rpms/java-17-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-17-openjdk-17.0.2.0.8-2.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-03-01 06:13:21 -05:00 committed by Stepan Oksanichenko
parent 707b974fcf
commit 7b88c01e98
10 changed files with 1331 additions and 248 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17-jdk-17+35.tar.xz SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

4
.java-17-openjdk.metadata
View File

@ -1,2 +1,2 @@
a2bffc90da173240cdf0e3ea6971d4ba432b3cfe SOURCES/openjdk-jdk17-jdk-17+35.tar.xz 47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

468
SOURCES/NEWS
View File

@ -3,6 +3,474 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1702
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
* Security fixes
- JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- JDK-8268488: More valuable DerValues
- JDK-8268494: Better inlining of inlined interfaces
- JDK-8268512: More content for ContentInfo
- JDK-8268813, CVE-2022-21283: Better String matching
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- JDK-8269944: Better HTTP transport redux
- JDK-8270386, CVE-2022-21291: Better verification of scan methods
- JDK-8270392, CVE-2022-21293: Improve String constructions
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- JDK-8271962: Better TrueType font loading
- JDK-8271968: Better canonical naming
- JDK-8271987: Manifest improved manifest entries
- JDK-8272014, CVE-2022-21305: Better array indexing
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- JDK-8272272: Enhance jcmd communication
- JDK-8272462: Enhance image handling
- JDK-8273290: Enhance sound handling
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- JDK-8274096, CVE-2022-21366: Improve decoding of image files
* Other changes
- JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
- JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
- JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
- JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- JDK-8214761: Bug in parallel Kahan summation implementation
- JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
- JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
- JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
- JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
- JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
- JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
- JDK-8263375: Support stack watermarks in Zero VM
- JDK-8263773: Reenable German localization for builds at Oracle
- JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
- JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
- JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
- JDK-8264292: Create implementation for NSAccessibilityList protocol peer
- JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
- JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
- JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
- JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
- JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
- JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
- JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
- JDK-8266239: Some duplicated javac command-line options have repeated effect
- JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
- JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
- JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
- JDK-8267387: Create implementation for NSAccessibilityOutline protocol
- JDK-8267388: Create implementation for NSAccessibilityTable protocol
- JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
- JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
- JDK-8268361: Fix the infinite loop in next_line
- JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
- JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
- JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
- JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
- JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
- JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
- JDK-8268893: jcmd to trim the glibc heap
- JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
- JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
- JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
- JDK-8269113: Javac throws when compiling switch (null)
- JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
- JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
- JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
- JDK-8269481: SctpMultiChannel never releases own file descriptor
- JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
- JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- JDK-8269687: pauth_aarch64.hpp include name is incorrect
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
- JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- JDK-8270110: Shenandoah: Add test for JDK-8269661
- JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
- JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
- JDK-8270290: NTLM authentication fails if HEAD request is used
- JDK-8270317: Large Allocation in CipherSuite
- JDK-8270320: JDK-8270110 committed invalid copyright headers
- JDK-8270517: Add Zero support for LoongArch
- JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
- JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
- JDK-8271071: accessibility of a table on macOS lacks cell navigation
- JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
- JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
- JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
- JDK-8271215: Fix data races in G1PeriodicGCTask
- JDK-8271254: javac generates unreachable code when using empty semicolon statement
- JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
- JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
- JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
- JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
- JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
- JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
- JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
- JDK-8271605: Update JMH devkit to 1.32
- JDK-8271718: Crash when during color transformation the color profile is replaced
- JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
- JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
- JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
- JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
- JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
- JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
- JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
- JDK-8272114: Unused _last_state in osThread_windows
- JDK-8272170: Missing memory barrier when checking active state for regions
- JDK-8272305: several hotspot runtime/modules don't check exit codes
- JDK-8272318: Improve performance of HeapDumpAllTest
- JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
- JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- JDK-8272345: macos doesn't check `os::set_boot_path()` result
- JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0"
- JDK-8272391: Undeleted debug information
- JDK-8272413: Incorrect num of element count calculation for vector cast
- JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
- JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272570: C2: crash in PhaseCFG::global_code_motion
- JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272639: jpackaged applications using microphone on mac
- JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
- JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
- JDK-8272783: Epsilon: Refactor tests to improve performance
- JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
- JDK-8272838: Move CriticalJNI tests out of tier1
- JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1
- JDK-8272850: Drop zapping values in the Zap* option descriptions
- JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test
- JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
- JDK-8272859: Javadoc external links should only have feature version number in URL
- JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
- JDK-8272970: Parallelize runtime/InvocationTests/
- JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop
- JDK-8273021: C2: Improve Add and Xor ideal optimizations
- JDK-8273026: Slow LoginContext.login() on multi threading application
- JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
- JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert
- JDK-8273176: handle latest VS2019 in abstract_vm_version
- JDK-8273229: Update OS detection code to recognize Windows Server 2022
- JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash
- JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
- JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT
- JDK-8273308: PatternMatchTest.java fails on CI
- JDK-8273314: Add tier4 test groups
- JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test
- JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory
- JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods
- JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
- JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size
- JDK-8273361: InfoOptsTest is failing in tier1
- JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
- JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop
- JDK-8273376: Zero: Disable vtable/itableStub gtests
- JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP
- JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record
- JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
- JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java
- JDK-8273450: Fix the copyright header of SVML files
- JDK-8273451: Remove unreachable return in mutexLocker::wait
- JDK-8273483: Zero: Clear pending JNI exception check in native method handler
- JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
- JDK-8273487: Zero: Handle "zero" variant in runtime tests
- JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths
- JDK-8273498: compiler/c2/Test7179138_1.java timed out
- JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
- JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
- JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
- JDK-8273592: Backout JDK-8271868
- JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image.
- JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian
- JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
- JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests
- JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
- JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
- JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease
- JDK-8273695: Safepoint deadlock on VMOperation_lock
- JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
- JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly
- JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
- JDK-8273808: Cleanup AddFontsToX11FontPath
- JDK-8273826: Correct Manifest file name and NPE checks
- JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
- JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
- JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release()
- JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
- JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
- JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds
- JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
- JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled
- JDK-8273968: JCK javax_xml tests fail in CI
- JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
- JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
- JDK-8274083: Update testing docs to mention tiered testing
- JDK-8274087: Windows DLL path not set correctly.
- JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition
- JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
- JDK-8274215: Remove globalsignr2ca root from 17.0.2
- JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86
- JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
- JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
- JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160
- JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
- JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
- JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
- JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile
- JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU
- JDK-8274381: missing CAccessibility definitions in JNI code
- JDK-8274383: JNI call of getAccessibleSelection on a wrong thread
- JDK-8274401: C2: GraphKit::load_array_element bypasses Access API
- JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough"
- JDK-8274407: (tz) Update Timezone Data to 2021c
- JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
- JDK-8274501: c2i entry barriers read int as long on AArch64
- JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected
- JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
- JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
- JDK-8274550: c2i entry barriers read int as long on PPC
- JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah
- JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
- JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
- JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume.
- JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
- JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers
- JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
- JDK-8274840: Update OS detection code to recognize Windows 11
- JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
- JDK-8274851: [ppc64] Port zgc to linux on ppc64le
- JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
- JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
- JDK-8275049: [ZGC] missing null check in ZNMethod::log_register
- JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
- JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed
- JDK-8275104: IR framework does not handle client VM builds correctly
- JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- JDK-8275131: Exceptions after a touchpad gesture on macOS
- JDK-8275141: recover corrupted line endings for the version-numbers.conf
- JDK-8275145: file.encoding system property has an incorrect value on Windows
- JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges
- JDK-8275302: unexpected compiler error: cast, intersection types and sealed
- JDK-8275426: PretouchTask num_chunks calculation can overflow
- JDK-8275604: Zero: Reformat opclabels_data
- JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless
- JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
- JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak
- JDK-8275766: (tz) Update Timezone Data to 2021e
- JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:]
- JDK-8275811: Incorrect instance to dispose
- JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
- JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings
- JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml
- JDK-8276025: Hotspot's libsvml.so may conflict with user dependency
- JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
- JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
- JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
- JDK-8276112: Inconsistent scalar replacement debug info at safepoints
- JDK-8276122: Change openjdk project in jcheck to jdk-updates
- JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
- JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
- JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
- JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration
- JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
- JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
- JDK-8276572: Fake libsyslookup.so library causes tooling issues
- JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
- JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah
- JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager
- JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32
- JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
- JDK-8276854: Windows GHA builds fail due to broken Cygwin
- JDK-8276864: Update boot JDKs to 17.0.1 in GHA
- JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders
- JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
- JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
- JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
- JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
- JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
- JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches
- JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
- JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
- JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup
Notes on individual issues:
===========================
core-libs/java.io:serialization:
JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
=========================================================================================
`java.util.Vector` is updated to correctly report
`ClassNotFoundException that occurs during deserialization using
`java.io.ObjectInputStream.GetField.get(name, object)` when the class
of an element of the Vector is not found. Without this fix, a
`StreamCorruptedException` is thrown that does not provide information
about the missing class.
security-libs/java.security:
JDK-8272535: Removed Google's GlobalSign Root Certificate
=========================================================
The following root certificate from Google has been removed from the
`cacerts` keystore:
Alias Name: globalsignr2ca [jdk]
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
core-libs/java.io:
JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows
============================================================================
The initialization of the `file.encoding` system property on non macOS
platforms has been reverted to align with the behavior on or before
JDK 11. This has been an issue especially on Windows where the system
and user's locales are not the same.
hotspot/gc:
JDK-8277533: ZGC: Fixed long Process Non-Strong References times
================================================================
A bug has been fixed that could cause long "Concurrent Process
Non-Strong References" times with ZGC. The bug blocked the GC from
making significant progress, and caused both latency and throughput
issues for the Java application.
The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g.
[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms
core-libs/java.time:
JDK-8274857: Update Timezone Data to 2021c
===========================================
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
has been updated to version 2021c
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
that with this update, some of the time zone rules prior to the year
1970 have been modified according to the changes which were introduced
with 2021b. For more detail, refer to the announcement of 2021b
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
New in release OpenJDK 17.0.1 (2021-10-19):
===========================================
Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt
* Security fixes
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors
- JDK-8265574: Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268205: Enhance DTLS client handshake
- JDK-8268500: Better specified ParameterSpecs
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization
* Other changes
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
- JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
- JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
- JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
- JDK-8263531: Remove unused buffer int
- JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
- JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
- JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms
- JDK-8269297: Bump version numbers for JDK 17.0.1
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
- JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
- JDK-8269763: The JEditorPane is blank after JDK-8265167
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- JDK-8269882: stack-use-after-scope in NewObjectA
- JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
- JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
- JDK-8270094: Shenandoah: Provide human-readable labels for test configurations
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
- JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
- JDK-8270344: Session resumption errors
- JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
- JDK-8271276: C2: Wrong JVM state used for receiver null check
- JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
- JDK-8271589: fatal error with variable shift count integer rotate operation.
- JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java
- JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests
- JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
- JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
- JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
- JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
- JDK-8273358: macOS Monterey does not have the font Times needed by Serif
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8271434: Removed IdenTrust Root Certificate
===============================================
The following root certificate from IdenTrust has been removed from
the `cacerts` keystore:
Alias Name: identrustdstx3 [jdk]
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
New in release OpenJDK 17.0.0 (2021-09-14): New in release OpenJDK 17.0.0 (2021-09-14):
=========================================== ===========================================
The full list of changes in the interim releases from 11u to 17u can be found at: The full list of changes in the interim releases from 11u to 17u can be found at:

8
SOURCES/jconsole.desktop.in
View File

@ -1,8 +1,8 @@
[Desktop Entry] [Desktop Entry]
Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@ Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@ Comment=Monitor and manage OpenJDK applications
Exec=@JAVA_HOME@/jconsole Exec=_SDKBINDIR_/jconsole
Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@ Icon=java-@JAVA_VER@-@JAVA_VENDOR@
Terminal=false Terminal=false
Type=Application Type=Application
StartupWMClass=sun-tools-jconsole-JConsole StartupWMClass=sun-tools-jconsole-JConsole

21
SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch
View File

@ -1,21 +0,0 @@
commit e506cb23cfce35d1bc997d1e280f4dc40c9b3397
Author: Severin Gehwolf <sgehwolf@openjdk.org>
Date: Mon Aug 16 09:57:28 2021 +0000
8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
Backport-of: d38b31438dd4730ee2149c02277d60c35b9d7d81
diff --git openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk
index 4d0c0c00dbf..ef7eadae206 100644
--- openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk
+++ openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk
@@ -435,7 +435,7 @@ endif
ifeq ($(USE_EXTERNAL_HARFBUZZ), true)
LIBFONTMANAGER_EXTRA_SRC =
- BUILD_LIBFONTMANAGER_FONTLIB += $(LIBHARFBUZZ_LIBS)
+ BUILD_LIBFONTMANAGER_FONTLIB += $(HARFBUZZ_LIBS)
else
LIBFONTMANAGER_EXTRA_SRC = libharfbuzz

2
SOURCES/nss.fips.cfg.in
View File

@ -1,6 +1,6 @@
name = NSS-FIPS name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@ nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly nssDbMode = readOnly
nssModule = fips nssModule = fips

579
SOURCES/rh1991003-enable_fips_keys_import.patch Normal file
View File

@ -0,0 +1,579 @@
commit abcd0954643eddbf826d96291d44a143038ab750
Author: Martin Balao <mbalao@redhat.com>
Date: Sun Oct 10 18:14:01 2021 +0100
RH1991003: Enable the import of plain keys into the NSS software token.
This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index ce32c939253..dc7020ce668 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 6aa1419dfd0..ecab722848e 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -150,6 +151,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -177,6 +188,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
index a31e93ec02e..3f3caac64dc 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.access;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 00000000000..bee3a1e1537
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 5d3963ea893..42c72b393fd 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..4d80145cb91 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -152,16 +153,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
index e2d6d371bec..dc5e7eefdd3 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
return "0x" + Functions.toFullHexString((int)errorCode);
}
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
+ * no extra info for the error message.
+ */
+ public PKCS11Exception(long errorCode) {
+ this(errorCode, null);
+ }
+
/**
* Constructor taking the error code (the CKR_* constants in PKCS#11) and
* extra info for error message.

315
SOURCES/rh1995150-disable_non-fips_crypto.patch
View File

@ -1,18 +1,18 @@
diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 9d4a794de1a..39e69362458 100644 index 63bb580eb3a..238735c0c8c 100644
--- openjdk/src/java.base/share/classes/module-info.java --- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java
@@ -151,6 +151,7 @@ module java.base { @@ -152,6 +152,7 @@ module java.base {
java.management,
java.naming, java.naming,
java.rmi, java.rmi,
jdk.charsets,
+ jdk.crypto.ec, + jdk.crypto.ec,
jdk.jartool, jdk.jartool,
jdk.jlink, jdk.jlink,
jdk.net, jdk.net,
diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
index 912cad59714..c5e13c98bd9 100644 index 912cad59714..7cb5ebcde51 100644
--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java --- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
@@ -30,6 +30,7 @@ import java.net.*; @@ -30,6 +30,7 @@ import java.net.*;
import java.util.*; import java.util.*;
@ -52,149 +52,7 @@ index 912cad59714..c5e13c98bd9 100644
- if (NativePRNG.NonBlocking.isAvailable()) { - if (NativePRNG.NonBlocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGNonBlocking", - add(p, "SecureRandom", "NativePRNGNonBlocking",
- "sun.security.provider.NativePRNG$NonBlocking", attrs); - "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ if (!systemFipsEnabled) { - }
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG", attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", attrs);
+
+ /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ addWithAlias(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
+ addWithAlias(p, "Signature", "NONEwithDSA",
+ "sun.security.provider.DSA$RawDSA", attrs);
+
+ // for DSA signatures with 224/256-bit digests
+ attrs.put("KeySize", "2048");
+
+ addWithAlias(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
+
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+
+ addWithAlias(p, "Signature", "SHA384withDSA",
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA512withDSA",
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format");
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+ add(p, "Signature", "SHA384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+ add(p, "Signature", "SHA512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
+
+ /*
+ * Algorithm Parameter Generator engines
+ */
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", attrs);
+ attrs.remove("KeySize");
+
+ /*
+ * Algorithm Parameter engines
+ */
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
+
+ /*
+ * Key factories
+ */
+ addWithAlias(p, "KeyFactory", "DSA",
+ "sun.security.provider.DSAKeyFactory", attrs);
+
+ /*
+ * Digest engines
+ */
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+ attrs);
+
+ addWithAlias(p, "MessageDigest", "SHA-224",
+ "sun.security.provider.SHA2$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-256",
+ "sun.security.provider.SHA2$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-384",
+ "sun.security.provider.SHA5$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512",
+ "sun.security.provider.SHA5$SHA512", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-224",
+ "sun.security.provider.SHA3$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-256",
+ "sun.security.provider.SHA3$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-384",
+ "sun.security.provider.SHA3$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-512",
+ "sun.security.provider.SHA3$SHA512", attrs);
}
- attrs.put("ImplementedIn", "Software"); - attrs.put("ImplementedIn", "Software");
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); - add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
- add(p, "SecureRandom", "SHA1PRNG", - add(p, "SecureRandom", "SHA1PRNG",
@ -268,30 +126,133 @@ index 912cad59714..c5e13c98bd9 100644
- attrs.clear(); - attrs.clear();
- attrs.put("ImplementedIn", "Software"); - attrs.put("ImplementedIn", "Software");
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only - attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- + if (!systemFipsEnabled) {
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG", attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", attrs);
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
- + /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ addWithAlias(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
+ addWithAlias(p, "Signature", "NONEwithDSA",
+ "sun.security.provider.DSA$RawDSA", attrs);
+
+ // for DSA signatures with 224/256-bit digests
+ attrs.put("KeySize", "2048");
+
+ addWithAlias(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
+
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+
+ addWithAlias(p, "Signature", "SHA384withDSA",
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA512withDSA",
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format");
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+ add(p, "Signature", "SHA384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+ add(p, "Signature", "SHA512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- /* - /*
- * Algorithm Parameter Generator engines - * Algorithm Parameter Generator engines
- */ - */
- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", - addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
- "sun.security.provider.DSAParameterGenerator", attrs); - "sun.security.provider.DSAParameterGenerator", attrs);
- attrs.remove("KeySize"); - attrs.remove("KeySize");
- + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
- /* - /*
- * Algorithm Parameter engines - * Algorithm Parameter engines
- */ - */
- addWithAlias(p, "AlgorithmParameters", "DSA", - addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs); - "sun.security.provider.DSAParameters", attrs);
- + /*
+ * Algorithm Parameter Generator engines
+ */
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", attrs);
+ attrs.remove("KeySize");
- /* - /*
- * Key factories - * Key factories
- */ - */
- addWithAlias(p, "KeyFactory", "DSA", - addWithAlias(p, "KeyFactory", "DSA",
- "sun.security.provider.DSAKeyFactory", attrs); - "sun.security.provider.DSAKeyFactory", attrs);
- + /*
+ * Algorithm Parameter engines
+ */
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
- /* - /*
- * Digest engines - * Digest engines
- */ - */
@ -299,7 +260,12 @@ index 912cad59714..c5e13c98bd9 100644
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); - add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", - addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
- attrs); - attrs);
- + /*
+ * Key factories
+ */
+ addWithAlias(p, "KeyFactory", "DSA",
+ "sun.security.provider.DSAKeyFactory", attrs);
- addWithAlias(p, "MessageDigest", "SHA-224", - addWithAlias(p, "MessageDigest", "SHA-224",
- "sun.security.provider.SHA2$SHA224", attrs); - "sun.security.provider.SHA2$SHA224", attrs);
- addWithAlias(p, "MessageDigest", "SHA-256", - addWithAlias(p, "MessageDigest", "SHA-256",
@ -320,12 +286,41 @@ index 912cad59714..c5e13c98bd9 100644
- "sun.security.provider.SHA3$SHA384", attrs); - "sun.security.provider.SHA3$SHA384", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-512", - addWithAlias(p, "MessageDigest", "SHA3-512",
- "sun.security.provider.SHA3$SHA512", attrs); - "sun.security.provider.SHA3$SHA512", attrs);
+ /*
+ * Digest engines
+ */
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+ attrs);
+
+ addWithAlias(p, "MessageDigest", "SHA-224",
+ "sun.security.provider.SHA2$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-256",
+ "sun.security.provider.SHA2$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-384",
+ "sun.security.provider.SHA5$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512",
+ "sun.security.provider.SHA5$SHA512", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-224",
+ "sun.security.provider.SHA3$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-256",
+ "sun.security.provider.SHA3$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-384",
+ "sun.security.provider.SHA3$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-512",
+ "sun.security.provider.SHA3$SHA512", attrs);
+ }
/* /*
* Certificates * Certificates
diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index 8c9e4f9dbe6..9eeb3013e0d 100644 index 8c9e4f9dbe6..883dc04758e 100644
--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java --- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
@@ -38,6 +38,7 @@ import java.util.HashMap; @@ -38,6 +38,7 @@ import java.util.HashMap;
import java.util.Iterator; import java.util.Iterator;

6
SOURCES/rh1996182-login_to_nss_software_token.patch
View File

@ -5,13 +5,13 @@ Date: Sat Aug 28 00:35:44 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 39e69362458..aeb5fc2eb46 100644 index 238735c0c8c..dbbf11bbb22 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java --- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java
@@ -151,6 +151,7 @@ module java.base { @@ -152,6 +152,7 @@ module java.base {
java.management,
java.naming, java.naming,
java.rmi, java.rmi,
jdk.charsets,
+ jdk.crypto.cryptoki, + jdk.crypto.cryptoki,
jdk.crypto.ec, jdk.crypto.ec,
jdk.jartool, jdk.jartool,

172
SPECS/java-17-openjdk.spec
View File

@ -81,7 +81,7 @@
# in alternatives those are slaves and master, very often triplicated by man pages # in alternatives those are slaves and master, very often triplicated by man pages
# in files all masters and slaves are ghosted # in files all masters and slaves are ghosted
# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` # the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ # you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
# TODO - fix those hardcoded lists via single list # TODO - fix those hardcoded lists via single list
# Those files must *NOT* be ghosted for *slowdebug* packages # Those files must *NOT* be ghosted for *slowdebug* packages
# FIXME - if you are moving jshell or jlink or similar, always modify all three sections # FIXME - if you are moving jshell or jlink or similar, always modify all three sections
@ -125,7 +125,7 @@
%global zgc_arches x86_64 %global zgc_arches x86_64
# Set of architectures for which alt-java has SSB mitigation # Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64 %global ssbd_arches x86_64
# Set of architectures for which java has short vector math library (libsvml.so) # Set of architectures for which java has short vector math library (libjsvml.so)
%global svml_arches x86_64 %global svml_arches x86_64
# By default, we build a debug build during main build on JIT architectures # By default, we build a debug build during main build on JIT architectures
@ -274,7 +274,7 @@
# New Version-String scheme-style defines # New Version-String scheme-style defines
%global featurever 17 %global featurever 17
%global interimver 0 %global interimver 0
%global updatever 0 %global updatever 2
%global patchver 0 %global patchver 0
# If you bump featurever, you must also bump vendor_version_string # If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was # Used via new version scheme. JDK 17 was
@ -284,21 +284,26 @@
# but in time of bootstrap of next jdk, it is featurever-1, # but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place # and this it is better to change it here, on single place
%global buildjdkver 17 %global buildjdkver 17
# We don't add any LTS designator for STS packages (this package). # We don't add any LTS designator for STS packages (Fedora and EPEL).
# Neither for Fedora nor EPEL which would have %%{rhel} macro defined. # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
%if 0%{?rhel} && !0%{?epel}
%global lts_designator "LTS"
%global lts_designator_zip -%{lts_designator}
%else
%global lts_designator "" %global lts_designator ""
%global lts_designator_zip "" %global lts_designator_zip ""
%endif
# Define IcedTea version used for SystemTap tapsets and desktop file # Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 3.15.0 %global icedteaver 6.0.0pre00-c848b93a8598
# Standard JPackage naming and versioning defines # Standard JPackage naming and versioning defines
%global origin openjdk %global origin openjdk
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 35 %global buildver 8
%global rpmrelease 3 %global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -432,12 +437,7 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
exit 0 exit 0
} }
%define alternatives_java_install() %{expand:
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
@ -463,8 +463,13 @@ for X in %{origin} %{javaver} ; do
alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
done done
update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
}
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
update-desktop-database %{_datadir}/applications &> /dev/null || : update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -501,8 +506,8 @@ exit 0
%{update_desktop_icons} %{update_desktop_icons}
} }
%define post_devel() %{expand:
%define alternatives_javac_install() %{expand:
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
@ -581,7 +586,9 @@ for X in %{origin} %{javaver} ; do
done done
update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
}
%define post_devel() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || : update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -604,11 +611,11 @@ exit 0
} }
%define posttrans_devel() %{expand: %define posttrans_devel() %{expand:
%{alternatives_javac_install -- %{?1}}
%{update_desktop_icons} %{update_desktop_icons}
} }
%define post_javadoc() %{expand: %define alternatives_javadoc_install() %{expand:
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
@ -625,8 +632,7 @@ exit 0
exit 0 exit 0
} }
%define post_javadoc_zip() %{expand: %define alternatives_javadoczip_install() %{expand:
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
@ -710,7 +716,7 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
%ifarch %{svml_arches} %ifarch %{svml_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so
%endif %endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
@ -1108,11 +1114,10 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh # to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
#Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}.tar.xz
# Use 'icedtea_sync.sh' to update the following # Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (3.x). # They are based on code contained in the IcedTea project (6.x).
# Systemtap tapsets. Zipped up to keep it small. # Systemtap tapsets. Zipped up to keep it small.
Source8: tapsets-icedtea-%{icedteaver}.tar.xz Source8: tapsets-icedtea-%{icedteaver}.tar.xz
@ -1181,6 +1186,8 @@ Patch1009: rh1995150-disable_non-fips_crypto.patch
# RH1996182: Login to the NSS software token in FIPS mode # RH1996182: Login to the NSS software token in FIPS mode
Patch1010: rh1996182-login_to_nss_software_token.patch Patch1010: rh1996182-login_to_nss_software_token.patch
Patch1012: rh1996182-extend_security_policy.patch Patch1012: rh1996182-extend_security_policy.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1013: rh1991003-enable_fips_keys_import.patch
############################################# #############################################
# #
@ -1193,8 +1200,6 @@ Patch1012: rh1996182-extend_security_policy.patch
# OpenJDK patches appearing in 17.0.1 # OpenJDK patches appearing in 17.0.1
# #
############################################# #############################################
# JDK-8272332, RH2004078: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
Patch100: jdk8272332-rh2004078-broken_harfbuzz_linking.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -1541,7 +1546,6 @@ pushd %{top_level_dir_name}
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch100 -p1
popd # openjdk popd # openjdk
%patch1000 %patch1000
@ -1555,6 +1559,7 @@ popd # openjdk
%patch1010 %patch1010
%patch1011 %patch1011
%patch1012 %patch1012
%patch1013
# Extract systemtap tapsets # Extract systemtap tapsets
%if %{with_systemtap} %if %{with_systemtap}
@ -1569,13 +1574,14 @@ cp -r tapset tapset%{fastdebug_suffix}
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
for file in "tapset"$suffix/*.in; do for file in "tapset"$suffix/*.in; do
OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:%{version}-%{release}.%{_arch}.stp:g"` OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
# TODO find out which architectures other than i686 have a client vm # TODO find out which architectures other than i686 have a client vm
%ifarch %{ix86} %ifarch %{ix86}
sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
%else %else
sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
%endif %endif
sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
@ -1586,16 +1592,18 @@ done
%endif %endif
# Prepare desktop files # Prepare desktop files
# The _X_ syntax indicates variables that are replaced by make upstream
# The @X@ syntax indicates variables that are replaced by configure upstream
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
for file in %{SOURCE9}; do for file in %{SOURCE9}; do
FILE=`basename $file | sed -e s:\.in$::g` FILE=`basename $file | sed -e s:\.in$::g`
EXT="${FILE##*.}" EXT="${FILE##*.}"
NAME="${FILE%.*}" NAME="${FILE%.*}"
OUTPUT_FILE=$NAME$suffix.$EXT OUTPUT_FILE=$NAME$suffix.$EXT
sed -e "s:@JAVA_HOME@:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
sed -i -e "s:@JRE_HOME@:%{jrebindir -- $suffix}:g" $OUTPUT_FILE sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
sed -i -e "s:@ARCH@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
sed -i -e "s:@JAVA_MAJOR_VERSION@:%{featurever}:g" $OUTPUT_FILE sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
done done
done done
@ -1605,7 +1613,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg # Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build %build
# How many CPU's do we have? # How many CPU's do we have?
@ -1831,14 +1838,6 @@ do
# All these tests rely on RPM failing the build if the exit code of any set # All these tests rely on RPM failing the build if the exit code of any set
# of piped commands is non-zero. # of piped commands is non-zero.
# If this is the empty library, libsyslookup.so, of the foreign function and memory
# API incubation module (JEP 412), skip the debuginfo check as this seems unreliable
# on s390x. It's not very useful for other arches either, so skip unconditionally.
if [ "`basename $lib`" = "libsyslookup.so" ]; then
echo "Skipping debuginfo check for empty library 'libsyslookup.so'"
continue
fi
# Test for .debug_* sections in the shared object. This is the main test # Test for .debug_* sections in the shared object. This is the main test
# Stripped objects will not contain these # Stripped objects will not contain these
eu-readelf -S "$lib" | grep "] .debug_" eu-readelf -S "$lib" | grep "] .debug_"
@ -2102,6 +2101,9 @@ cjc.mainProgram(args)
%posttrans %posttrans
%{posttrans_script %{nil}} %{posttrans_script %{nil}}
%posttrans headless
%{alternatives_java_install %{nil}}
%post devel %post devel
%{post_devel %{nil}} %{post_devel %{nil}}
@ -2111,14 +2113,14 @@ cjc.mainProgram(args)
%posttrans devel %posttrans devel
%{posttrans_devel %{nil}} %{posttrans_devel %{nil}}
%post javadoc %posttrans javadoc
%{post_javadoc %{nil}} %{alternatives_javadoc_install %{nil}}
%postun javadoc %postun javadoc
%{postun_javadoc %{nil}} %{postun_javadoc %{nil}}
%post javadoc-zip %posttrans javadoc-zip
%{post_javadoc_zip %{nil}} %{alternatives_javadoczip_install %{nil}}
%postun javadoc-zip %postun javadoc-zip
%{postun_javadoc_zip %{nil}} %{postun_javadoc_zip %{nil}}
@ -2131,6 +2133,9 @@ cjc.mainProgram(args)
%post headless-slowdebug %post headless-slowdebug
%{post_headless -- %{debug_suffix_unquoted}} %{post_headless -- %{debug_suffix_unquoted}}
%posttrans headless-slowdebug
%{alternatives_java_install -- %{debug_suffix_unquoted}}
%postun slowdebug %postun slowdebug
%{postun_script -- %{debug_suffix_unquoted}} %{postun_script -- %{debug_suffix_unquoted}}
@ -2166,6 +2171,9 @@ cjc.mainProgram(args)
%posttrans fastdebug %posttrans fastdebug
%{posttrans_script -- %{fastdebug_suffix_unquoted}} %{posttrans_script -- %{fastdebug_suffix_unquoted}}
%posttrans headless-fastdebug
%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
%post devel-fastdebug %post devel-fastdebug
%{post_devel -- %{fastdebug_suffix_unquoted}} %{post_devel -- %{fastdebug_suffix_unquoted}}
@ -2272,18 +2280,72 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3 * Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
- Related: rhbz#2022826
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
- January 2022 security update to jdk 17.0.2+8
- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
- Rename libsvml.so to libjsvml.so following JDK-8276025
- Drop JDK-8276572 patch which is now upstream
- Resolves: rhbz#2039392
* Thu Feb 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
- Sync desktop files with upstream IcedTea release 3.15.0 using new script
- Related: rhbz#2022826
* Mon Nov 29 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-2
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
secmod.db file as part of nss
- Resolves: rhbz#2023537
* Tue Nov 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-1
- Drop JDK-8272332 patch now included upstream.
- Resolves: rhbz#2013846
* Tue Nov 16 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-1
- October CPU update to jdk 17.0.1+12
- Dropped commented-out source line
- Resolves: rhbz#2013846
* Tue Nov 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-8
- Extend LTS check to exclude EPEL.
- Related: rhbz#2013846
* Tue Nov 09 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.35-8
- Set LTS designator.
- Related: rhbz#2013846
* Mon Nov 08 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-7
- alternatives creation moved to posttrans
- Thus fixing the old reisntall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008206
* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
- Related: rhbz#2013846
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#1994682
* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-5
- Add patch to allow plain key import.
- Resolves: rhbz#1994682
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4
- Update release notes to document the major changes between OpenJDK 11 & 17. - Update release notes to document the major changes between OpenJDK 11 & 17.
- Resolves: rhbz#1994059 - Resolves: rhbz#2000925
* Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-2 * Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3
- Add JDK-8272332 fix so we actually link against HarfBuzz.
- Resolves: rhbz#1994059
* Tue Sep 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-1
- Update to jdk-17+35, also known as jdk-17-ga. - Update to jdk-17+35, also known as jdk-17-ga.
- Switch to GA mode. - Switch to GA mode.
- Resolves: rhbz#1994059 - Add JDK-8272332 fix so we actually link against HarfBuzz.
- Resolves: rhbz#2000925
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea * Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.