+ * PKCS#11 structure: + *
+ * typedef struct CK_PBE_PARAMS {
+- * CK_CHAR_PTR pInitVector;
+- * CK_CHAR_PTR pPassword;
++ * CK_BYTE_PTR pInitVector;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+- * CK_CHAR_PTR pSalt;
++ * CK_BYTE_PTR pSalt;
+ * CK_ULONG ulSaltLen;
+ * CK_ULONG ulIteration;
+ * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pInitVector;
++ * CK_BYTE_PTR pInitVector;
+ *
+ */
+- public char[] pInitVector;
++ public byte[] pInitVector;
+
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pPassword;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+ *
+ */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pSalt
++ * CK_BYTE_PTR pSalt
+ * CK_ULONG ulSaltLen;
+ *
+ */
+- public char[] pSalt;
++ public byte[] pSalt;
+
+ /**
+ * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+ */
+ public long ulIteration;
+
++ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++ this.pPassword = pPassword;
++ this.pSalt = pSalt;
++ this.ulIteration = ulIteration;
++ }
++
+ /**
+ * Returns the string representation of CK_PBE_PARAMS.
+ *
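Review bot: The new `CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration)` constructor has no Javadoc, and it stores the caller's `pPassword` and `pSalt` arrays by reference in public fields instead of copying them. A short Javadoc should state that, for example `@param pPassword password characters; the array is retained, not copied, so clearing it after the mechanism has been used is the caller's responsibility`, and should mention that `pInitVector` is left null by this constructor. The same applies to the constructors added to `CK_PKCS5_PBKD2_PARAMS` and `CK_PKCS5_PBKD2_PARAMS2` in the following file sections. The class body continues outside this hunk.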
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+
+ package sun.security.pkcs11.wrapper;
+
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+ /**
+ * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+ * PKCS#11 structure:
+ *
+ * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ * CK_VOID_PTR pSaltSourceData;
+ * CK_ULONG ulSaltSourceDataLen;
+ * CK_ULONG iterations;
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ * CK_VOID_PTR pPrfData;
+ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG_PTR ulPasswordLen;
+ * } CK_PKCS5_PBKD2_PARAMS;
+ *
+ *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+ */
+ public byte[] pPrfData;
+
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG_PTR ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
+ /**
+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.
++ * PKCS#11 structure:
++ *
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ * CK_ULONG iterations;
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ *
++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *
++ */
++ public long saltSource;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ *
++ */
++ public byte[] pSaltSourceData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_ULONG iterations;
++ *
++ */
++ public long iterations;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *
++ */
++ public long prf;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ *
++ */
++ public byte[] pPrfData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
++ /**
++ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++ *
++ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++ */
++ public String toString() {
++ StringBuilder sb = new StringBuilder();
++
++ sb.append(Constants.INDENT);
++ sb.append("saltSource: ");
++ sb.append(saltSource);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pSaltSourceData: ");
++ sb.append(Functions.toHexString(pSaltSourceData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulSaltSourceDataLen: ");
++ sb.append(pSaltSourceData.length);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("iterations: ");
++ sb.append(iterations);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("prf: ");
++ sb.append(prf);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pPrfData: ");
++ sb.append(Functions.toHexString(pPrfData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulPrfDataLen: ");
++ sb.append(pPrfData.length);
++
++ return sb.toString();
++ }
++
++}
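Review bot: `toString()` dereferences `pPrfData.length`, but the only constructor of `CK_PKCS5_PBKD2_PARAMS2` never assigns `pPrfData`, so calling `toString()` on a freshly built object throws a NullPointerException. `pSaltSourceData.length` has the same problem when a null salt is passed. The length lines should be null-safe, e.g. `sb.append(pPrfData == null ? 0 : pPrfData.length);`, and `Functions.toHexString(...)` should be checked for null tolerance as well, since its body is not visible here. The method rightly leaves `pPassword` out of the output; a comment such as `// pPassword is deliberately not printed` would keep it that way, and `@Override` is missing. The constructor added to `CK_PKCS5_PBKD2_PARAMS` leaves `pPrfData` unset in the same way, so its existing `toString()` is worth checking too.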
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+ public byte[] pPublicData;
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..1e98ce2e280 100644
+index 5c0aacd1a67..5fbf8addcba 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
@@ -3143,10 +4920,26 @@ index 5c0aacd1a67..1e98ce2e280 100644
import java.util.*;
import java.security.AccessController;
-@@ -150,18 +153,43 @@ public class PKCS11 {
- this.pkcs11ModulePath = pkcs11ModulePath;
- }
+@@ -113,6 +116,8 @@ public class PKCS11 {
+ private long pNativeData;
+
++ private CK_INFO pInfo;
++
+ /**
+ * This method does the initialization of the native library. It is called
+ * exactly once for this class.
+@@ -145,23 +150,49 @@ public class PKCS11 {
+ * @postconditions
+ */
+ PKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ connect(pkcs11ModulePath, functionListName);
+ this.pkcs11ModulePath = pkcs11ModulePath;
++ pInfo = C_GetInfo();
++ }
++
+ /*
+ * Compatibility wrapper to allow this method to work as before
+ * when FIPS mode support is not active.
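Review bot: `pInfo = C_GetInfo();` is called from inside the `PKCS11` constructor, which raises two questions. It invokes an instance method while subclasses that override `C_*` methods (`SynchronizedPKCS11` overrides at least `C_GenerateRandom`) are still being constructed. Judging by the `omitInitialize` branch in `getInstance`, it also appears to run before `C_Initialize`; PKCS#11 permits a module to answer `C_GetInfo` with `CKR_CRYPTOKI_NOT_INITIALIZED` in that state, and with the widened `throws PKCS11Exception` that would abort loading the provider. If the ordering is intentional, a comment on that line should say so; otherwise fetching the info in `getInstance` after initialization is safer. The constructor and `getInstance` are only partly visible in this hunk.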
@@ -3156,8 +4949,8 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ boolean omitInitialize) throws IOException, PKCS11Exception {
+ return getInstance(pkcs11ModulePath, functionList,
+ pInitArgs, omitInitialize, null, null);
-+ }
-+
+ }
+
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
@@ -3190,7 +4983,31 @@ index 5c0aacd1a67..1e98ce2e280 100644
}
if (omitInitialize == false) {
try {
-@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+@@ -179,6 +210,14 @@ public class PKCS11 {
+ return pkcs11;
+ }
+
++ /**
++ * Returns the CK_INFO structure fetched at initialization with
++ * C_GetInfo. This structure represent Cryptoki library information.
++ */
++ public CK_INFO getInfo() {
++ return pInfo;
++ }
++
+ /**
+ * Connects this object to the specified PKCS#11 library. This method is for
+ * internal use only.
+@@ -1625,7 +1664,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+
+ SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ }
+
+@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
@@ -3204,7 +5021,7 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ private MethodHandle hC_GetAttributeValue;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ this.fipsKeyExporter = fipsKeyExporter;
@@ -3256,7 +5073,7 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ private MethodHandle hC_GetAttributeValue;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ this.fipsKeyExporter = fipsKeyExporter;
@@ -3385,6 +5202,442 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ }
+}
}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index 0d65ee26805..38fd4aff1f3 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+ public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
+ public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
+
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
+-
+- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
+-
+ public static final long CK_OTP_VALUE = 0x00000000L;
+ public static final long CK_OTP_PIN = 0x00000001L;
+ public static final long CK_OTP_CHALLENGE = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+ public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
+ */
+
++ // PBKDF2 support, used in P11Util
++ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
++
+ // private NSS attribute (for DSA and DH private keys)
+ public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L;
+
+ // base number of NSS private attributes
+ public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+- = 0xCE534350L;
++ /* now known as CKM_NSS ^ */ = 0xCE534350L;
+
+ // object type for NSS trust
+ public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+ = 0xCE534355L;
+ public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
+ public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
++
++ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++ /* (CKM_NSS + 29) */ = 0xCE53436DL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++ /* (CKM_NSS + 30) */ = 0xCE53436EL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++ /* (CKM_NSS + 31) */ = 0xCE53436FL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++ /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index d941b574cc7..e2de13648be 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+ break;
+ case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ // retrieve java values
+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+ if (jPbeParamsClass == NULL) { return NULL; }
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+ if (fieldID == NULL) { return NULL; }
+ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+
+ // populate using java values
+ ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+ }
+ }
+
++#define PBKD2_PARAM_SET(member, value) \
++ do { \
++ if(ckParamPtr->version == PARAMS) { \
++ ckParamPtr->params.v1.member = value; \
++ } else { \
++ ckParamPtr->params.v2.member = value; \
++ } \
++ } while(0)
++
++#define PBKD2_PARAM_ADDR(member) \
++ ( \
++ (ckParamPtr->version == PARAMS) ? \
++ (void*) &ckParamPtr->params.v1.member : \
++ (void*) &ckParamPtr->params.v2.member \
++ )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+ * pointer
+ *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+ */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++ VersionedPbkd2ParamsPtr ckParamPtr;
++ ParamVersion paramVersion;
++ CK_ULONG_PTR pUlPasswordLen;
+ jclass jPkcs5Pbkd2ParamsClass;
+ jfieldID fieldID;
+ jlong jSaltSource, jIteration, jPrf;
+- jobject jSaltSourceData, jPrfData;
++ jobject jSaltSourceData, jPrfData, jPassword;
+
+ if (pLength != NULL) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++ if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS;
++ } else if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS2;
++ } else {
++ return NULL;
++ }
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+ if (fieldID == NULL) { return NULL; }
+ jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
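Review bot: The class detection at the top of `jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr` calls `FindClass` for `CLASS_PKCS5_PBKD2_PARAMS2` even when the first `FindClass` returned NULL, i.e. with a Java exception already pending, which JNI does not allow for most calls. It also folds "class lookup failed" and "jParam is neither type" into the same silent `return NULL`. Separating the lookups lets the pending exception propagate and makes the type-mismatch path explicit. The macros `PBKD2_PARAM_SET` and `PBKD2_PARAM_ADDR` implicitly capture the local `ckParamPtr`; a one-line comment saying so, and an `#undef` after the function, would help. The function body continues outside this hunk.

```c
    // retrieve java values
    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
    if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; } // exception pending
    if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
        paramVersion = PARAMS;
    } else {
        jPkcs5Pbkd2ParamsClass =
                (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2);
        if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; } // exception pending
        if (!(*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
            return NULL; // jParam is neither parameter class
        }
        paramVersion = PARAMS2;
    }
    // … unchanged: field lookups starting with saltSource …
```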
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++ if (fieldID == NULL) { return NULL; }
++ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+
+- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++ // allocate memory for VersionedPbkd2Params and store the structure version
++ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+ if (ckParamPtr == NULL) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
++ ckParamPtr->version = paramVersion;
+
+ // populate using java values
+- ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++ jByteArrayToCKByteArray(env, jSaltSourceData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++ PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- ckParamPtr->iterations = jLongToCKULong(jIteration);
+- ckParamPtr->prf = jLongToCKULong(jPrf);
+- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++ jByteArrayToCKByteArray(env, jPrfData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++ PBKD2_PARAM_ADDR(ulPrfDataLen));
++ if ((*env)->ExceptionCheck(env)) {
++ goto cleanup;
++ }
++ if (ckParamPtr->version == PARAMS) {
++ pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++ if (pUlPasswordLen == NULL) {
++ throwOutOfMemoryError(env, 0);
++ goto cleanup;
++ }
++ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++ } else {
++ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++ }
++ jCharArrayToCKUTF8CharArray(env, jPassword,
++ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++ pUlPasswordLen);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+
+ if (pLength != NULL) {
+- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++ *pLength = (ckParamPtr->version == PARAMS ?
++ sizeof(ckParamPtr->params.v1) :
++ sizeof(ckParamPtr->params.v2));
+ }
++ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+ return ckParamPtr;
+ cleanup:
+- free(ckParamPtr->pSaltSourceData);
+- free(ckParamPtr->pPrfData);
++ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+ free(ckParamPtr);
+ return NULL;
+
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+ case CKM_CAMELLIA_CTR:
+ // params do not contain pointers
+ break;
++ case CKM_PKCS5_PBKD2:
++ // get the versioned structure from behind memory
++ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++ "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++ break;
++ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++ break;
+ default:
+ // currently unsupported mechs by SunPKCS11 provider
+ // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+ // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+ // PBE mechs, WTLS mechs, CMS mechs,
+ // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+ // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
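Review bot: The new `CK_PBE_PARAMS` case frees `pInitVector`, `pPassword` and `pSalt` only for `CKM_PBA_SHA1_WITH_SHA1_HMAC` and the four NSS PKCS #12 mechanisms. The p11_convert.c switch also routes `CKM_PBE_SHA1_DES3_EDE_CBC` and `CKM_PBE_SHA1_DES2_EDE_CBC` through `jPbeParamToCKPbeParamPtr`, and they are not listed here. Unless they are handled above this hunk (the switch starts outside it), their buffers reach `default`, whose comment still lists "PBE mechs", and the password copy would not be released. The `CKM_PKCS5_PBKD2` case relies on the parameter having been allocated as a `VersionedPbkd2Params` with the union as its first member; the comment would be clearer as `// pParameter was allocated by jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr as a VersionedPbkd2Params; the version tag follows the union`.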
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+ jboolean* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
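Review bot: The new zero-length short-circuit has no comment explaining why an empty array is now mapped to `NULL_PTR`. The check just below suggests the reason: `calloc(0, …)` may return NULL, which would then be reported as an out-of-memory error. A comment such as `// empty arrays map to NULL_PTR; calloc(0, ...) may return NULL and be mistaken for OOM` would record that. Parenthesising the condition, `*ckpLength = (jArray == NULL) ? 0L : (*env)->GetArrayLength(env, jArray);`, makes the precedence obvious. The same change is repeated in `jByteArrayToCKByteArray`, `jLongArrayToCKULongArray`, `jCharArrayToCKCharArray` and `jCharArrayToCKUTF8CharArray`; each function body continues outside its hunk.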
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+ jbyte* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+ jlong* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+ jchar* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+ jchar* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+
+ #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350)
++/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB 0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL 0x80000373
+
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32)
++
+ /*
+
+ Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++ union {
++ CK_PKCS5_PBKD2_PARAMS v1;
++ CK_PKCS5_PBKD2_PARAMS2 v2;
++ } params;
++ ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \
++ do { \
++ if ((verParamsPtr)->version == PARAMS) { \
++ free((verParamsPtr)->params.v1.pSaltSourceData); \
++ free((verParamsPtr)->params.v1.pPrfData); \
++ free((verParamsPtr)->params.v1.pPassword); \
++ free((verParamsPtr)->params.v1.ulPasswordLen); \
++ } else { \
++ free((verParamsPtr)->params.v2.pSaltSourceData); \
++ free((verParamsPtr)->params.v2.pPrfData); \
++ free((verParamsPtr)->params.v2.pPassword); \
++ } \
++ } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
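Review bot: `FREE_VERSIONED_PBKD2_MEMBERS` releases `pPassword` with a plain `free()`, so the native copy of the password stays in freed heap memory until it is overwritten; the buffer should be cleared before release in both branches. In the v1 layout `ulPasswordLen` is a pointer, so it needs a NULL check before it is dereferenced for the length. The same applies to `free(((CK_PBE_PARAMS_PTR)tmp)->pPassword)` in the p11_util.c `freeCKMechanismPtr` hunk. A plain `memset` before `free` can be elided by an optimizing compiler, so a non-elidable clear is preferable where the platform provides one. The sketch uses `memset` only to show placement.

```c
#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr)                      \
    do {                                                                \
        if ((verParamsPtr)->version == PARAMS) {                        \
            /* … unchanged: free pSaltSourceData, pPrfData … */         \
            if ((verParamsPtr)->params.v1.pPassword != NULL &&          \
                    (verParamsPtr)->params.v1.ulPasswordLen != NULL) {  \
                memset((verParamsPtr)->params.v1.pPassword, 0,          \
                        *((verParamsPtr)->params.v1.ulPasswordLen));    \
            }                                                           \
            /* … unchanged: free pPassword, ulPasswordLen … */          \
        } else {                                                        \
            /* … unchanged: free pSaltSourceData, pPrfData … */         \
            if ((verParamsPtr)->params.v2.pPassword != NULL) {          \
                memset((verParamsPtr)->params.v2.pPassword, 0,          \
                        (verParamsPtr)->params.v2.ulPasswordLen);       \
            }                                                           \
            /* … unchanged: free pPassword … */                         \
        }                                                               \
    } while(0)
```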
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index 8c9e4f9dbe6..883dc04758e 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
deleted file mode 100644
index 51bd6d2..0000000
--- a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-index 70903206ea0..09956084cf9 100644
---- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
- ctx = getLdapCtxFromUrl(
- r.getDomainName(), url, new LdapURL(u), env);
- return ctx;
-+ } catch (AuthenticationException e) {
-+ // do not retry on a different endpoint to avoid blocking
-+ // the user if authentication credentials are wrong.
-+ throw e;
- } catch (NamingException e) {
- // try the next element
- lastException = e;
-@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
- for (String u : urls) {
- try {
- return getUsingURL(u, env);
-+ } catch (AuthenticationException e) {
-+ // do not retry on a different URL to avoid blocking
-+ // the user if authentication credentials are wrong.
-+ throw e;
- } catch (NamingException e) {
- ex = e;
- }
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
deleted file mode 100644
index 2d9ec35..0000000
--- a/SOURCES/nss.fips.cfg.in
+++ /dev/null
@@ -1,8 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
-nssModule = fips
-
-attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
index e999c7e..25c2fc8 100644
--- a/SOURCES/remove-intree-libraries.sh
+++ b/SOURCES/remove-intree-libraries.sh
@@ -5,6 +5,7 @@ TREE=${1}
TYPE=${2}
ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@@ -31,15 +32,21 @@ cd ${TREE}
echo "Removing built-in libs (they will be linked)"
-# On full runs, allow for zlib having already been deleted by minimal
+# On full runs, allow for zlib & freetype having already been deleted by minimal
echo "Removing zlib"
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
-# Minimal is limited to just zlib so finish here
+# Minimal is limited to just zlib and freetype so finish here
if test "x${TYPE}" = "xminimal"; then
echo "Finished.";
exit 0;
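Review bot: The added `rm -rvf ${FREETYPE_SRC}` deletes an unquoted relative path, so it is only correct if the `cd ${TREE}` shown in the hunk header succeeded; the hunk does not show whether the script stops when that `cd` fails. Quoting the expansion and splitting the obsolescent `-a` test keeps the new block robust: `if [ "x${TYPE}" = "xminimal" ] && [ ! -d "${FREETYPE_SRC}" ]; then` and `rm -rvf "${FREETYPE_SRC}"`. The same pattern is used for zlib just above, so both blocks would ideally change together. The script continues past the end of this hunk.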
diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec
index 7f2771d..30ce7ea 100644
--- a/SPECS/java-17-openjdk.spec
+++ b/SPECS/java-17-openjdk.spec
@@ -23,6 +23,8 @@
%bcond_without staticlibs
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -39,6 +41,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -190,11 +202,15 @@
%global staticlibs_loop %{nil}
%endif
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@@ -305,12 +321,8 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 3
+%global updatever 6
%global patchver 0
-# If you bump featurever, you must also bump vendor_version_string
-# Used via new version scheme. JDK 17 was
-# GA'ed in September 2021 => 21.9
-%global vendor_version_string 21.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -325,18 +337,39 @@
%global lts_designator_zip ""
%endif
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
-%global fipsver f8142a23d0a
+%global fipsver 72d08e3226f
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 6
+%global buildver 9
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -362,48 +395,27 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
-%global expected_ea_designator ""
+%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global build_type EA
-%global expected_ea_designator ea
-%global ea_designator_zip -%{expected_ea_designator}
-%global extraver .%{expected_ea_designator}
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
-# Define what url should JVM offer in case of a crash report
-# order may be important, epel may have rhel declared
-%if 0%{?epel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
-%else
-%if 0%{?fedora}
-# Does not work for rawhide, keeps the version field empty
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
-%else
-%if 0%{?rhel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
-%else
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi
-%endif
-%endif
-%endif
-
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
-# installation directory for static libraries
-%global static_libs_root lib/static
-%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
-%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
@@ -415,7 +427,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@@ -810,7 +822,6 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
@@ -820,6 +831,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@@ -869,7 +883,6 @@ exit 0
%dir %{etcjavadir -- %{?1}}/lib
%dir %{etcjavadir -- %{?1}}/lib/security
%{etcjavadir -- %{?1}}/lib/security/cacerts
-%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
%dir %{etcjavadir -- %{?1}}/conf
%dir %{etcjavadir -- %{?1}}/conf/sdp
%dir %{etcjavadir -- %{?1}}/conf/management
@@ -939,7 +952,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@@ -978,11 +991,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@@ -1040,10 +1053,10 @@ exit 0
}
%define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
-%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
%define files_javadoc() %{expand:
@@ -1105,7 +1118,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-Requires: tzdata-java >= 2015d
+# 2022g required as of JDK-8297804
+Requires: tzdata-java >= 2022g
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1118,6 +1132,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1292,8 +1308,11 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
-# nss fips configuration file
-Source17: nss.fips.cfg.in
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
############################################
#
@@ -1338,6 +1357,14 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
Patch1001: fips-17u-%{fipsver}.patch
#############################################
@@ -1345,12 +1372,16 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
-Patch2000: jdk8275535-rh2053256-ldap_auth.patch
#############################################
#
-# OpenJDK patches appearing in 17.0.3
+# OpenJDK patches appearing in 17.0.5
+#
+#############################################
+
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
#
#############################################
@@ -1363,14 +1394,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
-BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: harfbuzz-devel
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@@ -1381,6 +1406,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1390,7 +1417,8 @@ BuildRequires: java-17-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-BuildRequires: tzdata-java >= 2015d
+# 2022g required as of JDK-8297804
+BuildRequires: tzdata-java >= 2022g
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1399,6 +1427,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
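Review bot: The `Provides: bundled(...)` versions added in the `%else` branch are typed by hand, and nothing in this hunk checks them against the headers named in the comments above each line. These values are what vulnerability tracking uses to decide whether the package carries an affected freetype, libpng, lcms2, harfbuzz, giflib or libjpeg, so a stale number after an OpenJDK rebase would hide an exposure. Consider a `%check` step that greps each header for the declared version and fails on a mismatch, or at least a comment such as `# Re-verify every bundled() version against the in-tree header on each rebase`. Since `%bcond_with system_libs` makes the bundled build the default, fixes for these libraries and for the statically linked libstdc++ now arrive only through a JDK rebuild, which is worth stating next to the `libstdc++-static` line.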
@@ -1708,6 +1760,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1746,8 +1800,11 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
+
+%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
+%endif
# Patch the JDK
pushd %{top_level_dir_name}
@@ -1763,7 +1820,25 @@ popd # openjdk
%patch600
-%patch2000
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ exit 17
+fi
# Extract systemtap tapsets
%if %{with_systemtap}
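Review bot: The designator mismatch branch prints `WARNING: Designator mismatch` and then runs `exit 17`, so the message under-states a condition that aborts `%prep`; `echo "ERROR: Designator mismatch";` would match the behaviour. `${VERSION_FILE}` is built from `$(pwd)` and used unquoted in `[ -f ${VERSION_FILE} ]` and in the `grep`, so a build directory containing whitespace would break the test; `"${VERSION_FILE}"` avoids that. If the `grep` matches no line, `UPSTREAM_EA_DESIGNATOR` is empty and compares equal to a GA designator only if that macro expands to nothing, which a short comment could make explicit.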
@@ -1814,11 +1889,7 @@ done
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
-
%build
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1861,22 +1932,12 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
- # The OpenJDK version file includes the current
- # upstream version information. For some reason,
- # configure does not automatically use the
- # default pre-version supplied there (despite
- # what the file claims), so we pass it manually
- # to configure
- VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
- if [ -f ${VERSION_FILE} ] ; then
- EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
+ libc_link_opt="static";
else
- echo "Could not find OpenJDK version file.";
- exit 16
- fi
- if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
- echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
- exit 17
+ libc_link_opt="dynamic";
fi
echo "Using output directory: ${outputdir}";
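Review bot: The new variable `libc_link_opt` is named after libc, but the comment above it and the later `--with-stdc++lib=${libc_link_opt}` configure argument show that it selects the libstdc++ link mode. A name such as `stdcxx_link_opt` would avoid implying that glibc is linked statically. It is also assigned without `local`, unlike `top_dir_abs_src_path` and `top_dir_abs_build_path` just above, so it leaks out of `buildjdk`; `local stdcxx_link_opt` before the `if` fixes that. The body of `buildjdk` starts and ends outside this hunk.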
@@ -1885,11 +1946,15 @@ function buildjdk() {
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
- echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir}
pushd ${outputdir}
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
bash ${top_dir_abs_src_path}/configure \
%ifarch %{zero_arches}
--with-jvm-variants=zero \
@@ -1898,25 +1963,26 @@ function buildjdk() {
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
- --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
- --with-vendor-name="Red Hat, Inc." \
- --with-vendor-url="https://www.redhat.com/" \
- --with-vendor-bug-url="%{bugs}" \
- --with-vendor-vm-bug-url="%{bugs}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
- --with-stdc++lib=dynamic \
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-ldflags="%{ourldflags}" \
@@ -1943,117 +2009,33 @@ function installjdk() {
local imagepath=${1}
if [ -d ${imagepath} ] ; then
- # the build (erroneously) removes read permissions from some jars
- # this is a regression in OpenJDK 7 (our compiler):
- # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
- find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
- # Build screws up permissions on binaries
- # https://bugs.openjdk.java.net/browse/JDK-8173610
- find ${imagepath} -iname '*.so' -exec chmod +x {} \;
- find ${imagepath}/bin/ -exec chmod +x {} \;
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
- # Install nss.cfg right away as we will be using the JRE above
- install -m 644 nss.cfg ${imagepath}/conf/security/
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
- install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
- # Turn on system security properties
- sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
- ${imagepath}/conf/security/java.security
-
- # Use system-wide tzdata
- mv ${imagepath}/lib/tzdb.dat{,.upstream}
- ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
-
- # Rename OpenJDK cacerts database
- mv ${imagepath}/lib/security/cacerts{,.upstream}
- # Install cacerts symlink needed by some apps which hard-code the path
- ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
-
- # Create fake alt-java as a placeholder for future alt-java
- pushd ${imagepath}
- # add alt-java man page
- echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
- cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
- popd
- fi
-}
-
-# Checks on debuginfo must be performed before the files are stripped
-# by the RPM installation stage
-function debugcheckjdk() {
- local imagepath=${1}
-
- if [ -d ${imagepath} ] ; then
-
- so_suffix="so"
- # Check debug symbols are present and can identify code
- find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
- do
- if [ -f "$lib" ] ; then
- echo "Testing $lib for debug symbols"
- # All these tests rely on RPM failing the build if the exit code of any set
- # of piped commands is non-zero.
-
- # Test for .debug_* sections in the shared object. This is the main test
- # Stripped objects will not contain these
- eu-readelf -S "$lib" | grep "] .debug_"
- test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
- # Test FILE symbols. These will most likely be removed by anything that
- # manipulates symbol tables because it's generally useless. So a nice test
- # that nothing has messed with symbols
- old_IFS="$IFS"
- IFS=$'\n'
- for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
- do
- # We expect to see .cpp files, except for architectures like aarch64 and
- # s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
- done
- IFS="$old_IFS"
-
- # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
- if [ "`basename $lib`" = "libjvm.so" ]; then
- eu-readelf -s "$lib" | \
- grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
- fi
-
- # Test that there are no .gnu_debuglink sections pointing to another
- # debuginfo file. There shouldn't be any debuginfo files, so the link makes
- # no sense either
- eu-readelf -S "$lib" | grep 'gnu'
- if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
- echo "bad .gnu_debuglink section."
- eu-readelf -x .gnu_debuglink "$lib"
- false
- fi
- fi
- done
-
- # Make sure gdb can do a backtrace based on line numbers on libjvm.so
- # javaCalls.cpp:58 should map to:
- # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
- # Using line number 1 might cause build problems. See:
- # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
- # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
- gdb -q "${imagepath}/bin/java" < man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
fi
}
@@ -2083,12 +2065,13 @@ for suffix in %{build_loop} ; do
bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then
+ link_opt="%{link_type}"
+%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
- # Use system libraries
- link_opt="system"
+%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@@ -2106,9 +2089,11 @@ for suffix in %{build_loop} ; do
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
+%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@@ -2123,12 +2108,154 @@ for suffix in %{build_loop} ; do
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
- # Check debug symbols were built into the dynamic libraries
- debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+ # Print release information
+ cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
# build cycles
done # end of release / debug cycle loop
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Pre-test setup
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+so_suffix="so"
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" < install -> test
-export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
-
-#check Shenandoah is enabled
-%if %{use_shenandoah_hotspot}
-$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
-%endif
-
-# Check unlimited policy has been used
-$JAVA_HOME/bin/javac -d . %{SOURCE13}
-$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
-
-# Check ECC is working
-$JAVA_HOME/bin/javac -d . %{SOURCE14}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-
-# Check system crypto (policy) is active and can be disabled
-# Test takes a single argument - true or false - to state whether system
-# security properties are enabled or not.
-$JAVA_HOME/bin/javac -d . %{SOURCE15}
-export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
-export SEC_DEBUG="-Djava.security.debug=properties"
-$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
-$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-
-# Check java launcher has no SSB mitigation
-if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
-
-# Check alt-java launcher has SSB mitigation on supported architectures
-%ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
-%else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
-%endif
-
-%if %{include_staticlibs}
-# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
-readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
-readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
-%endif
-
-# Check src.zip has all sources. See RHBZ#1130490
-unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
-
-# Check class files include useful debugging information
-$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
-$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
-$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
-
-# Check generated class files include useful debugging information
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-
-# build cycles check
-done
-
%if %{include_normal_build}
# intentionally only for non-debug
%pretrans headless -p
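Review bot: The negative SSB checks in the new `%check`, `if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi` and the matching `%else` line for `%{alt_java_name}`, also pass when `nm` itself fails, because only the exit status of `grep` is tested unless the scriptlet runs with pipefail, which the hunk does not show. A missing or unreadable launcher would therefore be reported as "no mitigation present" rather than as an error. Capturing the symbols first makes the failure visible: `syms=$(nm "$JAVA_HOME/bin/java")` followed by `if echo "$syms" | grep set_speculation ; then false ; fi`. The added Shenandoah line also uses `$JAVA_HOME//bin/java` with a doubled slash, which is harmless but inconsistent with the other invocations.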
@@ -2552,6 +2621,135 @@ require "copy_jdk_configs.lua"
%endif
%changelog
+* Wed Jan 04 2023 Andrew Hughes - 1:17.0.6.0.9-0.3.ea
+- Update to jdk-17.0.6+9
+- Update release notes to 17.0.6+9
+- Drop local copy of JDK-8293834 now this is upstream
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- Resolves: rhbz#2150195
+
+* Sat Dec 03 2022 Andrew Hughes - 1:17.0.6.0.1-0.3.ea
+- Update to jdk-17.0.6+1
+- Update release notes to 17.0.6+1
+- Switch to EA mode for 17.0.6 pre-release builds.
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Drop JDK-8275535 local patch now this has been accepted and backported upstream
+- Bump tzdata requirement to 2022e now the package is available in RHEL
+- Related: rhbz#2150195
+
+* Wed Nov 23 2022 Andrew Hughes - 1:17.0.5.0.8-5
+- Update FIPS support to bring in latest changes
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
+- Resolves: rhbz#2117972
+
+* Wed Oct 26 2022 Andrew Hughes - 1:17.0.5.0.8-2
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
+- Remove freetype sources along with zlib sources
+- Resolves: rhbz#2133695
+
+* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea
+- Update to jdk-17.0.5+7
+- Update release notes to 17.0.5+7
+- Drop JDK-8288985 patch that is now upstream
+- Resolves: rhbz#2130617
+
+* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.2.ea
+- Update to jdk-17.0.5+1
+- Update release notes to 17.0.5+1
+- Switch to EA mode for 17.0.5 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+- Related: rhbz#2130617
+
+* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-6
+- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
+- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
+- Resolves: rhbz#2006351
+
+* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121263
+
+* Mon Aug 29 2022 Stephan Bergmann - 1:17.0.4.1.1-4
+- Fix flatpak builds (catering for their uncompressed manual pages)
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102734
+
+* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-3
+- Update FIPS support to bring in latest changes
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2104724
+- Resolves: rhbz#2092507
+- Resolves: rhbz#2048582
+- Resolves: rhbz#2020290
+
+* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-2
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119531
+
+* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-3
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
+- Switch to GA mode for release
+- Resolves: rhbz#2106522
+
+* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea
+- Revert the following changes until copy-java-configs has adapted to relative symlinks:
+- * Move cacerts replacement to install section and retain original of this and tzdb.dat
+- * Run tests on the installed image, rather than the build image
+- * Introduce variables to refer to the static library installation directories
+- * Use relative symlinks so they work within the image
+- * Run debug symbols check during build stage, before the install strips them
+- The move of turning on system security properties is retained so we don't ship with them off
+- Related: rhbz#2100674
+
+* Wed Jul 20 2022 Jiri Vanek - 1:17.0.4.0.7-0.2.ea
+- retutrned absolute symlinks
+- relative symlinks are breaking cjc, and deeper investigations are necessary
+-- why cjc intentionally skips relative symllinks
+- images have to be workarounded differently
+- Related: rhbz#2100674
+
+* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.4.0+7
+- Update release notes to 17.0.4.0+7
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+- Resolves: rhbz#2083316
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2083316
+
* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6
- Fix whitespace in spec file
- Related: rhbz#2100674