Merge branch 'c8' into a8-portable

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk17u-jdk-17.0.8+7.tar.xz
+SOURCES/openjdk-17.0.9+9.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-17-openjdk.metadata

@@ -1,2 +1,2 @@
-e7d88f78da7625ba448daacff2d9995367eef250 SOURCES/openjdk-jdk17u-jdk-17.0.8+7.tar.xz
+a58b92201b1d3e26d8375f67708fe2e740cd39eb SOURCES/openjdk-17.0.9+9.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/fips-17u-51e1d00be4e.patch

@@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80
 +  AC_SUBST(NSS_LIBDIR)
 +])
 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
-index a65d91ee974..a8f054c1397 100644
+index 366682cf044..1f8d782f419 100644
 --- a/make/autoconf/libraries.m4
 +++ b/make/autoconf/libraries.m4
 @@ -33,6 +33,7 @@ m4_include([lib-std.m4])
@@ -2508,7 +2508,7 @@ index 00000000000..dc8bc72fccb
 +    }
 +}
 diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index fab52688c04..29337576f37 100644
+index 9be02033877..4dd055a9ccf 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
 @@ -82,6 +82,17 @@ security.provider.tbd=Apple
@@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815
 +}
 \ No newline at end of file
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 9b69072280e..5696b904979 100644
+index 0736ce997e4..0a937fef377 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 @@ -37,6 +37,8 @@ import javax.crypto.*;
@@ -3518,18 +3518,18 @@ index 9b69072280e..5696b904979 100644
      private static final long serialVersionUID = -2575874101938349339L;
  
      private static final String PUBLIC = "public";
-@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length {
+@@ -139,9 +144,7 @@ abstract class P11Key implements Key, Length {
          this.tokenObject = tokenObject;
          this.sensitive = sensitive;
          this.extractable = extractable;
 -        char[] tokenLabel = this.token.tokenInfo.label;
--        boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
+-        isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
 -                && tokenLabel[2] == 'S');
-+        boolean isNSS = P11Util.isNSS(this.token);
++        isNSS = P11Util.isNSS(this.token);
          boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS &&
                  extractable && !tokenObject);
          this.keyIDHolder = new NativeKeyHolder(this, keyID, session,
-@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length {
+@@ -383,7 +386,9 @@ abstract class P11Key implements Key, Length {
              new CK_ATTRIBUTE(CKA_SENSITIVE),
              new CK_ATTRIBUTE(CKA_EXTRACTABLE),
          });
@@ -3540,13 +3540,13 @@ index 9b69072280e..5696b904979 100644
              return new P11PrivateKey
                  (session, keyID, algorithm, keyLength, attributes);
          } else {
-@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length {
+@@ -465,7 +470,8 @@ abstract class P11Key implements Key, Length {
          }
          public String getFormat() {
              token.ensureValid();
--            if (sensitive || (extractable == false)) {
+-            if (sensitive || !extractable || (isNSS && tokenObject)) {
 +            if (!plainKeySupportEnabled &&
-+                    (sensitive || (extractable == false))) {
++                    (sensitive || !extractable || (isNSS && tokenObject))) {
                  return null;
              } else {
                  return "RAW";

SOURCES/java-17-openjdk-portable.specfile

@@ -27,7 +27,7 @@
 # Enable static library builds by default.
 %bcond_without staticlibs
 # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
-%bcond_without fresh_libjvm
+%bcond_with fresh_libjvm
 # Build with system libraries
 %bcond_with system_libs
 
@@ -326,7 +326,7 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 8
+%global updatever 9
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -355,7 +355,7 @@
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
 %else
 %if 0%{?rhel}
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%global oj_vendor_bug_url https://access.redhat.com/support/cases/
 %else
 %global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
 %endif
@@ -366,14 +366,22 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver bf363eecce3
+%global fipsver 51e1d00be4e
+%global javaver         %{featurever}
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
 
 # Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
-%global top_level_dir_name   %{origin}
+%global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        7
+%global buildver        9
 %global rpmrelease      1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -388,14 +396,6 @@
 # for techpreview, using 1, so slowdebugs can have 0
 %global priority %( printf '%08d' 1 )
 %endif
-%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-%global javaver         %{featurever}
-
-# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
-%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
-
-# The tag used to create the OpenJDK tarball
-%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
 
 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
@@ -405,7 +405,7 @@
 %if %{is_ga}
 %global build_type GA
 %global ea_designator ""
-%global ea_designator_zip ""
+%global ea_designator_zip %{nil}
 %global extraver %{nil}
 %global eaprefix %{nil}
 %else
@@ -560,7 +560,7 @@ URL:      http://openjdk.java.net/
 
 
 # The source tarball, generated using generate_source_tarball.sh
-Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
+Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz
 
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
@@ -659,9 +659,11 @@ Patch1001: fips-17u-%{fipsver}.patch
 
 #############################################
 #
-# OpenJDK patches appearing in 17.0.8
+# OpenJDK patches appearing in 17.0.10
 #
 #############################################
+# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+Patch2000: jdk8312489-max_sig_default_increase.patch
 
 #############################################
 #
@@ -737,17 +739,17 @@ BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 %else
 # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.12.1
+Provides: bundled(freetype) = 2.13.0
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
 Provides: bundled(giflib) = 5.2.1
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 7.0.1
+Provides: bundled(harfbuzz) = 7.2.0
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.15.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
+Provides: bundled(libpng) = 1.6.39
 # We link statically against libstdc++ to increase portability
 BuildRequires: libstdc++-static
 %endif
@@ -947,9 +949,12 @@ pushd %{top_level_dir_name}
 %patch1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
 %patch1000 -p1
+# JDK-8312489 backport, coming in 17.0.10
+%patch2000 -p1
+# alt-java support
+%patch600 -p1
 popd # openjdk
 
-%patch600
 
 # The OpenJDK version file includes the current
 # upstream version information. For some reason,
@@ -1692,6 +1697,29 @@ done
 %{_jvmdir}/%{miscportablearchive}.sha256sum
 
 %changelog
+* Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
+- Update to jdk-17.0.9+9 (GA)
+- Update release notes to 17.0.9+9
+- Re-generate FIPS patch against 17.0.9+1 following backport of JDK-8209398
+- Bump libpng version to 1.6.39 following JDK-8305815
+- Bump HarfBuzz version to 7.2.0 following JDK-8307301
+- Bump freetype version to 2.13.0 following JDK-8306881
+- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
+- Sync generate_tarball.sh with 11u version
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Use upstream release URL for OpenJDK source
+- Apply all patches using -p1
+- Temporarily turn off 'fresh_libjvm' due to removal of JVM_IsThreadAlive (JDK-8305425)
+- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
+
+* Sat Sep 02 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.8.1.1-1
+- Update to jdk-17.0.8.1+1 (GA)
+- Update release notes to 17.0.8.1+1
+- Add backport of JDK-8312489 already upstream in 17.0.10 (see OPENJDK-2095)
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+
 * Fri Jul 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.8.0.7-1
 - Update to jdk-17.0.8+7 (GA)
 - Update release notes to 17.0.8+7

SOURCES/jdk8312489-max_sig_default_increase.patch

@@ -0,0 +1,50 @@
+commit 5b613e3ebed6c141146e743e64c894fe4f39421e
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Fri Sep 1 15:53:41 2023 +0000
+
+    8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+    
+    Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750
+
+diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java
+index bd538649a4f..70cf99504e4 100644
+--- a/src/java.base/share/classes/java/util/jar/JarFile.java
++++ b/src/java.base/share/classes/java/util/jar/JarFile.java
+@@ -803,7 +803,9 @@ private byte[] getBytes(ZipEntry ze) throws IOException {
+                 throw new IOException("Unsupported size: " + uncompressedSize +
+                         " for JarEntry " + ze.getName() +
+                         ". Allowed max size: " +
+-                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes");
++                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " +
++                        "You can use the jdk.jar.maxSignatureFileSize " +
++                        "system property to increase the default value.");
+             }
+             int len = (int)uncompressedSize;
+             int bytesRead;
+diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
+index 4ea9255ba0a..05acdcb9474 100644
+--- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
++++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
+@@ -856,16 +856,16 @@ private static int initializeMaxSigFileSize() {
+          * the maximum allowed number of bytes for the signature-related files
+          * in a JAR file.
+          */
+-        Integer tmp = GetIntegerAction.privilegedGetProperty(
+-                "jdk.jar.maxSignatureFileSize", 8000000);
++        int tmp = GetIntegerAction.privilegedGetProperty(
++                "jdk.jar.maxSignatureFileSize", 16000000);
+         if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
+             if (debug != null) {
+-                debug.println("Default signature file size 8000000 bytes " +
+-                        "is used as the specified size for the " +
+-                        "jdk.jar.maxSignatureFileSize system property " +
++                debug.println("The default signature file size of 16000000 bytes " +
++                        "will be used for the jdk.jar.maxSignatureFileSize " +
++                        "system property since the specified value " +
+                         "is out of range: " + tmp);
+             }
+-            tmp = 8000000;
++            tmp = 16000000;
+         }
+         return tmp;
+     }