodHandle fipsKeyExporter, long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        Map sensitiveAttrs = new HashMap<>();
++        List nonSensitiveAttrs = new LinkedList<>();
++        FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++                sensitiveAttrs, nonSensitiveAttrs);
++        try {
++            if (sensitiveAttrs.size() > 0) {
++                long keyClass = -1L;
++                long keyType = -1L;
++                try {
++                    // Secret and private keys have both class and type
++                    // attributes, so we can query them at once.
++                    CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++                            new CK_ATTRIBUTE(CKA_CLASS),
++                            new CK_ATTRIBUTE(CKA_KEY_TYPE),
++                    };
++                    hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++                    keyClass = queryAttrs[0].getLong();
++                    keyType = queryAttrs[1].getLong();
++                } catch (PKCS11Exception e) {
++                    // If the query fails, the object is neither a secret nor a
++                    // private key. As this case won't be handled with the FIPS
++                    // Key Exporter, we keep keyClass initialized to -1L.
++                }
++                if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++                    fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++                            sensitiveAttrs);
++                    if (nonSensitiveAttrs.size() > 0) {
++                        CK_ATTRIBUTE[] pNonSensitiveAttrs =
++                                new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++                        int i = 0;
++                        for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++                            pNonSensitiveAttrs[i++] = nonSensAttr;
++                        }
++                        hC_GetAttributeValue.invoke(hSession, hObject,
++                                pNonSensitiveAttrs);
++                        // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++                        // update the reference on the previous CK_ATTRIBUTEs
++                        i = 0;
++                        for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++                            nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++                        }
++                    }
++                    return;
++                }
++            }
++            hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++        } catch (Throwable t) {
++            if (t instanceof PKCS11Exception) {
++                throw (PKCS11Exception)t;
++            }
++            throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                    t.getMessage());
++        }
++    }
++    private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++            Map sensitiveAttrs,
++            List nonSensitiveAttrs) {
++        for (CK_ATTRIBUTE attr : pTemplate) {
++            long type = attr.type;
++            // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++            if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++                    type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++                    type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++                    type == CKA_COEFFICIENT) {
++                sensitiveAttrs.put(type, attr);
++            } else {
++                nonSensitiveAttrs.add(attr);
++            }
++        }
++    }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index d22844cfba8..9e02958b4b0 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+     public static final long  CKD_BLAKE2B_384_KDF      = 0x00000019L;
+     public static final long  CKD_BLAKE2B_512_KDF      = 0x0000001aL;
+ 
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
+-
+-    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
+-
+     public static final long  CK_OTP_VALUE            = 0x00000000L;
+     public static final long  CK_OTP_PIN              = 0x00000001L;
+     public static final long  CK_OTP_CHALLENGE        = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+     public static final long  CKF_HKDF_SALT_KEY    = 0x00000004L;
+     */
+ 
++    // PBKDF2 support, used in P11Util
++    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
++
+     // private NSS attribute (for DSA and DH private keys)
+     public static final long  CKA_NETSCAPE_DB         = 0xD5A0DB00L;
+ 
+     // base number of NSS private attributes
+     public static final long  CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+-                                                      = 0xCE534350L;
++    /*          now known as CKM_NSS ^        */      = 0xCE534350L;
+ 
+     // object type for NSS trust
+     public static final long  CKO_NETSCAPE_TRUST      = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+                                                              = 0xCE534355L;
+     public static final long  CKT_NETSCAPE_VALID             = 0xCE53435AL;
+     public static final long  CKT_NETSCAPE_VALID_DELEGATOR   = 0xCE53435BL;
++
++    // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++    public static final long  CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 29) */ = 0xCE53436DL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 30) */ = 0xCE53436EL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 31) */ = 0xCE53436FL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index 666c5eb9b3b..5523dafcdb4 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+         case CKM_PBE_SHA1_DES3_EDE_CBC:
+         case CKM_PBE_SHA1_DES2_EDE_CBC:
+         case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++        case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+             ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+             break;
+         case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+     // retrieve java values
+     jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+     if (jPbeParamsClass == NULL) { return NULL; }
+-    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+     if (fieldID == NULL) { return NULL; }
+     jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+-    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ 
+     // populate using java values
+     ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+-    jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++    jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++    jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++    jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+     }
+ }
+ 
++#define PBKD2_PARAM_SET(member, value)                              \
++    do {                                                            \
++        if(ckParamPtr->version == PARAMS) {                         \
++            ckParamPtr->params.v1.member = value;                   \
++        } else {                                                    \
++            ckParamPtr->params.v2.member = value;                   \
++        }                                                           \
++    } while(0)
++
++#define PBKD2_PARAM_ADDR(member)                                    \
++    (                                                               \
++        (ckParamPtr->version == PARAMS) ?                           \
++        (void*) &ckParamPtr->params.v1.member :                     \
++        (void*) &ckParamPtr->params.v2.member                       \
++    )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+  * pointer
+  *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+  * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+  */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+-    CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++    VersionedPbkd2ParamsPtr ckParamPtr;
++    ParamVersion paramVersion;
++    CK_ULONG_PTR pUlPasswordLen;
+     jclass jPkcs5Pbkd2ParamsClass;
+     jfieldID fieldID;
+     jlong jSaltSource, jIteration, jPrf;
+-    jobject jSaltSourceData, jPrfData;
++    jobject jSaltSourceData, jPrfData, jPassword;
+ 
+     if (pLength != NULL) {
+         *pLength = 0L;
+     }
+ 
+     // retrieve java values
+-    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+-    if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++    if ((jPkcs5Pbkd2ParamsClass =
++            (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++            && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++        paramVersion = PARAMS;
++    } else if ((jPkcs5Pbkd2ParamsClass =
++            (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++            && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++        paramVersion = PARAMS2;
++    } else {
++        return NULL;
++    }
+     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+     if (fieldID == NULL) { return NULL; }
+     jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++    fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++    if (fieldID == NULL) { return NULL; }
++    jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+ 
+-    // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+-    ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++    // allocate memory for VersionedPbkd2Params and store the structure version
++    ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+     if (ckParamPtr == NULL) {
+         throwOutOfMemoryError(env, 0);
+         return NULL;
+     }
++    ckParamPtr->version = paramVersion;
+ 
+     // populate using java values
+-    ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+-    jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+-            &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++    PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++    jByteArrayToCKByteArray(env, jSaltSourceData,
++            (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++            PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    ckParamPtr->iterations = jLongToCKULong(jIteration);
+-    ckParamPtr->prf = jLongToCKULong(jPrf);
+-    jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+-            &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++    PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++    PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++    jByteArrayToCKByteArray(env, jPrfData,
++            (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++            PBKD2_PARAM_ADDR(ulPrfDataLen));
++    if ((*env)->ExceptionCheck(env)) {
++        goto cleanup;
++    }
++    if (ckParamPtr->version == PARAMS) {
++        pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++        if (pUlPasswordLen == NULL) {
++            throwOutOfMemoryError(env, 0);
++            goto cleanup;
++        }
++        ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++    } else {
++        pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++    }
++    jCharArrayToCKUTF8CharArray(env, jPassword,
++            (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++            pUlPasswordLen);
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+ 
+     if (pLength != NULL) {
+-        *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++        *pLength = (ckParamPtr->version == PARAMS ?
++            sizeof(ckParamPtr->params.v1) :
++            sizeof(ckParamPtr->params.v2));
+     }
++    // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+     return ckParamPtr;
+ cleanup:
+-    free(ckParamPtr->pSaltSourceData);
+-    free(ckParamPtr->pPrfData);
++    FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+     free(ckParamPtr);
+     return NULL;
+ 
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+                  case CKM_CAMELLIA_CTR:
+                      // params do not contain pointers
+                      break;
++                 case CKM_PKCS5_PBKD2:
++                     // get the versioned structure from behind memory
++                     TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++                             "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++                             "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++                     FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++                     break;
++                 case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++                 case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++                     break;
+                  default:
+                      // currently unsupported mechs by SunPKCS11 provider
+                      // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+                      // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+-                     // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++                     // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+                      // PBE mechs, WTLS mechs, CMS mechs,
+                      // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+                      // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+     jboolean* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+     jbyte* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+     jlong* jTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+     if (jTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+     jchar* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+     jchar* jTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+     if (jTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+ 
+ #define CKA_NETSCAPE_BASE                       (0x80000000 + 0x4E534350)
++/*             ^ now known as CKM_NSS   (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE                 (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH          (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH          (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB                         0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL                 0x80000373
+ 
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 32)
++
+ /*
+ 
+  Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+ 
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+     jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ 
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++    union {
++        CK_PKCS5_PBKD2_PARAMS v1;
++        CK_PKCS5_PBKD2_PARAMS2 v2;
++    } params;
++    ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr)                  \
++    do {                                                            \
++        if ((verParamsPtr)->version == PARAMS) {                    \
++            free((verParamsPtr)->params.v1.pSaltSourceData);        \
++            free((verParamsPtr)->params.v1.pPrfData);               \
++            free((verParamsPtr)->params.v1.pPassword);              \
++            free((verParamsPtr)->params.v1.ulPasswordLen);          \
++        } else {                                                    \
++            free((verParamsPtr)->params.v2.pSaltSourceData);        \
++            free((verParamsPtr)->params.v2.pPrfData);               \
++            free((verParamsPtr)->params.v2.pPassword);              \
++        }                                                           \
++    } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+ 
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+ 
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+ 
+     private static final long serialVersionUID = -2279741672933606418L;
+ 
++    private static final boolean systemFipsEnabled =
++            SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++            .isSystemFipsEnabled();
++
+     private static class ProviderServiceA extends ProviderService {
+         ProviderServiceA(Provider p, String type, String algo, String cn,
+             HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+ 
+         putXDHEntries();
+         putEdDSAEntries();
+-
+-        /*
+-         * Signature engines
+-         */
+-        putService(new ProviderService(this, "Signature",
+-            "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+-            null, ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+-            ATTRS));
+-
+-        putService(new ProviderService(this, "Signature",
+-             "NONEwithECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$RawinP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA1withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA224withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA256withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA384withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA512withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+-        putService(new ProviderService(this, "Signature",
+-             "SHA3-224withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA3-256withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA3-384withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA3-512withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+-        /*
+-         *  Key Pair Generator engine
+-         */
+-        putService(new ProviderService(this, "KeyPairGenerator",
+-            "EC", "sun.security.ec.ECKeyPairGenerator",
+-            List.of("EllipticCurve"), ATTRS));
+-
+-        /*
+-         * Key Agreement engine
+-         */
+-        putService(new ProviderService(this, "KeyAgreement",
+-            "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++        if (!systemFipsEnabled) {
++            /*
++             * Signature engines
++             */
++            putService(new ProviderService(this, "Signature",
++                "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++                null, ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++                ATTRS));
++
++            putService(new ProviderService(this, "Signature",
++                 "NONEwithECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$RawinP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA1withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA224withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA256withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA384withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA512withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++            putService(new ProviderService(this, "Signature",
++                 "SHA3-224withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA3-256withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA3-384withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA3-512withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++            /*
++             *  Key Pair Generator engine
++             */
++            putService(new ProviderService(this, "KeyPairGenerator",
++                "EC", "sun.security.ec.ECKeyPairGenerator",
++                List.of("EllipticCurve"), ATTRS));
++
++            /*
++             * Key Agreement engine
++             */
++            putService(new ProviderService(this, "KeyAgreement",
++                "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++        }
+     }
+ 
+     private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+             "X448", "sun.security.ec.XDHKeyFactory.X448",
+             ATTRS));
+ 
+-        putService(new ProviderService(this, "KeyPairGenerator",
+-            "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+-            ATTRS));
+-
+-        putService(new ProviderService(this, "KeyAgreement",
+-            "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+-        putService(new ProviderServiceA(this, "KeyAgreement",
+-            "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "KeyAgreement",
+-            "X448", "sun.security.ec.XDHKeyAgreement.X448",
+-            ATTRS));
++        if (!systemFipsEnabled) {
++            putService(new ProviderService(this, "KeyPairGenerator",
++                "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++                ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++                ATTRS));
++
++            putService(new ProviderService(this, "KeyAgreement",
++                "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++            putService(new ProviderServiceA(this, "KeyAgreement",
++                "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++                ATTRS));
++            putService(new ProviderServiceA(this, "KeyAgreement",
++                "X448", "sun.security.ec.XDHKeyAgreement.X448",
++                ATTRS));
++        }
+     }
+ 
+     private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+         putService(new ProviderServiceA(this, "KeyFactory",
+             "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+ 
+-        putService(new ProviderService(this, "KeyPairGenerator",
+-            "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+-            ATTRS));
+-
+-        putService(new ProviderService(this, "Signature",
+-            "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++        if (!systemFipsEnabled) {
++            putService(new ProviderService(this, "KeyPairGenerator",
++                "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++                ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++                ATTRS));
++
++            putService(new ProviderService(this, "Signature",
++                "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++        }
+ 
+     }
+ }
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
new file mode 100644
index 0000000..2b6c729
--- /dev/null
+++ b/java-17-openjdk.spec
@@ -0,0 +1,3551 @@
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at  "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which  is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+#    rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# == rpm -ql           java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# != rpm -ql           java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64         aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le         ppc64le
+%global ppc64be         ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches    %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches      %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches      x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches       %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches    %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libjsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+%global gdb_arches %{jit_arches} %{zero_arches}
+
+# By default, we build a debug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
+%global debug_symbols internal
+
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images
+%global release_targets images docs-zip
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 5
+%global patchver 0
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver 17
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+  %global lts_designator "LTS"
+  %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver      6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 0bd5ca9ccc5
+
+# Standard JPackage naming and versioning defines
+%global origin          openjdk
+%global origin_nice     OpenJDK
+%global top_level_dir_name   %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver        8
+%global rpmrelease      2
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver         %{featurever}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga           1
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename  java-%{featurever}-%{origin}
+%global fullversion     %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage                jdk
+%global static_libs_image       static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir()    %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix()        %{expand:%{fullversion}.%{_arch}%{?1}}
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+#         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+#         https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir     %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir()      %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir()        %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk()        %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name     alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+%global family %{name}.%{_arch}
+%global family_noarch  %{name}
+
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka target_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
+%endif
+
+# not-duplicated scriptlets for normal/debug packages
+%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+
+%define save_alternatives() %{expand:
+  # warning! alternatives are localised!
+  # LANG=cs_CZ.UTF-8  alternatives --display java | head
+  # LANG=en_US.UTF-8  alternatives --display java | head
+  function nonLocalisedAlternativesDisplayOfMaster() {
+    LANG=en_US.UTF-8 alternatives --display "$MASTER"
+  }
+  function headOfAbove() {
+    nonLocalisedAlternativesDisplayOfMaster | head -n $1
+  }
+  MASTER="%{?1}"
+  LOCAL_LINK="%{?2}"
+  FAMILY="%{?3}"
+  rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+  if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+      if headOfAbove 1 | grep -q manual ; then
+        if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+           headOfAbove 2  > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+        fi
+      fi
+  fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  upgrade1_uninstal0=%{?3}
+  if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+    %{save_alternatives %{?1} %{?2} %{?4}}
+  fi
+  alternatives --remove  "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+  MASTER="%{?1}"
+  FAMILY="%{?2}"
+  ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+  if [ -e  "$ALTERNATIVES_FILE" ] ; then
+    rm "$ALTERNATIVES_FILE"
+    alternatives --set $MASTER $FAMILY
+  fi
+}
+
+
+%define post_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+}
+
+%define alternatives_java_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+  let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=java
+alternatives \\
+  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
+  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
+  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+  --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
+  --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
+  --slave %{_mandir}/man1/java.1$ext java.1$ext \\
+  %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
+  %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
+  %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
+  %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+  key=jre_"$X"
+  alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+  %{set_if_needed_alternatives $key %{family}}
+done
+
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+# see pretrans where this file is declared
+# also see that pretrans is only for non-debug
+if [ ! "%{?1}" == %{debug_suffix} ]; then
+  if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
+    sh  %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch}  %{_jvmdir}/%{sdkdir -- %{?1}}
+  fi
+fi
+
+exit 0
+}
+
+%define postun_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+    /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+    %{update_desktop_icons}
+fi
+exit 0
+}
+
+
+%define postun_headless() %{expand:
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  java  %{jrebindir -- %{?1}}/java $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
+}
+
+%define posttrans_script() %{expand:
+%{update_desktop_icons}
+}
+
+
+%define alternatives_javac_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+  let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=javac
+alternatives \\
+  --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{family} \\
+  --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
+  --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
+  --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+  --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+%endif
+%endif
+  --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
+  --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
+  --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
+  --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
+  --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
+  --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
+  --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
+  --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
+  --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
+  --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
+  --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
+  --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
+  --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
+  --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
+  --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
+  --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
+  --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
+  --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
+  --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
+  --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
+  --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
+  --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
+  %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
+  %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
+  %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
+  %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
+  %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+  %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
+  %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
+  %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
+  %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
+  %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
+  %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
+  %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
+  %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
+  %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
+  %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
+  %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
+  %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
+  %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives  $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+  key=java_sdk_"$X"
+  alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
+  %{set_if_needed_alternatives  $key %{family}}
+done
+
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
+%{set_if_needed_alternatives  $key %{family}}
+}
+
+%define post_devel() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+exit 0
+}
+
+%define postun_devel() %{expand:
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+
+if [ $1 -eq 0 ] ; then
+    /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+    %{update_desktop_icons}
+fi
+exit 0
+}
+
+%define posttrans_devel() %{expand:
+%{alternatives_javac_install --  %{?1}}
+%{update_desktop_icons}
+}
+
+%define alternatives_javadoc_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+  let PRIORITY=PRIORITY-1
+fi
+
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY  --family %{family_noarch}
+%{set_if_needed_alternatives  $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javadocdir  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+exit 0
+}
+
+%define alternatives_javadoczip_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+  let PRIORITY=PRIORITY-1
+fi
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY  --family %{family_noarch}
+%{set_if_needed_alternatives  $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc_zip() %{expand:
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javadoczip  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+exit 0
+}
+
+%define files_jre() %{expand:
+%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
+}
+
+
+%define files_jre_headless() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%dir %{_sysconfdir}/.java/.systemPrefs
+%dir %{_sysconfdir}/.java
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}
+%{_jvmdir}/%{sdkdir -- %{?1}}/release
+%{_jvmdir}/%{jrelnk -- %{?1}}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
+%ifarch %{jit_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
+%ifarch %{svml_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{share_arches}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%endif
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/sdp
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# This is a config template, thus not config-noreplace
+%config  %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config  %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
+
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+# Where recommendations are available, recommend Gtk+ for the Swing look and feel
+%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
+Recommends: gtk3%{?_isa}
+%endif
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+Requires: tzdata-java >= 2022d
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 3.3
+OrderWithRequires: copy-jdk-configs
+%endif
+# for printing support
+Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
+# for FIPS PKCS11 provider
+Requires: nss
+# Post requires alternatives to install tool alternatives
+Requires(post):   %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# Where suggestions are available, recommend the sctp and pcsc libraries
+# for optional support of kernel stream control and card reader
+%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
+%endif
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires:         %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post):   %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires:         %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires:         %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post):   %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name:    java-%{javaver}-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch:   1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License:  ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL:      http://openjdk.java.net/
+
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2:    rh1648644-java_access_bridge_privileged_security.patch
+Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
+# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
+Patch1001: fips-17u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch2000: jdk8275535-rh2053256-ldap_auth.patch
+
+#############################################
+#
+# OpenJDK patches appearing in 17.0.5
+#
+#############################################
+
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
+#
+#############################################
+# JDK-8293834: Update CLDR data following tzdata 2022c update
+Patch2001: jdk8293834-kyiv_cldr_update.patch
+# JDK-8294357: (tz) Update Timezone Data to 2022d
+Patch2002: jdk8294357-tzdata2022d.patch
+# JDK-8295173: (tz) Update Timezone Data to 2022e
+Patch2003: jdk8295173-tzdata2022e.patch
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-17-openjdk-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+BuildRequires: tzdata-java >= 2022d
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools              .
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Tools
+%endif
+
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} %{featurever} demos.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_src_rpo %{nil}}
+
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%endif
+
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%endif
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+%endif
+
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo -- %{nil} -zip}
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+%endif
+
+%prep
+
+echo "Preparing %{oj_vendor_version}"
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+  echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+  %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o  %{include_normal_build} -eq 1 ] ; then
+  echo "include_normal_build is %{include_normal_build}"
+else
+  echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+  exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o  %{include_debug_build} -eq 1 ] ; then
+  echo "include_debug_build is %{include_debug_build}"
+else
+  echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+  exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o  %{include_fastdebug_build} -eq 1 ] ; then
+  echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+  echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+  exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{include_fastdebug_build} -eq 0 ] ; then
+  echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+  exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+%endif
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch6 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
+# tzdata updates targetted for 17.0.6
+%patch2001 -p1
+%patch2002 -p1
+%patch2003 -p1
+popd # openjdk
+
+%patch600
+
+%patch2000
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+    UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+    echo "Could not find OpenJDK version file.";
+    exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+    echo "WARNING: Designator mismatch";
+    echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+    echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+    # Don't fail at present as upstream are not maintaining the value correctly
+    #exit 17
+fi
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+  for file in "tapset"$suffix/*.in; do
+    OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+    sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+    sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+    sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+%else
+    sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+%endif
+    sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+    sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+    sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+  done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+    FILE=`basename $file | sed -e s:\.in$::g`
+    EXT="${FILE##*.}"
+    NAME="${FILE%.*}"
+    OUTPUT_FILE=$NAME$suffix.$EXT
+    sed    -e  "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+    sed -i -e  "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+    sed -i -e  "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+    sed -i -e  "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+    sed -i -e  "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+function buildjdk() {
+    local outputdir=${1}
+    local buildjdk=${2}
+    local maketargets="${3}"
+    local debuglevel=${4}
+    local link_opt=${5}
+
+    local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+    local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+    # This must be set using the global, so that the
+    # static libraries still use a dynamic stdc++lib
+    if [ "x%{link_type}" = "xbundled" ] ; then
+        libc_link_opt="static";
+    else
+        libc_link_opt="dynamic";
+    fi
+
+    echo "Using output directory: ${outputdir}";
+    echo "Checking build JDK ${buildjdk} is operational..."
+    ${buildjdk}/bin/java -version
+    echo "Using make targets: ${maketargets}"
+    echo "Using debuglevel: ${debuglevel}"
+    echo "Using link_opt: ${link_opt}"
+    echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+    mkdir -p ${outputdir}
+    pushd ${outputdir}
+
+    # Note: zlib and freetype use %{link_type}
+    # rather than ${link_opt} as the system versions
+    # are always used in a system_libs build, even
+    # for the static library build
+    bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+    --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+    --with-jobs=1 \
+%endif
+    --with-version-build=%{buildver} \
+    --with-version-pre="%{ea_designator}" \
+    --with-version-opt=%{lts_designator} \
+    --with-vendor-version-string="%{oj_vendor_version}" \
+    --with-vendor-name="%{oj_vendor}" \
+    --with-vendor-url="%{oj_vendor_url}" \
+    --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+    --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
+    --with-boot-jdk=${buildjdk} \
+    --with-debug-level=${debuglevel} \
+    --with-native-debug-symbols="%{debug_symbols}" \
+    --disable-sysconf-nss \
+    --enable-unlimited-crypto \
+    --with-zlib=%{link_type} \
+    --with-freetype=%{link_type} \
+    --with-libjpeg=${link_opt} \
+    --with-giflib=${link_opt} \
+    --with-libpng=${link_opt} \
+    --with-lcms=${link_opt} \
+    --with-harfbuzz=${link_opt} \
+    --with-stdc++lib=${libc_link_opt} \
+    --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+    --with-extra-cflags="$EXTRA_CFLAGS" \
+    --with-extra-ldflags="%{ourldflags}" \
+    --with-num-cores="$NUM_PROC" \
+    --with-source-date="${SOURCE_DATE_EPOCH}" \
+    --disable-javac-server \
+%ifarch %{zgc_arches}
+    --with-jvm-features=zgc \
+%endif
+    --disable-warnings-as-errors
+
+    cat spec.gmk
+
+    make \
+      LOG=trace \
+      WARNINGS_ARE_ERRORS="-Wno-error" \
+      CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
+      $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+
+    popd
+}
+
+function installjdk() {
+    local imagepath=${1}
+
+    if [ -d ${imagepath} ] ; then
+	# the build (erroneously) removes read permissions from some jars
+	# this is a regression in OpenJDK 7 (our compiler):
+	# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+	find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+	# Build screws up permissions on binaries
+	# https://bugs.openjdk.java.net/browse/JDK-8173610
+	find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+	find ${imagepath}/bin/ -exec chmod +x {} \;
+
+	# Install nss.cfg right away as we will be using the JRE above
+	install -m 644 nss.cfg ${imagepath}/conf/security/
+
+	# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+	install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+	# Turn on system security properties
+	sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+	    ${imagepath}/conf/security/java.security
+
+	# Use system-wide tzdata
+	rm ${imagepath}/lib/tzdb.dat
+	ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+	# Create fake alt-java as a placeholder for future alt-java
+	pushd ${imagepath}
+	# add alt-java man page
+	echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+	cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+	popd
+    fi
+}
+
+%if %{build_hotspot_first}
+  # Build a fresh libjvm.so first and use it to bootstrap
+  cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+  systemjdk=$(pwd)/newboot
+  buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
+  mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
+%else
+  systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+  if [ "x$suffix" = "x" ] ; then
+      debugbuild=release
+  else
+      # change --something to something
+      debugbuild=`echo $suffix  | sed "s/-//g"`
+  fi
+
+
+  for loop in %{main_suffix} %{staticlibs_loop} ; do
+
+    builddir=%{buildoutputdir -- ${suffix}${loop}}
+    bootbuilddir=boot${builddir}
+
+    if test "x${loop}" = "x%{main_suffix}" ; then
+      link_opt="%{link_type}"
+%if %{system_libs}
+      # Copy the source tree so we can remove all in-tree libraries
+      cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+      # Remove all libraries that are linked
+      sh %{SOURCE12} %{top_level_dir_name} full
+%endif
+      # Debug builds don't need same targets as release for
+      # build speed-up. We also avoid bootstrapping these
+      # slower builds.
+      if echo $debugbuild | grep -q "debug" ; then
+        maketargets="%{debug_targets}"
+        run_bootstrap=false
+      else
+        maketargets="%{release_targets}"
+        run_bootstrap=%{bootstrap_build}
+      fi
+      if ${run_bootstrap} ; then
+        buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
+        buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
+        rm -rf ${bootbuilddir}
+      else
+        buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+      fi
+%if %{system_libs}
+      # Restore original source tree we modified by removing full in-tree sources
+      rm -rf %{top_level_dir_name}
+      mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
+    else
+      # Use bundled libraries for building statically
+      link_opt="bundled"
+      # Static library cycle only builds the static libraries
+      maketargets="%{static_libs_target}"
+      # Always just do the one build for the static libraries
+      buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+    fi
+
+  done # end of main / staticlibs loop
+
+  # Final setup on the main image
+  top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+  installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+  # Print release information
+  cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Pre-test setup
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+so_suffix="so"
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+  if [ -f "$lib" ] ; then
+    echo "Testing $lib for debug symbols"
+    # All these tests rely on RPM failing the build if the exit code of any set
+    # of piped commands is non-zero.
+
+    # Test for .debug_* sections in the shared object. This is the main test
+    # Stripped objects will not contain these
+    eu-readelf -S "$lib" | grep "] .debug_"
+    test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+    # Test FILE symbols. These will most likely be removed by anything that
+    # manipulates symbol tables because it's generally useless. So a nice test
+    # that nothing has messed with symbols
+    old_IFS="$IFS"
+    IFS=$'\n'
+    for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT")
+    do
+     # We expect to see .cpp files, except for architectures like aarch64 and
+     # s390 where we expect .o and .oS files
+      echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+    done
+    IFS="$old_IFS"
+
+    # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+    if [ "`basename $lib`" = "libjvm.so" ]; then
+      eu-readelf -s "$lib" | \
+        grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$"
+    fi
+
+    # Test that there are no .gnu_debuglink sections pointing to another
+    # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+    # no sense either
+    eu-readelf -S "$lib" | grep 'gnu'
+    if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+      echo "bad .gnu_debuglink section."
+      eu-readelf -x .gnu_debuglink "$lib"
+      false
+    fi
+  fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction  and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+
+if (os.getenv("debug") == "true") then
+  debug = true;
+  print("cjc: in spec debug is on")
+else
+  debug = false;
+end
+
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+
+  if (stat1 ~= nil) then
+  if (debug) then
+    print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+  end;
+  package.path = package.path .. ";" .. SOURCE1
+else
+  if (stat2 ~= nil) then
+  if (debug) then
+    print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+  end;
+  package.path = package.path .. ";" .. SOURCE2
+  else
+    if (debug) then
+      print(SOURCE1 .." does NOT exists")
+      print(SOURCE2 .." does NOT exists")
+      print("No config files will be copied")
+    end
+  return
+  end
+end
+-- run content of included file with fake args
+arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+require "copy_jdk_configs.lua"
+
+%post
+%{post_script %{nil}}
+
+%post headless
+%{post_headless %{nil}}
+
+%postun
+%{postun_script %{nil}}
+
+%postun headless
+%{postun_headless %{nil}}
+
+%posttrans
+%{posttrans_script %{nil}}
+
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
+%post devel
+%{post_devel %{nil}}
+
+%postun devel
+%{postun_devel %{nil}}
+
+%posttrans  devel
+%{posttrans_devel %{nil}}
+
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
+
+%postun javadoc
+%{postun_javadoc %{nil}}
+
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
+
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+
+%posttrans  devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+
+%posttrans  devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{files_jre %{nil}}
+%else
+%files
+# placeholder
+%endif
+
+
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+
+%files devel
+%{files_devel %{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%endif
+
+%files jmods
+%{files_jmods %{nil}}
+
+%files demo
+%{files_demo %{nil}}
+
+%files src
+%{files_src %{nil}}
+
+%files javadoc
+%{files_javadoc %{nil}}
+
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%endif
+
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%endif
+
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%changelog
+* Wed Oct 26 2022 Andrew Hughes  - 1:17.0.5.0.8-2
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
+- Remove freetype sources along with zlib sources
+- Resolves: rhbz#2133695
+
+* Tue Oct 04 2022 Andrew Hughes  - 1:17.0.5.0.7-0.2.ea
+- Update to jdk-17.0.5+7
+- Update release notes to 17.0.5+7
+- Drop JDK-8288985 patch that is now upstream
+- Resolves: rhbz#2130617
+
+* Mon Oct 03 2022 Andrew Hughes  - 1:17.0.5.0.1-0.2.ea
+- Update to jdk-17.0.5+1
+- Update release notes to 17.0.5+1
+- Switch to EA mode for 17.0.5 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+- Related: rhbz#2130617
+
+* Tue Aug 30 2022 Andrew Hughes  - 1:17.0.4.1.1-6
+- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
+- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
+- Resolves: rhbz#2006351
+
+* Tue Aug 30 2022 Andrew Hughes  - 1:17.0.4.1.1-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121263
+
+* Mon Aug 29 2022 Stephan Bergmann  - 1:17.0.4.1.1-4
+- Fix flatpak builds (catering for their uncompressed manual pages)
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102734
+
+* Mon Aug 29 2022 Andrew Hughes  - 1:17.0.4.1.1-3
+- Update FIPS support to bring in latest changes
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2104724
+- Resolves: rhbz#2092507
+- Resolves: rhbz#2048582
+- Resolves: rhbz#2020290
+
+* Sun Aug 21 2022 Andrew Hughes  - 1:17.0.4.1.1-2
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119531
+
+* Fri Jul 22 2022 Andrew Hughes  - 1:17.0.4.0.8-3
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
+- Switch to GA mode for release
+- Resolves: rhbz#2106522
+
+* Wed Jul 20 2022 Andrew Hughes  - 1:17.0.4.0.7-0.2.ea
+- Revert the following changes until copy-java-configs has adapted to relative symlinks:
+- * Move cacerts replacement to install section and retain original of this and tzdb.dat
+- * Run tests on the installed image, rather than the build image
+- * Introduce variables to refer to the static library installation directories
+- * Use relative symlinks so they work within the image
+- * Run debug symbols check during build stage, before the install strips them
+- The move of turning on system security properties is retained so we don't ship with them off
+- Related: rhbz#2100674
+
+* Wed Jul 20 2022 Jiri Vanek  - 1:17.0.4.0.7-0.2.ea
+- retutrned absolute symlinks
+- relative symlinks are breaking cjc, and deeper investigations are necessary
+-- why cjc intentionally skips relative symllinks
+- images have to be workarounded differently
+- Related: rhbz#2100674
+
+* Sat Jul 16 2022 Andrew Hughes  - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.4.0+7
+- Update release notes to 17.0.4.0+7
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+- Resolves: rhbz#2083316
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar  - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2083316
+
+* Fri Jul 08 2022 Andrew Hughes  - 1:17.0.3.0.7-6
+- Fix whitespace in spec file
+- Related: rhbz#2100674
+
+* Fri Jul 08 2022 Andrew Hughes  - 1:17.0.3.0.7-6
+- Sequence spec file sections as they are run by rpmbuild (build, install then test)
+- Related: rhbz#2100674
+
+* Fri Jul 08 2022 Andrew Hughes  - 1:17.0.3.0.7-6
+- Turn on system security properties as part of the build's install section
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Run tests on the installed image, rather than the build image
+- Introduce variables to refer to the static library installation directories
+- Use relative symlinks so they work within the image
+- Run debug symbols check during build stage, before the install strips them
+- Related: rhbz#2100674
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet  - 1:17.0.3.0.7-5
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2007331
+
+* Tue Jun 28 2022 Andrew Hughes  - 1:17.0.3.0.7-4
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099840
+- Resolves: rhbz#2100674
+
+* Tue Jun 28 2022 Andrew Hughes  - 1:17.0.3.0.7-3
+- Add rpminspect.yaml to turn off Java bytecode inspections
+- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
+- Resolves: rhbz#2101524
+
+* Sun Jun 12 2022 Andrew Hughes  - 1:17.0.3.0.7-2
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+- Resolves: rhbz#2023467
+- Resolves: rhbz#2094027
+
+* Wed Apr 20 2022 Andrew Hughes  - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Update to jdk-17.0.3.0+7 release tarball
+- Update release notes to 17.0.3.0+6
+- Add missing README.md and generate_source_tarball.sh
+- Switch to GA mode for release
+- JDK-8283911 patch no longer needed now we're GA...
+- Resolves: rhbz#2073577
+
+* Wed Apr 06 2022 Andrew Hughes  - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+- Resolves: rhbz#2050456
+
+* Tue Mar 29 2022 Andrew Hughes  - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+- Related: rhbz#2050456
+
+* Mon Feb 28 2022 Andrew Hughes  - 1:17.0.2.0.8-15
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Resolves: rhbz#2052070
+
+* Sun Feb 27 2022 Andrew Hughes  - 1:17.0.2.0.8-14
+- Introduce tests/tests.yml, based on the one in java-11-openjdk
+- Resolves: rhbz#2058493
+
+* Sun Feb 27 2022 Severin Gehwolf  - 1:17.0.2.0.8-13
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+  secmod.db file as part of nss
+- Resolves: rhbz#2023536
+
+* Sun Feb 27 2022 Andrew Hughes  - 1:17.0.2.0.8-12
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2051605
+
+* Fri Feb 25 2022 Andrew Hughes  - 1:17.0.2.0.8-11
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053256
+
+* Fri Feb 25 2022 Jiri Vanek  - 1:17.0.2.0.8-10
+- Storing and restoring alterntives during update manually
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008200
+
+* Fri Feb 25 2022 Jiri Vanek  - 1:17.0.2.0.8-9
+- Family extracted to globals
+- Resolves: rhbz#2008200
+
+* Fri Feb 25 2022 Jiri Vanek  - 1:17.0.2.0.8-8
+- alternatives creation moved to posttrans
+- Thus fixing the old reisntall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008200
+
+* Mon Feb 21 2022 Andrew Hughes  - 1:17.0.2.0.8-7
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2051590
+
+* Fri Feb 18 2022 Andrew Hughes  - 1:17.0.2.0.8-6
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Resolves: rhbz#2023378
+
+* Thu Feb 17 2022 Andrew Hughes  - 1:17.0.2.0.8-5
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Handle Fedora in distro conditionals that currently only pertain to RHEL.
+- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
+- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Resolves: rhbz#2022822
+
+* Thu Feb 17 2022 Jiri Vanek  - 1:17.0.2.0.8-5
+- Replaced tabs by sets of spaces to make rpmlint happy
+- javadoc-zip gets its own provides next to plain javadoc ones
+- Resolves: rhbz#2022822
+
+* Tue Feb 08 2022 Jiri Vanek  - 1:17.0.2.0.8-4
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes  - 1:17.0.2.0.8-3
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
+- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes  - 1:17.0.2.0.8-2
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Severin Gehwolf  - 1:17.0.2.0.8-2
+- Set LTS designator.
+- Related: rhbz#2022822
+
+* Wed Jan 12 2022 Andrew Hughes  - 1:17.0.2.0.8-1
+- January 2022 security update to jdk 17.0.2+8
+- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
+- Rename libsvml.so to libjsvml.so following JDK-8276025
+- Resolves: rhbz#2039366
+
+* Thu Oct 28 2021 Andrew Hughes  - 1:17.0.1.0.12-3
+- Sync desktop files with upstream IcedTea release 3.15.0 using new script
+- Related: rhbz#2013842
+
+* Tue Oct 26 2021 Andrew Hughes  - 1:17.0.1.0.12-2
+- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
+- Resolves: rhbz#2013842
+
+* Wed Oct 20 2021 Petra Alice Mikova  - 1:17.0.1.0.12-2
+- October CPU update to jdk 17.0.1+12
+- Dropped commented-out source line
+- Resolves: rhbz#2013842
+
+* Sun Oct 10 2021 Andrew Hughes  - 1:17.0.0.0.35-6
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Resolves: rhbz#1994661
+
+* Sun Oct 10 2021 Martin Balao  - 1:17.0.0.0.35-6
+- Add patch to allow plain key import.
+- Resolves: rhbz#1994661
+
+* Mon Sep 27 2021 Andrew Hughes  - 1:17.0.0.0.35-5
+- Update release notes to document the major changes between OpenJDK 11 & 17.
+- Resolves: rhbz#2003072
+
+* Thu Sep 16 2021 Andrew Hughes  - 1:17.0.0.0.35-3
+- Update to jdk-17+35, also known as jdk-17-ga.
+- Switch to GA mode.
+- Add JDK-8272332 fix so we actually link against HarfBuzz.
+- Resolves: rhbz#2003072
+- Resolves: rhbz#2004078
+
+* Mon Aug 30 2021 Andrew Hughes  - 1:17.0.0.0.33-0.5.ea
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
+- Resolves: rhbz#1996182
+
+* Sat Aug 28 2021 Andrew Hughes  - 1:17.0.0.0.33-0.4.ea
+- Fix unused function compiler warning found in systemconf.c
+- Related: rhbz#1995150
+
+* Sat Aug 28 2021 Martin Balao  - 1:17.0.0.0.33-0.4.ea
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1996182
+
+* Fri Aug 27 2021 Martin Balao  - 1:17.0.0.0.33-0.3.ea
+- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
+- Resolves: rhbz#1995150
+
+* Fri Aug 27 2021 Andrew Hughes  - 1:17.0.0.0.33-0.2.ea
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Related: rhbz#1995150
+
+* Fri Aug 27 2021 Martin Balao  - 1:17.0.0.0.33-0.2.ea
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Andrew Hughes  - 1:17.0.0.0.33-0.1.ea
+- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
+- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
+- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
+- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
+- Disable FIPS mode support unless com.redhat.fips is set to "true".
+- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
+- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
+- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Martin Balao  - 1:17.0.0.0.33-0.1.ea
+- Support the FIPS mode crypto policy (RH1655466)
+- Use appropriate keystore types when in FIPS mode (RH1818909)
+- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Andrew Hughes  - 1:17.0.0.0.33-0.0.ea
+- Update to jdk-17+33, including JDWP fix and July 2021 CPU
+- Resolves: rhbz#1959487
+
+* Thu Aug 26 2021 Andrew Hughes  - 1:17.0.0.0.26-0.5.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Petra Alice Mikova  - 1:17.0.0.0.26-0.4.ea
+- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Severin Gehwolf  - 1:17.0.0.0.26-0.3.ea
+- Re-enable TestSecurityProperties after inclusion of PR3695
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Andrew Hughes  - 1:17.0.0.0.26-0.3.ea
+- Add PR3695 to allow the system crypto policy to be turned off
+- Resolves: rhbz#1959487
+
+* Wed Jul 14 2021 Andrew Hughes  - 1:17.0.0.0.26-0.2.ea
+- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
+- Resolves: rhbz#1959487
+
+* Wed Jul 14 2021 Severin Gehwolf  - 1:17.0.0.0.26-0.2.ea
+- Update buildjdkver to 17 so as to build with itself
+- Resolves: rhbz#1959487
+
+* Tue Jul 13 2021 Jiri Vanek  - 1:17.0.0.0.26-0.1.ea
+- Add gating support
+- Resolves: rhbz#1959487
+
+* Mon Jun 21 2021 Andrew Hughes  - 1:17.0.0.0.26-0.0.ea
+- Rename as java-17-openjdk and bootstrap using boot JDK in local sources
+- Exclude x86 as this is not supported by OpenJDK 17
+- Resolves: rhbz#1959487
+
+* Fri Jun 11 2021 Petra Alice Mikova  - 1:17.0.0.0.26-0.0.ea.rolling
+- update sources to jdk 17.0.0+26
+- set is_ga to 0, as this is early access build
+- change vendor_version_string
+- change path to the version-numbers.conf
+- removed rmid binary from files and from slaves
+- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407
+- add lib/libsyslookup.so to files
+- renamed lib/security/blacklisted.certs to lib/security/blocked.certs
+- add lib/libsvml.so for intel
+- skip debuginfo check for libsyslookup.so on s390x
+
+* Thu Apr 29 2021 Jiri Vanek  -  1:16.0.1.0.9-2.rolling
+- adapted to debug handling  in newer cjc
+- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
+- Disable copy-jdk-configs for Flatpak builds
+
+* Sun Apr 25 2021 Petra Alice Mikova  - 1:16.0.1.0.9-1.rolling
+- update to 16.0.1+9 april cpu tag
+- dropped jdk8259949-allow_cf-protection_on_x86.patch
+
+* Thu Mar 11 2021 Andrew Hughes  - 1:16.0.0.0.36-2.rolling
+- Perform static library build on a separate source tree with bundled image libraries
+- Make static library build optional
+- Based on initial work by Severin Gehwolf
+
+* Tue Mar 09 2021 Jiri Vanek  - 1:16.0.0.0.36-1.rolling
+- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa}
+- bumped buildjdkver to build by itself - 16
+
+* Fri Feb 19 2021 Andrew Hughes  - 1:16.0.0.0.36-0.rolling
+- Update to jdk-16.0.0.0+36
+- Update tarball generation script to use git following OpenJDK's move to github
+- Update tarball generation script to use PR3823 which handles JDK-8235710 changes
+- Use upstream default for version-pre rather than setting it to "ea" or ""
+- Drop libsunec.so which is no longer generated, thanks to JDK-8235710
+- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10
+- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles
+- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename
+- Use system harfbuzz now this is supported.
+- Pass SOURCE_DATE_EPOCH to build for reproducible builds
+
+* Fri Feb 19 2021 Stephan Bergmann  - 1:15.0.2.0.7-1.rolling
+- Hardcode /usr/sbin/alternatives for Flatpak builds
+
+* Tue Jan 26 2021 Fedora Release Engineering  - 1:15.0.2.0.7-0.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Andrew Hughes  - 1:15.0.2.0.7-0.rolling
+- Update to jdk-15.0.2.0+7
+- Add release notes for 15.0.1.0 & 15.0.2.0
+- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
+- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
+- Cleanup debug package descriptions and version number placement.
+- Remove unused patch files.
+
+* Tue Jan 19 2021 Andrew Hughes  - 1:15.0.1.9-10.rolling
+- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
+
+* Tue Dec 22 2020 Jiri Vanek  - 1:15.0.1.9-9.rolling
+- fixed missing condition for fastdebug packages being counted as debug ones
+
+* Sat Dec 19 2020 Jiri Vanek  - 1:15.0.1.9-8.rolling
+- removed lib-style provides for fastdebug_suffix_unquoted
+
+* Sat Dec 19 2020 Jiri Vanek  - 1:15.0.1.9-6.rolling
+- many cosmetic changes taken from more maintained jdk11
+- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
+  instead of various hardcoded ifarches
+- updated systemtap
+- added requires excludes for debug pkgs
+- removed redundant logic around jsa files
+- added runtime requires of lksctp-tools and libXcomposite%
+- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
+- s390x excluded form fastdebug build
+
+* Thu Dec 17 2020 Andrew Hughes  - 1:15.0.1.9-5.rolling
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+
+* Wed Dec 9 2020 Jiri Vanek  - 1:15.0.1.9-4.rolling
+- moved wrongly placed licenses to accompany other ones
+- this bad placement was killng parallel-installability and thus having bad impact to leapp if used
+
+* Tue Dec 01 2020 Jiri Vanek  - 1:15.0.1.9-3.rolling
+- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
+- no longer copying of java->alt-java as it is created by  patch600
+
+* Mon Nov 23 2020 Jiri Vanek  - 1:15.0.1.9-2.rolling
+- Create a copy of java as alt-java with alternatives and man pages
+- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
+
+* Sun Oct 25 2020 Petra Alice Mikova  - 1:15.0.1.9-1.rolling
+- updated to October CPU 2020 sources
+
+* Thu Oct 22 2020 Severin Gehwolf  - 1:15.0.0.36-4.rolling
+- Fix directory ownership of -static-libs sub-package.
+
+* Fri Oct 09 2020 Jiri Vanek  - 1:15.0.0.36-3.rolling
+- Build static-libs-image and add resulting files via -static-libs sub-package.
+- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package.
+- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
+- Update static-libs packaging to new layout
+
+* Mon Sep 21 2020 Petra Alice Mikova  - 1:15.0.0.36-2.rolling
+- Add support for fastdebug builds on 64 bit architectures
+
+* Tue Sep 15 2020 Severin Gehwolf  - 1:15.0.0.36-1.rolling
+- Remove EA designation
+- Re-generate sources with PR3803 patch
+
+* Mon Aug 31 2020 Petra Alice Mikova  - 1:15.0.0.36-0.1.ea.rolling
+- Update to jdk 15.0.0.36 tag
+- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+- Update vendor version string to 20.9
+- jjs removed from packaging after JEP 372: Nashorn removal
+- rmic removed from packaging after JDK-8225319
+
+* Mon Jul 27 2020 Severin Gehwolf  - 1:14.0.2.12-2.rolling
+- Disable LTO so as to pass debuginfo check
+
+* Wed Jul 22 2020 Petra Alice Mikova  - 1:14.0.2.12-1.rolling
+- update to jdk 14.0.2.12 CPU version
+- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch
+- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch
+- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch
+
+* Thu Jul 09 2020 Andrew Hughes  - 1:14.0.1.7-4.rolling
+- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
+- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
+
+* Thu May 14 2020 Petra Alice Mikova  -  1:14.0.1.7-3.rolling
+- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide
+- rename and reorganize patch sections
+
+* Thu Apr 23 2020 Severin Gehwolf  - 1:14.0.1.7-2.rolling
+- Fix vendor version to 20.3 (from 19.9)
+
+* Fri Apr 17 2020 Petra Alice Mikova  - 1:14.0.1.7-1.rolling
+- April security update
+- uploaded new src tarball
+
+* Wed Apr 08 2020 Jiri Vanek  - 1:14.0.0.36-4.rolling
+- set vendor property and vendor urls
+- made urls to be preconfigured by os
+
+* Tue Mar 24 2020 Petra Alice Mikova  - 1:14.0.0.36-3.rolling
+- Remove s390x workaround flags for GCC 10
+- bump buildjdkver to 14
+- uploaded new src tarball
+
+* Mon Mar 23 2020 Petra Alice Mikova  - 1:14.0.0.36-2.rolling
+- removed a whitespace causing fail of postinstall script
+- removed backslashes at the end of alternatives command
+
+* Fri Mar 13 2020 Petra Alice Mikova  - 1:14.0.0.36-1.rolling
+- update to jdk 14+36 ga build
+- remove JDK-8224851 patch, as OpenJDK 14 already contains it
+- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
+- added listings for jpackage binary, manpages and added slave records to alternatives
+
+* Thu Mar 12 2020 Petra Alice Mikova  - 1:13.0.2.8-4.rolling
+- add patch for build issues with make 4.3
+
+* Thu Feb 27 2020 Severin Gehwolf  - 1:13.0.2.8-3.rolling
+- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531)
+- fix issues with build with GCC10: JDK-8224851, -fcommon switch
+
+* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
+- Add JDK-8224851 patch to resolve aarch64 issues
+
+* Tue Feb 04 2020 Petra Alice Mikova  - 1:13.0.2.8-2.rolling
+- fix Release, as it was broken by last rpmdev-bumpspec
+
+* Wed Jan 29 2020 Fedora Release Engineering  - 1:13.0.2.8-1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Petra Alice Mikova  - 1:13.0.2.8-1.rolling
+- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+- updated sources to the 13.0.2+8 tag
+
+* Fri Oct 25 2019 Petra Alice Mikova  - 1:13.0.1.9-2.rolling
+- Fixed hardcoded major version in jdk13u to macro
+- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+
+* Mon Oct 21 2019 Petra Alice Mikova  - 1:13.0.1.9-1.rolling
+- Updated to October 2019 CPU sources
+
+* Wed Oct 16 2019 Petra Alice Mikova  - 1:13.0.0.33-3.rolling
+- synced up generate tarball script with other OpenJDK packages
+- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources
+- regenerated sources with the updated script
+
+* Wed Oct 02 2019 Andrew Hughes  - 1:13.0.0.33-3.rolling
+- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
+
+* Wed Oct 02 2019 Andrew John Hughes  -  1:13.0.0.33-3.rolling
+- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
+- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
+- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
+- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
+
+* Wed Oct 02 2019 Andrew Hughes  - 1:13.0.0.33-3.rolling
+- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
+
+* Tue Oct 01 2019 Severin Gehwolf  - 1:13.0.0.33-2.rolling
+- Don't produce javadoc/javadoc-zip sub packages for the
+  debug variant build.
+- Don't perform a bootcycle build for the debug variant build.
+
+* Mon Sep 30 2019 Severin Gehwolf  - 1:13.0.0.33-2.rolling
+- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9
+
+* Wed Aug 14 2019 Petra Alice Mikova  - 1:13.0.0.33-1.rolling
+- updated to 13+33 sources
+- added two manpages to file listings (jfr, jaotc)
+- set is_ga to 1 to match build from jdk.java.net
+
+* Fri Jul 26 2019 Severin Gehwolf  - 1:13.0.0.28-0.2.ea.rolling
+- Fix bootjdkver macro. It attempted to build with jdk 12, which is
+  no longer available in rawhide (it's 13 instead).
+- Fix Release as rpmdev-bumpspec doesn't do it correctly.
+
+* Thu Jul 25 2019 Fedora Release Engineering  - 1:13.0.0.28-0.1.ea.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 09 2019 Petra Alice Mikova  - 1:13.0.0.28-0.1.ea.rolling
+- updated to jdk 13
+- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch
+- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+- fixed file listings
+- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49:
+- Include 'ea' designator in Release when appropriate
+- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately
+
+* Tue May 21 2019 Petra Alice Mikova  - 1:12.0.1.12-2.rolling
+- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324)
+
+* Thu Apr 18 2019 Petra Mikova  - 1:12.0.1.12-1.rolling
+- updated sources to current CPU release
+
+* Thu Apr 04 2019 Petra Mikova  - 1:12.0.0.33-4.rolling
+- added slave for jfr binary in devel package
+
+* Thu Mar 21 2019 Petra Mikova  - 1:12.0.0.33-3.rolling
+- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs.
+- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc
+- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS
+- removed duplicated dependency on lksctp-tools
+
+* Wed Mar 20 2019 Peter Robinson  1:12.0.0.33-2.ea.1.rolling
+- Drop chkconfig dep, 1.7 shipped in f24
+
+* Thu Mar 07 2019 Petra Mikova  - 1:12.0.0.33-1.ea.1.rolling
+- bumped sources to jdk12+33
+
+* Mon Feb 11 2019 Severin Gehwolf  - 1:12.0.0.30-1.ea.1.rolling
+- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively.
+
+* Fri Feb 01 2019 Fedora Release Engineering  - 1:12.0.0.25-0.ea.1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 21 2018 Jiri Vanek  - 1:12.0.0.25-0.ea.1.rolling
+- bumped sources to jdk12. Crypto list synced.
+- adapted patches to usptream (removed are upstreamed)
+- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch:
+- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch
+- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk)
+- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
+- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
+- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream
+- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
+- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
+- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- set build jdk to jdk11; buildjdkver set to 11
+- todo, revisit _privatelibs and slaves, discuse patch10, more?
+- now building with --no-print-directory to workaround JDK8215213
+- renamed original of docs zip to jdk-major+build
+- check shenandaoh with -XX:+UnlockExperimentalVMOptions
+- libjli moved from lib/libjli to lib
+- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template
+- added explanation to the --no-print-directory
+- re-added lts_designator_zip macro
+- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch
+
+* Wed Dec 5 2018 Jiri Vanek  - 1:11.0.1.13-10.rolling
+- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
+- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
+- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
+
+* Tue Dec 04 2018 Severin Gehwolf  - 1:11.0.1.13-9
+- Added %%global _find_debuginfo_opts -g
+- Resolves: RHBZ#1520879 (Detailed NMT issue)
+
+* Fri Nov 30 2018 Jiri Vanek  - 1:11.0.1.13-8
+- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version
+
+* Mon Nov 12 2018 Jiri Vanek  - 1:11.0.1.13-6
+- fixed tck failures of arraycopy and process exec with shenandoah on
+- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
+
+* Wed Nov 07 2018 Jiri Vanek  - 1:11.0.1.13-5
+- headless' suggests of cups, replaced by Requires of cups-libs
+
+* Thu Nov 01 2018 Jiri Vanek  - 1:11.0.1.13-3
+- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+
+* Mon Oct 29 2018 Severin Gehwolf  - 1:11.0.1.13-3
+- Use upstream's version of Aarch64 intrinsics disable patch:
+  - Removed:
+    RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+    RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+  - Superceded by:
+    jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
+
+* Thu Oct 18 2018 Severin Gehwolf  - 1:11.0.1.13-2
+- Use LTS designator in version output for RHEL.
+
+* Thu Oct 18 2018 Severin Gehwolf  - 1:11.0.1.13-1
+- Update to October 2018 CPU release, 11.0.1+13.
+
+* Wed Oct 17 2018 Severin Gehwolf  - 1:11.0.0.28-2
+- Use --with-vendor-version-string=18.9 so as to show original
+  GA date for the JDK.
+
+* Fri Sep 28 2018 Severin Gehwolf  - 1:11.0.0.28-1
+- Identify as GA version and no longer as early access (EA).
+- JDK 11 has been released for GA on 2018-09-25.
+
+* Fri Sep 28 2018 Severin Gehwolf  - 1:11.0.ea.28-9
+- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
+  RHBZ-1624122.
+- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
+  optimize compilation of fdlibm library.
+- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
+  as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
+  optimize compilation of libsaproc (extra c flags won't override
+  optimization).
+- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
+  optimize compilation of libjsig.
+- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
+  optimize compilation of vmStructs.cpp (part of libjvm.so).
+- Reinstate filtering of opt flags coming from redhat-rpm-config.
+
+* Thu Sep 27 2018 Jiri Vanek  - 1:11.0.ea.28-8
+- removed version less provides
+- javadocdir moved to arched dir as it is no longer noarch
+
+* Thu Sep 20 2018 Severin Gehwolf  - 1:11.0.ea.28-6
+- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
+  so as to disable log math intrinsic on aarch64. Work-around for
+  JDK-8210858
+
+* Thu Sep 13 2018 Severin Gehwolf  - 1:11.0.ea.28-5
+- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
+  so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
+  JDK-8210461.
+
+* Wed Sep 12 2018 Severin Gehwolf  - 1:11.0.ea.22-6
+- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
+  optimize compilation of fdlibm library.
+- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
+  as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
+  optimize compilation of libsaproc (extra c flags won't override
+  optimization).
+- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
+  optimize compilation of vmStructs.cpp (part of libjvm.so).
+- No longer filter -O flags from C flags coming from
+  redhat-rpm-config.
+
+* Mon Sep 10 2018 Jiri Vanek  - 1:11.0.ea.28-4
+- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
+
+* Fri Sep 7 2018 Severin Gehwolf  - 1:11.0.ea.28-3
+- Enable ZGC on x86_64.
+
+* Tue Sep 4 2018 Jiri Vanek  - 1:11.0.ea.28-2
+- jfr/*jfc files listed for all arches
+- lib/classlist do not exists s390, ifarch-ed via jit_arches out
+
+* Fri Aug 31 2018 Severin Gehwolf  - 1:11.0.ea.28-1
+- Update to latest upstream build jdk11+28, the first release
+  candidate.
+
+* Wed Aug 29 2018 Severin Gehwolf  - 1:11.0.ea.22-8
+- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
+  as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
+
+* Thu Aug 23 2018 Jiri Vanek  - 1:11.0.ea.22-6
+- dissabled accessibility, fixed provides for main package's debug variant
+
+* Mon Jul 30 2018 Jiri Vanek  - 1:11.0.ea.22-5
+- now buildrequires javapackages-filesystem as the  issue with macros should be fixed
+
+* Wed Jul 18 2018 Jiri Vanek  - 1:11.0.ea.22-2
+- changed to build by itself instead of by jdk10
+
+* Tue Jul 17 2018 Jiri Vanek  - 1:11.0.ea.22-1
+- added Recommends gtk3 for main package
+- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
+- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
+- see RHBZ1598152
+- added trick to catch hs_err files (sgehwolf)
+- updated to shenandaoh-jdk-11+22
+
+* Sat Jul 07 2018 Jiri Vanek  - 1:11.0.ea.20-1
+- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
+- improved a bit generate_source_tarball.sh to serve also for systemtap
+- thus deleted generate_tapsets.sh
+- simplified and cleared update_package.sh
+- moved to single source jdk - from shenandoah/jdk11
+- bumped to latest jdk11+20
+- adapted PR2126 to jdk11+20
+- adapted handling of systemtap sources to new style
+- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
+- shortened summaries and descriptions to around 80 chars
+- Hunspell spell checked
+- license fixed to correct jdk11 (sgehwolf)
+- more correct handling of internal libraries (sgehwolf)
+- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
+- added test for shenandaoh GC presence where expected
+- Removed workaround for broken aarch64 slowdebug build
+- Removed all defattrs
+- Removed no longer necessary cleanup of diz and  debuginfo files
+
+* Fri Jun 22 2018 Jiri Vanek  - 1:11.0.ea.19-1
+- updated sources to jdk-11+19
+- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
+- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
+
+* Thu Jun 14 2018 Severin Gehwolf  - 1:11.0.ea.16-5
+- Revert rename: java-11-openjdk => java-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-4
+- Add aarch64 to aot_arches.
+
+* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-3
+- Rename to package java-11-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-2
+- Disable Aarch64 slowdebug build (see JDK-8204331).
+- s390x doesn't have the SA even though it's a JIT arch.
+
+* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-1
+- Initial version of JDK 11 ea based on tag jdk-11+16.
+- Removed patches no longer needed or upstream:
+  sorted-diff.patch (see JDK-8198844)
+  JDK-8201788-bootcycle-images-jobs.patch
+  JDK-8201509-s390-atomic_store.patch
+  JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
+  JDK-8193802-npe-jar-getVersionMap.patch
+- Updated and renamed patches:
+  java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
+- Updated patches for JDK 11:
+  pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Tue Jun 12 2018 Severin Gehwolf  - 1:10.0.1.10-9
+- Use proper private_libs expression for filtering requires/provides.
+
+* Fri Jun 08 2018 Severin Gehwolf  - 1:10.0.1.10-8
+- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
+
+* Mon Jun 04 2018 Jiri Vanek  - 1:10.0.1.10-7
+- quoted sed expressions, changed possibly confusing # by @
+- added vendor(origin) into icons
+- removed last trace of relative symlinks
+- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
+
+* Thu May 17 2018 Severin Gehwolf  - 1:10.0.1.10-5
+- Move to javapackages-filesystem for directory ownership.
+  Resolves RHBZ#1500288
+
+* Mon Apr 30 2018 Severin Gehwolf  - 1:10.0.1.10-4
+- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
+  RHBZ#1557375.
+
+* Mon Apr 23 2018 Severin Gehwolf  - 1:10.0.1.10-3
+- Inject build flags properly. See RHBZ#1571359
+- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
+  since libjsig.so doesn't get linker flags injected properly.
+
+* Fri Apr 20 2018 Severin Gehwolf  - 1:10.0.1.10-2
+- Removed unneeded patches:
+  PStack-808293.patch
+  multiple-pkcs11-library-init.patch
+  ppc_stack_overflow_fix.patch
+- Added patches for s390 Zero builds:
+  JDK-8201495-s390-java-opts.patch
+  JDK-8201509-s390-atomic_store.patch
+- Renamed patches for clarity:
+  aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
+  systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+  bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
+  system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Fri Apr 20 2018 Jiri Vanek  - 1:10.0.1.10-1
+- updated to security update 1
+- jexec unlinked from path
+- used java-openjdk as boot jdk
+- aligned provides/requires
+- renamed zip javadoc
+
+* Tue Apr 10 2018 Severin Gehwolf  - 1:10.0.0.46-12
+- Enable basic EC ciphers test in %%check.
+
+* Tue Apr 10 2018 Severin Gehwolf  - 1:10.0.0.46-11
+- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
+- Resolves RHBZ#1565658
+
+* Mon Apr 09 2018 Jiri Vanek  - 1:10.0.0.46-10
+- jexec linked to path
+
+* Fri Apr 06 2018 Jiri Vanek  - 1:10.0.0.46-9
+- subpackage(s) replaced by sub-package(s) and other cosmetic changes
+
+* Tue Apr 03 2018 Jiri Vanek  - 1:10.0.0.46-8
+- removed accessibility sub-packages
+- kept applied patch and properties files
+- debug sub-packages renamed to slowdebug
+
+* Fri Feb 23 2018 Jiri Vanek  - 1:10.0.0.46-1
+- initial load
diff --git a/jconsole.desktop.in b/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch
new file mode 100644
index 0000000..51bd6d2
--- /dev/null
+++ b/jdk8275535-rh2053256-ldap_auth.patch
@@ -0,0 +1,26 @@
+diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index 70903206ea0..09956084cf9 100644
+--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+                     ctx = getLdapCtxFromUrl(
+                             r.getDomainName(), url, new LdapURL(u), env);
+                     return ctx;
++                } catch (AuthenticationException e) {
++                    // do not retry on a different endpoint to avoid blocking
++                    // the user if authentication credentials are wrong.
++                    throw e;
+                 } catch (NamingException e) {
+                     // try the next element
+                     lastException = e;
+@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+         for (String u : urls) {
+             try {
+                 return getUsingURL(u, env);
++            } catch (AuthenticationException e) {
++                // do not retry on a different URL to avoid blocking
++                // the user if authentication credentials are wrong.
++                throw e;
+             } catch (NamingException e) {
+                 ex = e;
+             }
diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch
new file mode 100644
index 0000000..b8dda24
--- /dev/null
+++ b/jdk8293834-kyiv_cldr_update.patch
@@ -0,0 +1,51 @@
+diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml
+index 41ff6d236c8..e703020dcdd 100644
+--- a/make/data/cldr/common/bcp47/timezone.xml
++++ b/make/data/cldr/common/bcp47/timezone.xml
+@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html
+             
+             
+             
+-            
++            
+             
+             
+             
+diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+index eb56c087ad6..e398af3c151 100644
+--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
++++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+@@ -23,7 +23,7 @@
+ 
+  /*
+  * @test
+- * @bug 8181157 8202537 8234347 8236548 8261279
++ * @bug 8181157 8202537 8234347 8236548 8261279 8293834
+  * @modules jdk.localedata
+  * @summary Checks CLDR time zone names are generated correctly at runtime
+  * @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest
+@@ -102,6 +102,24 @@ public class TimeZoneNamesTest {
+                                                     "UTC+04:00",
+                                                     "heure : Astrakhan",
+                                                     "UTC+04:00"},
++            {"Europe/Kyiv",             Locale.US, "Eastern European Standard Time",
++                                                    "GMT+02:00",
++                                                    "Eastern European Summer Time",
++                                                    "GMT+03:00",
++                                                    "Eastern European Time",
++                                                    "GMT+02:00"},
++            {"Europe/Kyiv",             Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est",
++                                                    "UTC+02:00",
++                                                    "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est",
++                                                    "UTC+03:00",
++                                                    "heure d\u2019Europe de l\u2019Est",
++                                                    "UTC+02:00"},
++            {"Europe/Kyiv",             Locale.GERMANY, "Osteurop\u00e4ische Normalzeit",
++                                                    "OEZ",
++                                                    "Osteurop\u00e4ische Sommerzeit",
++                                                    "OESZ",
++                                                    "Osteurop\u00e4ische Zeit",
++                                                    "OEZ"},
+             {"Europe/Saratov",          Locale.US, "Saratov Standard Time",
+                                                     "GMT+04:00",
+                                                     "Saratov Daylight Time",
diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch
new file mode 100644
index 0000000..9eb6727
--- /dev/null
+++ b/jdk8294357-tzdata2022d.patch
@@ -0,0 +1,303 @@
+commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce
+Author: Goetz Lindenmaier 
+Date:   Wed Oct 5 07:13:43 2022 +0000
+
+    8294357: (tz) Update Timezone Data to 2022d
+    
+    Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54
+
+diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/make/data/tzdata/VERSION
++++ b/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
+index 3a150b0f36b..f9df7432947 100644
+--- a/make/data/tzdata/asia
++++ b/make/data/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+ 
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+ 
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards.  Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
+ Rule EgyptAsia	1957	1958	-	Oct	 1	0:00	0	-
+@@ -3448,14 +3456,16 @@ Rule Palestine	2013	only	-	Sep	27	0:00	0	-
+ Rule Palestine	2014	only	-	Oct	24	0:00	0	-
+ Rule Palestine	2015	only	-	Mar	28	0:00	1:00	S
+ Rule Palestine	2015	only	-	Oct	23	1:00	0	-
+-Rule Palestine	2016	2018	-	Mar	Sat>=24	1:00	1:00	S
+-Rule Palestine	2016	2018	-	Oct	Sat>=24	1:00	0	-
++Rule Palestine	2016	2018	-	Mar	Sat<=30	1:00	1:00	S
++Rule Palestine	2016	2018	-	Oct	Sat<=30	1:00	0	-
+ Rule Palestine	2019	only	-	Mar	29	0:00	1:00	S
+-Rule Palestine	2019	only	-	Oct	Sat>=24	0:00	0	-
+-Rule Palestine	2020	2021	-	Mar	Sat>=24	0:00	1:00	S
++Rule Palestine	2019	only	-	Oct	Sat<=30	0:00	0	-
++Rule Palestine	2020	2021	-	Mar	Sat<=30	0:00	1:00	S
+ Rule Palestine	2020	only	-	Oct	24	1:00	0	-
+-Rule Palestine	2021	max	-	Oct	Fri>=23	1:00	0	-
+-Rule Palestine	2022	max	-	Mar	Sun>=25	0:00	1:00	S
++Rule Palestine	2021	only	-	Oct	29	1:00	0	-
++Rule Palestine	2022	only	-	Mar	27	0:00	1:00	S
++Rule Palestine	2022	max	-	Oct	Sat<=30	2:00	0	-
++Rule Palestine	2023	max	-	Mar	Sat<=30	2:00	1:00	S
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Gaza	2:17:52	-	LMT	1900 Oct
+diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/make/data/tzdata/backward
++++ b/make/data/tzdata/backward
+@@ -113,6 +113,8 @@ Link	Etc/UTC			Etc/UCT
+ Link	Europe/London		Europe/Belfast
+ Link	Europe/Kyiv		Europe/Kiev
+ Link	Europe/Chisinau		Europe/Tiraspol
++Link	Europe/Kyiv		Europe/Uzhgorod
++Link	Europe/Kyiv		Europe/Zaporozhye
+ Link	Europe/London		GB
+ Link	Europe/London		GB-Eire
+ Link	Etc/GMT			GMT+0
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
+index 879b5337536..accc845dbaf 100644
+--- a/make/data/tzdata/europe
++++ b/make/data/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol	 2:16:24 -	LMT	1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 			 2:00	EU	EE%sT	2014 Mar 30  2:00
+ 			 4:00	-	MSK	2014 Oct 26  2:00s
+ 			 3:00	-	MSK
+@@ -3774,8 +3778,8 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+ 
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+ 
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital.  Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-# This represents most of Ukraine.  See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv	2:02:04 -	LMT	1880
+ 			2:02:04	-	KMT	1924 May  2 # Kyiv Mean Time
+ 			2:00	-	EET	1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv	2:02:04 -	LMT	1880
+ 			2:00	1:00	EEST	1991 Sep 29  3:00
+ 			2:00	C-Eur	EE%sT	1996 May 13
+ 			2:00	EU	EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod	1:29:12 -	LMT	1890 Oct
+-			1:00	-	CET	1940
+-			1:00	C-Eur	CE%sT	1944 Oct
+-			1:00	1:00	CEST	1944 Oct 26
+-			1:00	-	CET	1945 Jun 29
+-			3:00	Russia	MSK/MSD	1990
+-			3:00	-	MSK	1990 Jul  1  2:00
+-			1:00	-	CET	1991 Mar 31  3:00
+-			2:00	-	EET	1992 Mar 20
+-			2:00	C-Eur	EE%sT	1996 May 13
+-			2:00	EU	EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English.  Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye	2:20:40 -	LMT	1880
+-			2:20	-	+0220	1924 May  2
+-			2:00	-	EET	1930 Jun 21
+-			3:00	-	MSK	1941 Aug 25
+-			1:00	C-Eur	CE%sT	1943 Oct 25
+-			3:00	Russia	MSK/MSD	1991 Mar 31  2:00
+-			2:00	E-Eur	EE%sT	1992 Mar 20
+-			2:00	C-Eur	EE%sT	1996 May 13
+-			2:00	EU	EE%sT
+ 
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/make/data/tzdata/southamerica
++++ b/make/data/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco	-4:31:12 -	LMT	1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"...  This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+ 
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule	Chile	1927	1931	-	Sep	 1	0:00	1:00	-
+diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/make/data/tzdata/zone.tab
++++ b/make/data/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV	-0831+17913	Pacific/Funafuti
+ TW	+2503+12130	Asia/Taipei
+ TZ	-0648+03917	Africa/Dar_es_Salaam
+ UA	+5026+03031	Europe/Kyiv	Ukraine (most areas)
+-UA	+4837+02218	Europe/Uzhgorod	Transcarpathia
+-UA	+4750+03510	Europe/Zaporozhye	Zaporozhye and east Lugansk
+ UG	+0019+03225	Africa/Kampala
+ UM	+2813-17722	Pacific/Midway	Midway Islands
+ UM	+1917+16637	Pacific/Wake	Wake Island
+diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 15c2f0d1275..6f6e190efcd 100644
+--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -574,12 +574,8 @@ public final class ZoneInfoFile {
+                     // we can then pass in the dom = -1, dow > 0 into ZoneInfo
+                     //
+                     // hacking, assume the >=24 is the result of ZRB optimization for
+-                    // "last", it works for now. From tzdata2020d this hacking
+-                    // will not work for Asia/Gaza and Asia/Hebron which follow
+-                    // Palestine DST rules.
+-                    if (dom < 0 || dom >= 24 &&
+-                                   !(zoneId.equals("Asia/Gaza") ||
+-                                     zoneId.equals("Asia/Hebron"))) {
++                    // "last", it works for now.
++                    if (dom < 0 || dom >= 24) {
+                         params[1] = -1;
+                         params[2] = toCalendarDOW[dow];
+                     } else {
+@@ -601,7 +597,6 @@ public final class ZoneInfoFile {
+                     params[7] = 0;
+                 } else {
+                     // hacking: see comment above
+-                    // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
+                     if (dom < 0 || dom >= 24) {
+                         params[6] = -1;
+                         params[7] = toCalendarDOW[dow];
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+index c32bee39fba..71470168456 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022c
++tzdata2022d
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+index a5e6428a3f5..e3ce742f887 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+@@ -183,6 +183,8 @@ Link	Etc/UTC			Etc/UCT
+ Link	Europe/London		Europe/Belfast
+ Link	Europe/Kyiv		Europe/Kiev
+ Link	Europe/Chisinau		Europe/Tiraspol
++Link	Europe/Kyiv		Europe/Uzhgorod
++Link	Europe/Kyiv		Europe/Zaporozhye
+ Link	Europe/London		GB
+ Link	Europe/London		GB-Eire
+ Link	Etc/GMT			GMT+0
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+index fc148537f1f..b3823958ae4 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -163,11 +163,9 @@ Europe/Simferopol MSK
+ Europe/Sofia EET EEST
+ Europe/Tallinn EET EEST
+ Europe/Tirane CET CEST
+-Europe/Uzhgorod EET EEST
+ Europe/Vienna CET CEST
+ Europe/Vilnius EET EEST
+ Europe/Warsaw CET CEST
+-Europe/Zaporozhye EET EEST
+ Europe/Zurich CET CEST
+ HST HST
+ MET MET MEST
+diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+index 7b50c342a0d..a7d14f1aa21 100644
+--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
++++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+@@ -176,11 +176,12 @@ public class TestZoneInfo310 {
+              * save time in IANA tzdata. This bug is tracked via JDK-8223388.
+              *
+              * These are the zones/rules that employ negative DST in vanguard
+-             * format (as of 2019a):
++             * format (as of 2019a), Palestine added in 2022d:
+              *
+              *  - Rule "Eire"
+              *  - Rule "Morocco"
+              *  - Rule "Namibia"
++             *  - Rule "Palestine"
+              *  - Zone "Europe/Prague"
+              *
+              * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
+@@ -196,6 +197,8 @@ public class TestZoneInfo310 {
+                 zid.equals("Europe/Dublin") || // uses "Eire" rule
+                 zid.equals("Europe/Prague") ||
+                 zid.equals("Asia/Tehran") || // last rule mismatch
++                zid.equals("Asia/Gaza") || // uses "Palestine" rule
++                zid.equals("Asia/Hebron") || // uses "Palestine" rule
+                 zid.equals("Iran")) { // last rule mismatch
+                     continue;
+             }
diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch
new file mode 100644
index 0000000..8ffd2ee
--- /dev/null
+++ b/jdk8295173-tzdata2022e.patch
@@ -0,0 +1,420 @@
+commit d159a377e0243bd2c80593689fd7cd20b2b578f7
+Author: duke 
+Date:   Fri Oct 14 03:37:19 2022 +0000
+
+    Backport 21407dec0156301871a83328615e4d975c4287c4
+
+diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/make/data/tzdata/VERSION
++++ b/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
+index f9df7432947..5b2337fd0b6 100644
+--- a/make/data/tzdata/asia
++++ b/make/data/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+ 
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+ Rule	Jordan	1973	only	-	Jun	6	0:00	1:00	S
+ Rule	Jordan	1973	1975	-	Oct	1	0:00	0	-
+@@ -2285,11 +2296,12 @@ Rule	Jordan	2005	only	-	Sep	lastFri	0:00s	0	-
+ Rule	Jordan	2006	2011	-	Oct	lastFri	0:00s	0	-
+ Rule	Jordan	2013	only	-	Dec	20	0:00	0	-
+ Rule	Jordan	2014	2021	-	Mar	lastThu	24:00	1:00	S
+-Rule	Jordan	2014	max	-	Oct	lastFri	0:00s	0	-
+-Rule	Jordan	2022	max	-	Feb	lastThu	24:00	1:00	S
++Rule	Jordan	2014	2022	-	Oct	lastFri	0:00s	0	-
++Rule	Jordan	2022	only	-	Feb	lastThu	24:00	1:00	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Amman	2:23:44 -	LMT	1931
+-			2:00	Jordan	EE%sT
++			2:00	Jordan	EE%sT	2022 Oct 28 0:00s
++			3:00	-	+03
+ 
+ 
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+ 
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+ 
+ Rule	Syria	2008	only	-	Apr	Fri>=1	0:00	1:00	S
+ Rule	Syria	2008	only	-	Nov	1	0:00	0	-
+ Rule	Syria	2009	only	-	Mar	lastFri	0:00	1:00	S
+ Rule	Syria	2010	2011	-	Apr	Fri>=1	0:00	1:00	S
+-Rule	Syria	2012	max	-	Mar	lastFri	0:00	1:00	S
+-Rule	Syria	2009	max	-	Oct	lastFri	0:00	0	-
++Rule	Syria	2012	2022	-	Mar	lastFri	0:00	1:00	S
++Rule	Syria	2009	2022	-	Oct	lastFri	0:00	0	-
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ Zone	Asia/Damascus	2:25:12 -	LMT	1920 # Dimashq
+-			2:00	Syria	EE%sT
++			2:00	Syria	EE%sT	2022 Oct 28 0:00
++			3:00	-	+03
+ 
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
+index accc845dbaf..2832c4b9763 100644
+--- a/make/data/tzdata/europe
++++ b/make/data/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone	Europe/Madrid	-0:14:44 -	LMT	1901 Jan  1  0:00u
+ 			 0:00	Spain	WE%sT	1940 Mar 16 23:00
+ 			 1:00	Spain	CE%sT	1979
+ 			 1:00	EU	CE%sT
+-Zone	Africa/Ceuta	-0:21:16 -	LMT	1900 Dec 31 23:38:44
++Zone	Africa/Ceuta	-0:21:16 -	LMT	1901 Jan  1  0:00u
+ 			 0:00	-	WET	1918 May  6 23:00
+ 			 0:00	1:00	WEST	1918 Oct  7 23:00
+ 			 0:00	-	WET	1924
+diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/make/data/tzdata/northamerica
++++ b/make/data/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule	Chicago	1922	1966	-	Apr	lastSun	2:00	1:00	D
+ Rule	Chicago	1922	1954	-	Sep	lastSun	2:00	0	S
+ Rule	Chicago	1955	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 12:09:24
++Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1920
+ 			-6:00	Chicago	C%sT	1936 Mar  1  2:00
+ 			-5:00	-	EST	1936 Nov 15  2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago	-5:50:36 -	LMT	1883 Nov 18 12:09:24
+ 			-6:00	Chicago	C%sT	1967
+ 			-6:00	US	C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1992 Oct 25  2:00
+ 			-6:00	US	C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT	1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See .
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	2003 Oct 26  2:00
+ 			-6:00	US	C%sT
+ 
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
+ # largest city in Mercer County).  Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+ 
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	2010 Nov  7  2:00
+ 			-6:00	US	C%sT
+ 
+@@ -530,7 +530,7 @@ Rule	Denver	1921	only	-	May	22	2:00	0	S
+ Rule	Denver	1965	1966	-	Apr	lastSun	2:00	1:00	D
+ Rule	Denver	1965	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
++Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1920
+ 			-7:00	Denver	M%sT	1942
+ 			-7:00	US	M%sT	1946
+@@ -583,7 +583,7 @@ Rule	CA	1950	1966	-	Apr	lastSun	1:00	1:00	D
+ Rule	CA	1950	1961	-	Sep	lastSun	2:00	0	S
+ Rule	CA	1962	1966	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 20:00u
+ 			-8:00	US	P%sT	1946
+ 			-8:00	CA	P%sT	1967
+ 			-8:00	US	P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu	-10:31:26 -	LMT	1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+ 
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Phoenix	-7:28:18 -	LMT	1883 Nov 18 11:31:42
++Zone America/Phoenix	-7:28:18 -	LMT	1883 Nov 18 19:00u
+ 			-7:00	US	M%sT	1944 Jan  1  0:01
+ 			-7:00	-	MST	1944 Apr  1  0:01
+ 			-7:00	US	M%sT	1944 Oct  1  0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 12:15:11
++Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 20:00u
+ 			-8:00	US	P%sT	1923 May 13  2:00
+ 			-7:00	US	M%sT	1974
+ 			-7:00	-	MST	1974 Feb  3  2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941	only	-	Jun	22	2:00	1:00	D
+ Rule Indianapolis 1941	1954	-	Sep	lastSun	2:00	0	S
+ Rule Indianapolis 1946	1954	-	Apr	lastSun	2:00	1:00	D
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT	1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1920
+ 			-6:00 Indianapolis C%sT	1942
+ 			-6:00	US	C%sT	1946
+@@ -965,7 +965,7 @@ Rule	Marengo	1951	only	-	Sep	lastSun	2:00	0	S
+ Rule	Marengo	1954	1960	-	Apr	lastSun	2:00	1:00	D
+ Rule	Marengo	1954	1960	-	Sep	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 -	LMT	1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1951
+ 			-6:00	Marengo	C%sT	1961 Apr 30  2:00
+ 			-5:00	-	EST	1969
+@@ -989,7 +989,7 @@ Rule Vincennes	1960	only	-	Oct	lastSun	2:00	0	S
+ Rule Vincennes	1961	only	-	Sep	lastSun	2:00	0	S
+ Rule Vincennes	1962	1963	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT	1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00 Vincennes	C%sT	1964 Apr 26  2:00
+ 			-5:00	-	EST	1969
+@@ -1009,7 +1009,7 @@ Rule Perry	1955	1960	-	Sep	lastSun	2:00	0	S
+ Rule Perry	1956	1963	-	Apr	lastSun	2:00	1:00	D
+ Rule Perry	1961	1963	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT	1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00 Perry	C%sT	1964 Apr 26  2:00
+ 			-5:00	-	EST	1967 Oct 29  2:00
+@@ -1026,7 +1026,7 @@ Rule	Pike	1955	1960	-	Sep	lastSun	2:00	0	S
+ Rule	Pike	1956	1964	-	Apr	lastSun	2:00	1:00	D
+ Rule	Pike	1961	1964	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT	1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1955
+ 			-6:00	Pike	C%sT	1965 Apr 25  2:00
+ 			-5:00	-	EST	1966 Oct 30  2:00
+@@ -1048,7 +1048,7 @@ Rule	Starke	1955	1956	-	Oct	lastSun	2:00	0	S
+ Rule	Starke	1957	1958	-	Sep	lastSun	2:00	0	S
+ Rule	Starke	1959	1961	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Knox -5:46:30 -	LMT	1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1947
+ 			-6:00	Starke	C%sT	1962 Apr 29  2:00
+ 			-5:00	-	EST	1963 Oct 27  2:00
+@@ -1064,7 +1064,7 @@ Rule	Pulaski	1946	1954	-	Sep	lastSun	2:00	0	S
+ Rule	Pulaski	1955	1956	-	Oct	lastSun	2:00	0	S
+ Rule	Pulaski	1957	1960	-	Sep	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00	Pulaski	C%sT	1961 Apr 30  2:00
+ 			-5:00	-	EST	1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT	1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 -	LMT	1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 -	LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1954 Apr 25  2:00
+ 			-5:00	-	EST	1969
+ 			-5:00	US	E%sT	1973
+@@ -1111,7 +1111,7 @@ Rule Louisville	1950	1961	-	Apr	lastSun	2:00	1:00	D
+ Rule Louisville	1950	1955	-	Sep	lastSun	2:00	0	S
+ Rule Louisville	1956	1961	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1921
+ 			-6:00 Louisville C%sT	1942
+ 			-6:00	US	C%sT	1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 18:00u
+ 			-6:00	US	C%sT	1946
+ 			-6:00	-	CST	1968
+ 			-6:00	US	C%sT	2000 Oct 29  2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson	-9:17:40 -	LMT	1900 Aug 20
+ #    longitude they are located at.
+ 
+ # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
++Rule	Mexico	1931	only	-	May	1	23:00	1:00	D
++Rule	Mexico	1931	only	-	Oct	1	0:00	0	S
+ Rule	Mexico	1939	only	-	Feb	5	0:00	1:00	D
+ Rule	Mexico	1939	only	-	Jun	25	0:00	0	S
+ Rule	Mexico	1940	only	-	Dec	9	0:00	1:00	D
+@@ -2656,13 +2658,13 @@ Rule	Mexico	2002	max	-	Apr	Sun>=1	2:00	1:00	D
+ Rule	Mexico	2002	max	-	Oct	lastSun	2:00	0	S
+ # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun	-5:47:04 -	LMT	1922 Jan  1  0:12:56
++Zone America/Cancun	-5:47:04 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1981 Dec 23
+ 			-5:00	Mexico	E%sT	1998 Aug  2  2:00
+ 			-6:00	Mexico	C%sT	2015 Feb  1  2:00
+ 			-5:00	-	EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  0:01:32
++Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1981 Dec 23
+ 			-5:00	-	EST	1982 Dec  2
+ 			-6:00	Mexico	C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida	-5:58:28 -	LMT	1922 Jan  1  0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros	-6:40:00 -	LMT	1921 Dec 31 23:20:00
++Zone America/Matamoros	-6:30:00 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1988
+ 			-6:00	US	C%sT	1989
+ 			-6:00	Mexico	C%sT	2010
+ 			-6:00	US	C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey	-6:41:16 -	LMT	1921 Dec 31 23:18:44
++Zone America/Monterrey	-6:41:16 -	LMT	1922 Jan  1  6:00u
+ 			-6:00	-	CST	1988
+ 			-6:00	US	C%sT	1989
+ 			-6:00	Mexico	C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  0:23:24
++Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	Mexico	C%sT	2001 Sep 30  2:00
+ 			-6:00	-	CST	2002 Feb 20
+ 			-6:00	Mexico	C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 -	LMT	1922 Jan  1  0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga	-6:57:40 -	LMT	1922 Jan  1  0:02:20
++Zone America/Ojinaga	-6:57:40 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1996
+ 			-6:00	Mexico	C%sT	1998
+ 			-6:00	-	CST	1998 Apr Sun>=1  3:00
+ 			-7:00	Mexico	M%sT	2010
+ 			-7:00	US	M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua	-7:04:20 -	LMT	1921 Dec 31 23:55:40
++Zone America/Chihuahua	-7:04:20 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1996
+ 			-6:00	Mexico	C%sT	1998
+ 			-6:00	-	CST	1998 Apr Sun>=1  3:00
+ 			-7:00	Mexico	M%sT
+ # Sonora
+-Zone America/Hermosillo	-7:23:52 -	LMT	1921 Dec 31 23:36:08
++Zone America/Hermosillo	-7:23:52 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo	-7:23:52 -	LMT	1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+ 
+ # Mazatlán
+-Zone America/Mazatlan	-7:05:40 -	LMT	1921 Dec 31 23:54:20
++Zone America/Mazatlan	-7:05:40 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+ 			-7:00	Mexico	M%sT
+ 
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas	-7:01:00 -	LMT	1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1927 Jun 10 23:00
+ 			-6:00	-	CST	1930 Nov 15
+-			-7:00	-	MST	1931 May  1 23:00
+-			-6:00	-	CST	1931 Oct
+-			-7:00	-	MST	1932 Apr  1
++			-7:00	Mexico	M%sT	1932 Apr  1
+ 			-6:00	-	CST	1942 Apr 24
+ 			-7:00	-	MST	1949 Jan 14
+ 			-8:00	-	PST	1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas	-7:01:00 -	LMT	1921 Dec 31 23:59:00
+ 			-6:00	Mexico	C%sT
+ 
+ # Baja California
+-Zone America/Tijuana	-7:48:04 -	LMT	1922 Jan  1  0:11:56
++Zone America/Tijuana	-7:48:04 -	LMT	1922 Jan  1  7:00u
+ 			-7:00	-	MST	1924
+ 			-8:00	-	PST	1927 Jun 10 23:00
+ 			-7:00	-	MST	1930 Nov 15
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+index 71470168456..0cad939008f 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022d
++tzdata2022e
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+index b3823958ae4..2f2786f1c69 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
+ America/Yakutat AKST AKDT
+ America/Yellowknife MST MDT
+ Antarctica/Macquarie AEST AEDT
+-Asia/Amman EET EEST
+ Asia/Beirut EET EEST
+-Asia/Damascus EET EEST
+ Asia/Famagusta EET EEST
+ Asia/Gaza EET EEST
+ Asia/Hebron EET EEST
diff --git a/nss.cfg.in b/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
new file mode 100644
index 0000000..2d9ec35
--- /dev/null
+++ b/nss.fips.cfg.in
@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
new file mode 100644
index 0000000..25c2fc8
--- /dev/null
+++ b/remove-intree-libraries.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+# Arguments:  
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+    echo "$0  (MINIMAL|FULL)";
+    exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+    TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+    echo "Type must be minimal or full";
+    exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib & freetype having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+	echo "${ZIP_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+	echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
+
+# Minimal is limited to just zlib and freetype so finish here
+if test "x${TYPE}" = "xminimal"; then
+    echo "Finished.";
+    exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+	echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+	exit 1
+fi	
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+	echo "${GIF_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+	echo "${PNG_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+	echo "${LCMS_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+                 toolkit = new HeadlessToolkit(toolkit);
+             }
+             if (!GraphicsEnvironment.isHeadless()) {
+-                loadAssistiveTechnologies();
++                try {
++                    loadAssistiveTechnologies();
++                } catch (AWTError error) {
++                    // ignore silently
++                }
+             }
+         }
+         return toolkit;
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..6d2342a
--- /dev/null
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index adfaf57d29e..abf89bbf327 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # Security providers used when FIPS mode support is active
diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+                sun.reflect.,\
++               org.GNOME.Accessibility.,\
++               org.GNOME.Bonobo.,\
+ 
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+                    sun.reflect.,\
++                   org.GNOME.Accessibility.,\
++                   org.GNOME.Bonobo.,\
+ 
+ #
+ # Determines whether this properties file can be appended to
diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
new file mode 100644
index 0000000..5e2b254
--- /dev/null
+++ b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java	2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java	2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+ 
+     private final static String PROP_NAME = "sun.security.smartcardio.library";
+ 
+-    private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+-    private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++    private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++    private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+     private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+ 
+     PlatformPCSC() {
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..88f5e5a
--- /dev/null
+++ b/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+     OPTIMIZATION := HIGH, \
+ ))
+ 
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++    EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++    VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++    OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+   $(eval $(call SetupBuildLauncher, javaw, \
+       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include 
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL    52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL    53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS          0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED          0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL                 (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE                (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE               (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++  if ( prctl(PR_SET_SPECULATION_CTRL,
++             PR_SPEC_STORE_BYPASS,
++             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++    return;
++  }
++  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+ 
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+ 
diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+     /* and fill it in */
+     dst_ptr = icc_data;
+     for (seq_no = first; seq_no < last; seq_no++) {
+-        JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++        JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+         unsigned int length =
+             icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+ 
diff --git a/sources b/sources
new file mode 100644
index 0000000..b1d8135
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (openjdk-jdk17u-jdk-17.0.5+8.tar.xz) = 1acbda948374d7834347c9b98cfc25a7db24a5656e4466792831015158bdf24026a35a2cdbb8993c09e906a5f305b9e7749fa36b4dae3e75800a8976a2cb2b82
+SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30