Compare commits

No commits in common. "imports/c9/java-17-openjdk-17.0.4.1.1-2.el9_0" and "c8-beta" have entirely different histories.

10 changed files with 1537 additions and 454 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
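Review bot: The `+9` build tag in the new tarball name on the first line (`openjdk-jdk17u-jdk-17.0.6+9.tar.xz`) is not tied to anything else visible in this change; state in the changelog which upstream tag it corresponds to, so that this entry, the checksum recorded for the same file and the "New in release OpenJDK 17.0.6" heading in the release notes can be cross-checked against one another. The tapsets line is identical on both sides.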

@ -1,2 +1,2 @@
f57ddb82318be77e9304b68bdf671043fa83662a SOURCES/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz 95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
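Review bot: The digest recorded for `SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz` on the first line is 40 hex digits, i.e. SHA-1, which no longer provides collision resistance and is a weak pin for a source tarball. If the lookaside tooling accepts a stronger digest, record SHA-256 for the new tarball, and in either case check the downloaded file against the upstream-published checksum or signature before relying on this value. The tapsets line carries the same digest and file name on both sides, which is consistent with that source being left untouched.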

@ -3,6 +3,653 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.6 (2023-01-17):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1706
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
* Other changes
- JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
- JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
- JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
- JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails
- JDK-8029633: Raw inner class constructor ref should not perform diamond inference
- JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails
- JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
- JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
- JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
- JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java
- JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout
- JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails
- JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...'
- JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
- JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs
- JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos
- JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos
- JDK-8244670: convert clhsdb "whatis" command from javascript to java
- JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives.
- JDK-8255439: System Tray icons get corrupted when Windows scaling changes
- JDK-8256811: Delayed/missed jdwp class unloading events
- JDK-8257722: Improve "keytool -printcert -jarfile" output
- JDK-8262721: Add Tests to verify single iteration loops are properly optimized
- JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) operation
- JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
- JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al
- JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java
- JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow"
- JDK-8268276: Base64 Decoding optimization for x86 using AVX-512
- JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
- JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
- JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs
- JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512
- JDK-8269571: NMT should print total malloc bytes and invocation count
- JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m)
- JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter
- JDK-8270155: ARM32: Improve register dump in hs_err
- JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
- JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns.
- JDK-8270947: AArch64: C1: use zero_words to initialize all objects
- JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts
- JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah
- JDK-8271956: AArch64: C1 build failed after JDK-8270947
- JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
- JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64
- JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag
- JDK-8272776: NullPointerException not reported
- JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947
- JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains
- JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java
- JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
- JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints
- JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long
- JDK-8273459: Update code segment alignment to 64 bytes
- JDK-8273497: building.md should link to both md and html
- JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
- JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12
- JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction
- JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled
- JDK-8273881: Metaspace: test repeated deallocations
- JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java
- JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI
- JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high
- JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS
- JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java
- JDK-8274527: Minimal VM build fails after JDK-8273459
- JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
- JDK-8274903: Zero: Support AsyncGetCallTrace
- JDK-8275170: Some jtreg sound tests should be marked with sound keyword
- JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList
- JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
- JDK-8275569: Add linux-aarch64 to test-make profiles
- JDK-8276108: Wrong instruction generation in aarch64 backend
- JDK-8276904: Optional.toString() is unnecessarily expensive
- JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM"
- JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64
- JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
- JDK-8277358: Accelerate CRC32-C
- JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
- JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64
- JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64
- JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64
- JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size
- JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
- JDK-8277928: Fix compilation on macosx-aarch64 after 8276108
- JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch"
- JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing)
- JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore
- JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
- JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out
- JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC
- JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails
- JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines
- JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes
- JDK-8280234: AArch64 "core" variant does not build after JDK-8270947
- JDK-8280391: NMT: Correct NMT tag on CollectedHeap
- JDK-8280511: AArch64: Combine shift and negate to a single instruction
- JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered
- JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object
- JDK-8280872: Reorder code cache segments to improve code density
- JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
- JDK-8280948: Write a regression test for JDK-4659800
- JDK-8281296: Create a regression test for JDK-4515999
- JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points
- JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores
- JDK-8282276: Problem list failing two Robot Screen Capture tests
- JDK-8282347: AARCH64: Untaken branch in has_negatives stub
- JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
- JDK-8282402: Create a regression test for JDK-4666101
- JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
- JDK-8282528: AArch64: Incorrect replicate2L_zero rule
- JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
- JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1
- JDK-8282730: LdapLoginModule throw NPE from logout method after login failure
- JDK-8282777: Create a Regression test for JDK-4515031
- JDK-8282857: Create a regression test for JDK-4702690
- JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
- JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup
- JDK-8283298: Make CodeCacheSegmentSize a product flag
- JDK-8283337: Posix signal handler modification warning triggering incorrectly
- JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32
- JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
- JDK-8283999: Update JMH devkit to 1.35
- JDK-8284533: Improve InterpreterCodelet data footprint
- JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction"
- JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
- JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X
- JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation
- JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
- JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently
- JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot
- JDK-8285093: Introduce UTIL_ARG_WITH
- JDK-8285305: Create an automated test for JDK-4495286
- JDK-8285373: Create an automated test for JDK-4702233
- JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)"
- JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
- JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java
- JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox
- JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment
- JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server"
- JDK-8286172: Create an automated test for JDK-4516019
- JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3"
- JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable
- JDK-8286452: The array length of testSmallConstArray should be small and const
- JDK-8286460: Remove dependence on JAR filename in CDS tests
- JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2
- JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
- JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray
- JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows
- JDK-8286872: Refactor add/modify notification icon (TrayIcon)
- JDK-8287011: Improve container information
- JDK-8287076: Document.normalizeDocument() produces different results
- JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance
- JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
- JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative
- JDK-8287740: NSAccessibilityShowMenuAction not working for text editors
- JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile
- JDK-8288132: Update test artifacts in QuoVadis CA interop tests
- JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces
- JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable
- JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
- JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name
- JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support
- JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output
- JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented
- JDK-8289301: P11Cipher should not throw out of bounds exception during padding
- JDK-8289524: Add JFR JIT restart event
- JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException
- JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https
- JDK-8290207: Missing notice in dom.md
- JDK-8290209: jcup.md missing additional text
- JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier()
- JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1
- JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure
- JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes
- JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS
- JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
- JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize
- JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
- JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false"
- JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM
- JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false
- JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
- JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
- JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
- JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath
- JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region
- JDK-8292083: Detected container memory limit may exceed physical machine memory
- JDK-8292158: AES-CTR cipher state corruption with AVX-512
- JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out
- JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
- JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle
- JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update
- JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
- JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
- JDK-8292816: GPL Classpath exception missing from assemblyprefix.h
- JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures
- JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading
- JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java
- JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6
- JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform
- JDK-8292903: enhance round_up_power_of_2 assertion output
- JDK-8293010: JDI ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking
- JDK-8293044: C1: Missing access check on non-accessible class
- JDK-8293232: Fix race condition in pkcs11 SessionManager
- JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
- JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
- JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint
- JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx
- JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
- JDK-8293550: Optionally add get-task-allow entitlement to macos binaries
- JDK-8293578: Duplicate ldc generated by javac
- JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
- JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details
- JDK-8293672: Update freetype md file
- JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present
- JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception
- JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
- JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent
- JDK-8293826: Closed test fails after JDK-8276108 on aarch64
- JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
- JDK-8293834: Update CLDR data following tzdata 2022c update
- JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum
- JDK-8293965: Code signing warnings after JDK-8293550
- JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- JDK-8294307: ISO 4217 Amendment 173 Update
- JDK-8294310: compare.sh fails on macos after JDK-8293550
- JDK-8294357: (tz) Update Timezone Data to 2022d
- JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode
- JDK-8294740: Add cgroups keyword to TestDockerBasic.java
- JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md
- JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator
- JDK-8295173: (tz) Update Timezone Data to 2022e
- JDK-8295288: Some vm_flags tests associate with a wrong BugID
- JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests
- JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp
- JDK-8295419: JFR: Change name of jdk.JitRestart
- JDK-8295429: Update harfbuzz md file
- JDK-8295469: S390X: Optimized builds are broken
- JDK-8295554: Move the "sizecalc.h" to the correct location
- JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
- JDK-8295714: GHA ::set-output is deprecated and will be removed
- JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor
- JDK-8295952: Problemlist existing compiler/rtm tests also on x86
- JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM
- JDK-8296108: (tz) Update Timezone Data to 2022f
- JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
- JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
- JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation
- JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
- JDK-8296715: CLDR v42 update for tzdata 2022f
- JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
- JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds
- JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value
- JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
- JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes
- JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
- JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
- JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
- JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used
- JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again
- JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
- JDK-8297309: Memory leak in ShenandoahFullGC
- JDK-8297481: Create a regression test for JDK-4424517
- JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation
- JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run
- JDK-8297656: AArch64: Enable AES/GCM Intrinsics
- JDK-8297804: (tz) Update Timezone Data to 2022g
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
==========================================================================================================
Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to
hold principals and credentials so that it rejected null
values. Attempts to call add(null), contains(null) or remove(null)
were changed to throw a NullPointerException.
However, the logout() methods in the LoginModule implementations
within the JDK were not updated to check for null values, which may
occur in the event of a failed login. As a result, a logout() call may
throw a NullPointerException.
The LoginModule implementations have now been updated with such checks
and an implementation note added to the specification to suggest that
the same change is made in third party modules. Developers of third
party modules are advised to verify that their logout() method does not
throw a NullPointerException.
New in release OpenJDK 17.0.5 (2022-10-18):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1705
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html
* Security fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526, CVE-2022-21619: Improve NTLM support
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- JDK-8286918, CVE-2022-21628: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1
* Other changes
- JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
- JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
- JDK-7131823: bug in GIFImageReader
- JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
- JDK-8028265: Add legacy tz tests to OpenJDK
- JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
- JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails
- JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
- JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
- JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
- JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test.
- JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values
- JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
- JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
- JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
- JDK-8227651: Tests fail with SSLProtocolException: Input record too big
- JDK-8240903: Add test to check that jmod hashes are reproducible
- JDK-8254318: Remove .hgtags
- JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
- JDK-8256844: Make NMT late-initializable
- JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom"
- JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class
- JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
- JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled"
- JDK-8269039: Disable SHA-1 Signed JARs
- JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr
- JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
- JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
- JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
- JDK-8271344: Windows product version issue
- JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
- JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData
- JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals
- JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null]
- JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
- JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts
- JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
- JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms
- JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
- JDK-8274597: Some of the dnd tests time out and fail intermittently
- JDK-8274856: Failing jpackage tests with fastdebug/release build
- JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
- JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
- JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold
- JDK-8276837: [macos]: Error when signing the additional launcher
- JDK-8277429: Conflicting jpackage static library name
- JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged"
- JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
- JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
- JDK-8278311: Debian packaging doesn't work
- JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
- JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
- JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
- JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
- JDK-8279622: C2: miscompilation of map pattern as a vector reduction
- JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
- JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
- JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
- JDK-8280863: Update build README to reflect that MSYS2 is supported
- JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
- JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism
- JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
- JDK-8281181: Do not use CPU Shares to compute active processor count
- JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
- JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted)
- JDK-8281535: Create a regression test for JDK-4670051
- JDK-8281569: Create tests for Frame.setMinimumSize() method
- JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
- JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
- JDK-8281745: Create a regression test for JDK-4514331
- JDK-8281988: Create a regression test for JDK-4618767
- JDK-8282007: Assorted enhancements to jpackage testing framework
- JDK-8282046: Create a regression test for JDK-8000326
- JDK-8282214: Upgrade JQuery to version 3.6.0
- JDK-8282234: Create a regression test for JDK-4532513
- JDK-8282280: Update Xerces to Version 2.12.2
- JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
- JDK-8282343: Create a regression test for JDK-4518432
- JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
- JDK-8282407: Missing ')' in MacResources.properties
- JDK-8282467: add extra diagnostics for JDK-8268184
- JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
- JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- JDK-8282548: Create a regression test for JDK-4330998
- JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
- JDK-8282640: Create a test for JDK-4740761
- JDK-8282778: Create a regression test for JDK-4699544
- JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
- JDK-8282860: Write a regression test for JDK-4164779
- JDK-8282933: Create a test for JDK-4529616
- JDK-8282936: Write a regression test for JDK-4615365
- JDK-8282937: Write a regression test for JDK-4820080
- JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
- JDK-8283015: Create a test for JDK-4715496
- JDK-8283087: Create a test or JDK-4715503
- JDK-8283245: Create a test for JDK-4670319
- JDK-8283277: ISO 4217 Amendment 171 Update
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- JDK-8283457: [macos] libpng build failures with Xcode13.3
- JDK-8283493: Create an automated regression test for RFE 4231298
- JDK-8283507: Create a regression test for RFE 4287690
- JDK-8283562: JDK-8282306 breaks gtests on zero
- JDK-8283597: [REDO] Invalid generic signature for redefined classes
- JDK-8283621: Write a regression test for CCC4400728
- JDK-8283623: Create an automated regression test for JDK-4525475
- JDK-8283624: Create an automated regression test for RFE-4390885
- JDK-8283712: Create a manual test framework class
- JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
- JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
- JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
- JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
- JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
- JDK-8284077: Create an automated test for JDK-4170173
- JDK-8284294: Create an automated regression test for RFE 4138746
- JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
- JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
- JDK-8284521: Write an automated regression test for RFE 4371575
- JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
- JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
- JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
- JDK-8284686: Interval of < 1 ms disables ExecutionSample events
- JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
- JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
- JDK-8284898: Enhance PassFailJFrame
- JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
- JDK-8284950: CgroupV1 detection code should consider memory.swappiness
- JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
- JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
- JDK-8285081: Improve XPath operators count accuracy
- JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
- JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
- JDK-8285380: Fix typos in security
- JDK-8285398: Cache the results of constraint checks
- JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
- JDK-8285693: Create an automated test for JDK-4702199
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
- JDK-8285730: unify _WIN32_WINNT settings
- JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
- JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
- JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
- JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
- JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
- JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
- JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
- JDK-8286277: CDS VerifyError when calling clone() on object array
- JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
- JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
- JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
- JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
- JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
- JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
- JDK-8286869: unify os::dir_is_empty across posix platforms
- JDK-8286870: Memory leak with RepeatCompilation
- JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
- JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
- JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
- JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
- JDK-8287113: JFR: Periodic task thread uses period for method sampling events
- JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
- JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
- JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
- JDK-8287366: Improve test failure reporting in GHA
- JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
- JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
- JDK-8287463: JFR: Disable TestDevNull.java on Windows
- JDK-8287663: Add a regression test for JDK-8287073
- JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
- JDK-8287724: Fix various issues with msys2
- JDK-8287735: Provide separate event category for dll operations
- JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
- JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
- JDK-8287895: Some langtools tests fail on msys2
- JDK-8287896: PropertiesTest.sh fail on msys2
- JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
- JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
- JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
- JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
- JDK-8288003: log events for os::dll_unload
- JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
- JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
- JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
- JDK-8288467: remove memory_operand assert for spilled instructions
- JDK-8288499: Restore cancel-in-progress in GHA
- JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
- JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
- JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
- JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
- JDK-8288992: AArch64: CMN should be handled the same way as CMP
- JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
- JDK-8289147: unify os::infinite_sleep on posix platforms
- JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
- JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
- JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
- JDK-8289486: Improve XSLT XPath operators count efficiency
- JDK-8289549: ISO 4217 Amendment 172 Update
- JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
- JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
- JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
- JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
- JDK-8289910: unify os::message_box across posix platforms
- JDK-8290000: Bump macOS GitHub actions to macOS 11
- JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
- JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
- JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
- JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
- JDK-8290456: remove os::print_statistics()
- JDK-8291595: [17u] Delete files missed in backport of 8269039
- JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
- JDK-8292579: (tz) Update Timezone Data to 2022c
- JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
===========================================================================
Two system properties have been added which control the keep alive
behavior of HttpURLConnection in the case where the server does not
specify a keep alive time. Two properties are defined for controlling
connections to servers and proxies separately. They are:
* `http.keepAlive.time.server`
* `http.keepAlive.time.proxy`
respectively. More information about them can be found on the
Networking Properties page:
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
security-libs/javax.crypto:
JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location
=====================================================================================
The Windows KeyStore support in the SunMSCAPI provider has been
expanded to include access to the local machine location. The new
keystore types are:
* "Windows-MY-LOCALMACHINE"
* "Windows-ROOT-LOCALMACHINE"
The following keystore types were also added, allowing developers to
make it clear they map to the current user:
* "Windows-MY-CURRENTUSER" (same as "Windows-MY")
* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")
JDK-8286918: Better HttpServer service
======================================
The HttpServer can be optionally configured with a maximum connection
limit by setting the jdk.httpserver.maxConnections system property. A
value of 0 or a negative integer is ignored and considered to
represent no connection limit. In the case of a positive integer
value, any newly accepted connections will be first checked against
the current count of established connections and, if the configured
limit has been reached, then the newly accepted connection will be
closed immediately.
hotspot/runtime:
JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
=====================================================================
Previous JDK releases used an incorrect interpretation of the Linux
cgroups parameter "cpu.shares". This might cause the JVM to use fewer
CPUs than available, leading to an under utilization of CPU resources
when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer
considers "cpu.shares" when deciding the number of threads to be used
by the various thread pools. The `-XX:+UseContainerCpuShares`
command-line option can be used to revert to the previous
behavior. This option is deprecated and may be removed in a future JDK
release.
security-libs/java.security:
JDK-8269039: Disabled SHA-1 Signed JARs
=======================================
JARs signed with SHA-1 algorithms are now restricted by default and
treated as if they were unsigned. This applies to the algorithms used
to digest, sign, and optionally timestamp the JAR. It also applies to
the signature and digest algorithms of the certificates in the
certificate chain of the code signer and the Timestamp Authority, and
any CRLs or OCSP responses that are used to verify if those
certificates have been revoked. These restrictions also apply to
signed JCE providers.
To reduce the compatibility risk for JARs that have been previously
timestamped, there is one exception to this policy:
- Any JAR signed with SHA-1 algorithms and timestamped prior to
January 01, 2019 will not be restricted.
This exception may be removed in a future JDK release. To determine if
your signed JARs are affected by this change, run:
$ jarsigner -verify -verbose -certs`
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
"disabled" and a warning that the JAR will be treated as unsigned in
the output.
For example:
Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or
re-signed with stronger algorithms.
Users can, *at their own risk*, remove these restrictions by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) and removing "SHA1 usage
SignedJAR & denyAfter 2019-01-01" from the
`jdk.certpath.disabledAlgorithms` security property and "SHA1
denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
property.
New in release OpenJDK 17.0.4.1 (2022-08-16): New in release OpenJDK 17.0.4.1 (2022-08-16):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:
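Review bot: In the JDK-8269039 note, the "$ jarsigner -verify -verbose -certs" line ends in a stray backtick and has no JAR operand, so it cannot be pasted as written. Drop the backtick and add a placeholder for the file, for example "$ jarsigner -verify -verbose -certs <signed.jar>" (the placeholder name is a suggestion). The JDK-8286918 note also sits directly under the security-libs/javax.crypto heading although it describes the jdk.httpserver.maxConnections property; it reads as misfiled and would be easier to find under a component heading of its own.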
@ -32,6 +679,7 @@ Live versions of these release notes can be found at:
* Security fixes * Security fixes
- JDK-8272243: Improve DER parsing - JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties - JDK-8272249: Better properties of loaded Properties
- JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8277608: Address IP Addressing - JDK-8277608: Address IP Addressing
- JDK-8281859, CVE-2022-21540: Improve class compilation - JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
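Review bot: The new Security fixes entry pairs JDK-8273056 with JDK-8283875 and CVE-2022-21549, but the only matching removal visible in the Other changes list further down is the JDK-8273056 line. Please confirm JDK-8283875 is not still listed there, so the same fix is not reported both as a security and as a non-security change. Because this rewrites the notes of the already released 17.0.4.1, a changelog line saying the CVE attribution was added after the fact would help anyone comparing advisories against older copies of this file.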
@ -86,7 +734,6 @@ Live versions of these release notes can be found at:
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests

View File

@ -15,20 +15,145 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. along with this program. If not, see <http://www.gnu.org/licenses/>.
*/ */
import java.util.Arrays; import java.text.DateFormatSymbols;
import java.util.Locale;
import java.util.ResourceBundle;
import sun.util.resources.LocaleData; import java.time.ZoneId;
import sun.util.locale.provider.LocaleProviderAdapter; import java.time.format.TextStyle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Locale;
import java.util.Objects;
import java.util.TimeZone;
public class TestTranslations { public class TestTranslations {
private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
static {
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
"Eastern European Summer Time", "GMT+03:00", "EEST",
"Eastern European Time", "GMT+02:00", "EET"});
map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
"heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
"heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
KYIV = Collections.unmodifiableMap(map);
map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
"Mountain Daylight Time", "MDT", "MDT",
"Mountain Time", "MT", "MT"});
map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
"heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
"heure des Rocheuses", "UTC\u221207:00", "MT"});
map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST",
"Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
"Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
}
public static void main(String[] args) { public static void main(String[] args) {
for (String zone : args) { if (args.length < 1) {
System.out.printf("Translations for %s\n", zone); System.err.println("Test must be started with the name of the locale provider.");
for (Locale l : Locale.getAvailableLocales()) { System.exit(1);
ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l); }
System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
System.out.println("Checking sanity of full zone string set...");
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
.peek(l -> System.out.println("Locale: " + l))
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
.flatMap(zs -> Arrays.stream(zs))
.flatMap(names -> Arrays.stream(names))
.filter(name -> Objects.isNull(name) || name.isEmpty())
.findAny()
.isPresent();
if (invalid) {
System.err.println("Zone string for a locale returned null or empty string");
System.exit(2);
}
String localeProvider = args[0];
testZone(localeProvider, KYIV,
new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
testZone(localeProvider, CIUDAD_JUAREZ,
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
}
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
for (Locale l : exp.keySet()) {
String[] expected = exp.get(l);
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
for (String id : ids) {
String expectedShortStd = null;
String expectedShortDST = null;
String expectedShortGen = null;
System.out.printf("Checking locale %s for %s...\n", l, id);
if ("JRE".equals(localeProvider)) {
expectedShortStd = expected[2];
expectedShortDST = expected[5];
expectedShortGen = expected[8];
} else if ("CLDR".equals(localeProvider)) {
expectedShortStd = expected[1];
expectedShortDST = expected[4];
expectedShortGen = expected[7];
} else {
System.err.printf("Invalid locale provider %s\n", localeProvider);
System.exit(3);
}
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
if (!expected[0].equals(longStd)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
id, l, longStd, expected[0]);
System.exit(4);
}
if (!expectedShortStd.equals(shortStd)) {
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
id, l, shortStd, expectedShortStd);
System.exit(5);
}
if (!expected[3].equals(longDST)) {
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
id, l, longDST, expected[3]);
System.exit(6);
}
if (!expectedShortDST.equals(shortDST)) {
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
id, l, shortDST, expectedShortDST);
System.exit(7);
}
if (!expected[6].equals(longGen)) {
System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
id, l, longGen, expected[6]);
System.exit(8);
}
if (!expectedShortGen.equals(shortGen)) {
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
id, l, shortGen, expectedShortGen);
System.exit(9);
}
} }
} }
} }
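Review bot: The locale provider argument is validated only inside the innermost loop of testZone (the else branch that exits with status 3), after the full zone-string sanity pass has already run over every available locale. Check args[0] against "JRE" and "CLDR" once at the top of main and pass the chosen short-name offset into testZone instead. The expected arrays are also read through bare indices (expected[0] through expected[8], with 1/4/7 for CLDR and 2/5/8 for JRE); named constants, or a comment above KYIV describing the nine-slot layout, would make a wrong table entry much easier to spot in review.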

View File

@ -1,9 +1,33 @@
diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
index 5f4b22bb27f..1ca9f5b8ffe 100644
--- a/make/autoconf/build-aux/pkg.m4
+++ b/make/autoconf/build-aux/pkg.m4
@@ -179,3 +179,19 @@ else
ifelse([$3], , :, [$3])
fi[]dnl
])# PKG_CHECK_MODULES
+
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------
+dnl Since: 0.28
+dnl
+dnl Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])dnl PKG_CHECK_VAR
diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
new file mode 100644 new file mode 100644
index 00000000000..b2b1c1787da index 00000000000..f48fc7f7e80
--- /dev/null --- /dev/null
+++ b/make/autoconf/lib-sysconf.m4 +++ b/make/autoconf/lib-sysconf.m4
@@ -0,0 +1,84 @@ @@ -0,0 +1,87 @@
+# +#
+# Copyright (c) 2021, Red Hat, Inc. +# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da
+ # + #
+ # Check for the NSS library + # Check for the NSS library
+ # + #
+ AC_MSG_CHECKING([for NSS library directory])
+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
+ +
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) + AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
+ +
+ # default is not available + # default is not available
+ DEFAULT_SYSCONF_NSS=no + DEFAULT_SYSCONF_NSS=no
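Review bot: The not-found branch of the new PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, ...) call only prints "not found" and configure continues, yet NSS_LIBDIR is exported with AC_SUBST(NSS_LIBDIR) regardless and is later substituted into nssLibraryDirectory in nss.fips.cfg. Fail with AC_MSG_ERROR when the system NSS was requested and the variable is empty, or at least emit a warning, so a build without the nss pkg-config data does not ship a configuration with an empty library directory. PKG_CHECK_VAR also declares the variable through AC_ARG_VAR, so NSS_LIBDIR can be supplied from the configure environment; that deserves a sentence in the build documentation, since the value names the directory the NSS library is loaded from.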
@ -87,6 +113,7 @@ index 00000000000..b2b1c1787da
+ fi + fi
+ fi + fi
+ AC_SUBST(USE_SYSCONF_NSS) + AC_SUBST(USE_SYSCONF_NSS)
+ AC_SUBST(NSS_LIBDIR)
+]) +])
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
index a65d91ee974..a8f054c1397 100644 index a65d91ee974..a8f054c1397 100644
@ -109,20 +136,43 @@ index a65d91ee974..a8f054c1397 100644
BASIC_JDKLIB_LIBS="" BASIC_JDKLIB_LIBS=""
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
index c2c9c4adf3a..9d105b37acf 100644 index d557549adb3..1cb44bd2595 100644
--- a/make/autoconf/spec.gmk.in --- a/make/autoconf/spec.gmk.in
+++ b/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in
@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ @@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
# Libraries # Libraries
# #
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@ +NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@ +NSS_CFLAGS:=@NSS_CFLAGS@
+NSS_LIBDIR:=@NSS_LIBDIR@
+ +
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@ LCMS_LIBS:=@LCMS_LIBS@
diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
index 4b894eeae4a..51567071aa8 100644
--- a/make/modules/java.base/Gendata.gmk
+++ b/make/modules/java.base/Gendata.gmk
@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
TARGETS += $(GENDATA_JAVA_SECURITY)
################################################################################
+
+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
+
+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
+ $(call LogInfo, Generating nss.fips.cfg)
+ $(call MakeTargetDir)
+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
+ )
+
+TARGETS += $(GENDATA_NSS_FIPS_CFG)
+
+################################################################################
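Review bot: GENDATA_NSS_FIPS_CFG is appended to TARGETS unconditionally, so nss.fips.cfg is generated on every platform and in builds where the system NSS is not used. Guard the block on USE_SYSCONF_NSS, which this patch already exports in spec.gmk.in. The rule's only prerequisite is the .in file, so re-running configure with a different NSS_LIBDIR will not regenerate the output; add a dependency that changes with the configured value. The sed expression 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' uses ':' as delimiter with the path unquoted, which breaks if the directory ever contains a colon.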
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
index 5658ff342e5..c8bc5bde1e1 100644 index 5658ff342e5..c8bc5bde1e1 100644
--- a/make/modules/java.base/Lib.gmk --- a/make/modules/java.base/Lib.gmk
@ -1771,7 +1821,7 @@ index f6d3638c3dd..a1ee182d913 100644
+ } + }
} }
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
index 63bb580eb3a..dbbf11bbb22 100644 index 9faee9cae36..27f43550aa4 100644
--- a/src/java.base/share/classes/module-info.java --- a/src/java.base/share/classes/module-info.java
+++ b/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java
@@ -152,6 +152,8 @@ module java.base { @@ -152,6 +152,8 @@ module java.base {
@ -2193,18 +2243,6 @@ index ca79f25cc44..225517ac69b 100644
addA(p, "AlgorithmParameters", "RSASSA-PSS", addA(p, "AlgorithmParameters", "RSASSA-PSS",
"sun.security.rsa.PSSParameters", null); "sun.security.rsa.PSSParameters", null);
} }
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
index 6ffdfeda18d..82e896170f0 100644
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
+import jdk.internal.access.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
new file mode 100644 new file mode 100644
index 00000000000..dc8bc72fccb index 00000000000..dc8bc72fccb
@ -2509,7 +2547,7 @@ index 00000000000..dc8bc72fccb
+ } + }
+} +}
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 6d91e3f8e4e..f357b630460 100644 index 63be286686d..b0a589c3fb4 100644
--- a/src/java.base/share/conf/security/java.security --- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple @@ -79,6 +79,16 @@ security.provider.tbd=Apple
@ -2529,7 +2567,7 @@ index 6d91e3f8e4e..f357b630460 100644
# #
# A list of preferred providers for specific algorithms. These providers will # A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers. # be searched for matching algorithms before the list of registered providers.
@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false @@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false
# #
keystore.type=pkcs12 keystore.type=pkcs12
@ -2537,11 +2575,47 @@ index 6d91e3f8e4e..f357b630460 100644
+# Default keystore type used when global crypto-policies are set to FIPS. +# Default keystore type used when global crypto-policies are set to FIPS.
+# +#
+fips.keystore.type=pkcs12 +fips.keystore.type=pkcs12
+
+#
+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# The syntax for this property is identical to the 'nssSecmodDirectory'
+# attribute available in the SunPKCS11 NSS configuration file. Use the
+# 'sql:' prefix to refer to an SQLite DB.
+#
+# If the system property fips.nssdb.path is also specified, it supersedes
+# the security property value defined here.
+#
+# Note: the default value for this property points to an NSS DB that might be
+# readable by multiple operating system users and unsuitable to store keys.
+#
+fips.nssdb.path=sql:/etc/pki/nssdb
+
+#
+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# Values must take any of the following forms:
+# 1) pin:<value>
+# Value: clear text PIN value.
+# 2) env:<value>
+# Value: environment variable containing the PIN value.
+# 3) file:<value>
+# Value: path to a file containing the PIN value in its first
+# line.
+#
+# If the system property fips.nssdb.pin is also specified, it supersedes
+# the security property value defined here.
+#
+# When used as a system property, UTF-8 encoded values are valid. When
+# used as a security property (such as in this file), encode non-Basic
+# Latin Unicode characters with \uXXXX.
+#
+fips.nssdb.pin=pin:
+ +
# #
# Controls compatibility mode for JKS and PKCS12 keystore types. # Controls compatibility mode for JKS and PKCS12 keystore types.
# #
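Review bot: The shipped default is "fips.nssdb.pin=pin:", an empty clear-text PIN, and the pin:<value> form is listed first, while the default fips.nssdb.path points at a database the comment above it describes as possibly readable by multiple operating system users and unsuitable to store keys. The comment block should say that env: and file: are the forms intended for real deployments, that a pin: value passed as the fips.nssdb.pin system property is visible in the process command line, what ownership and mode the file: target is expected to have, and what happens when the named environment variable or file is missing. A short pointer to a per-application NSS DB as the recommended override for fips.nssdb.path would close the gap the existing note opens.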
@@ -326,6 +341,13 @@ package.definition=sun.misc.,\ @@ -326,6 +377,13 @@ package.definition=sun.misc.,\
# #
security.overridePropertiesFile=true security.overridePropertiesFile=true
@ -2555,6 +2629,20 @@ index 6d91e3f8e4e..f357b630460 100644
# #
# Determines the default key and trust manager factory algorithms for # Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package. # the javax.net.ssl package.
diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
new file mode 100644
index 00000000000..55bbba98b7a
--- /dev/null
+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = ${fips.nssdb.path}
+nssDbMode = readWrite
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
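Review bot: `nssDbMode = readWrite` is paired with `nssSecmodDirectory = ${fips.nssdb.path}`, whose default in java.security is `sql:/etc/pki/nssdb`, a DB that the java.security comment itself describes as possibly readable by multiple operating system users. A comment in this file on why write access is needed, and on what a deployment should do when the JVM user cannot write to that path (for example, overriding `fips.nssdb.path` with a per-user DB), would help.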
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
index b22f26947af..3ee2ce6ea88 100644 index b22f26947af..3ee2ce6ea88 100644
--- a/src/java.base/share/lib/security/default.policy --- a/src/java.base/share/lib/security/default.policy
@ -2819,10 +2907,10 @@ index 00000000000..ddf9befe5bc
+#endif +#endif
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644 new file mode 100644
index 00000000000..8cfa2734d4e index 00000000000..d3f0bffb821
--- /dev/null --- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,461 @@ @@ -0,0 +1,457 @@
+/* +/*
+ * Copyright (c) 2021, Red Hat, Inc. + * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -2897,9 +2985,6 @@ index 00000000000..8cfa2734d4e
+ private static volatile Provider sunECProvider = null; + private static volatile Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+ +
+ private static volatile KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception { + throws PKCS11Exception {
+ long keyID = -1; + long keyID = -1;
@ -3144,8 +3229,7 @@ index 00000000000..8cfa2734d4e
+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, + CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); + CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( + RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey + RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
+ );
+ CK_ATTRIBUTE attr; + CK_ATTRIBUTE attr;
+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { + if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); + attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
@ -3284,6 +3368,162 @@ index 00000000000..8cfa2734d4e
+ } + }
+ } + }
+} +}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
new file mode 100644
index 00000000000..f8d505ca815
--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2022, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
+import java.security.ProviderException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import sun.security.util.Debug;
+import sun.security.util.SecurityProperties;
+
+final class FIPSTokenLoginHandler implements CallbackHandler {
+
+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
+
+ private static final Debug debug = Debug.getInstance("sunpkcs11");
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ if (!(callbacks[0] instanceof PasswordCallback)) {
+ throw new UnsupportedCallbackException(callbacks[0]);
+ }
+ PasswordCallback pc = (PasswordCallback)callbacks[0];
+ pc.setPassword(getFipsNssdbPin());
+ }
+
+ private static char[] getFipsNssdbPin() throws ProviderException {
+ if (debug != null) {
+ debug.println("FIPS: Reading NSS DB PIN for token...");
+ }
+ String pinProp = SecurityProperties
+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
+ if (pinProp != null && !pinProp.isEmpty()) {
+ String[] pinPropParts = pinProp.split(":", 2);
+ if (pinPropParts.length < 2) {
+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
+ " property value.");
+ }
+ String prefix = pinPropParts[0].toLowerCase();
+ String value = pinPropParts[1];
+ String pin = null;
+ if (prefix.equals("env")) {
+ if (debug != null) {
+ debug.println("FIPS: PIN value from the '" + value +
+ "' environment variable.");
+ }
+ pin = System.getenv(value);
+ } else if (prefix.equals("file")) {
+ if (debug != null) {
+ debug.println("FIPS: PIN value from the '" + value +
+ "' file.");
+ }
+ pin = getPinFromFile(Paths.get(value));
+ } else if (prefix.equals("pin")) {
+ if (debug != null) {
+ debug.println("FIPS: PIN value from the " +
+ FIPS_NSSDB_PIN_PROP + " property.");
+ }
+ pin = value;
+ } else {
+ throw new ProviderException("Unsupported prefix for " +
+ FIPS_NSSDB_PIN_PROP + ".");
+ }
+ if (pin != null && !pin.isEmpty()) {
+ if (debug != null) {
+ debug.println("FIPS: non-empty PIN.");
+ }
+ /*
+ * C_Login in libj2pkcs11 receives the PIN in a char[] and
+ * discards the upper byte of each char, before passing
+ * the value to the NSS Software Token. However, the
+ * NSS Software Token accepts any UTF-8 PIN value. Thus,
+ * expand the PIN here to account for later truncation.
+ */
+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
+ char[] pinChar = new char[pinUtf8.length];
+ for (int i = 0; i < pinChar.length; i++) {
+ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
+ }
+ return pinChar;
+ }
+ }
+ if (debug != null) {
+ debug.println("FIPS: empty PIN.");
+ }
+ return null;
+ }
+
+ /*
+ * This method extracts the token PIN from the first line of a password
+ * file in the same way as NSS modutil. See for example the -newpwfile
+ * argument used to change the password for an NSS DB.
+ */
+ private static String getPinFromFile(Path f) throws ProviderException {
+ try (InputStream is =
+ Files.newInputStream(f, StandardOpenOption.READ)) {
+ /*
+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
+ * reads up to 4096 bytes. In addition, the NSS Software Token
+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
+ * in nss/lib/softoken/pkcs11i.h).
+ */
+ BufferedReader in =
+ new BufferedReader(new InputStreamReader(
+ new ByteArrayInputStream(is.readNBytes(4096)),
+ StandardCharsets.UTF_8));
+ return in.readLine();
+ } catch (IOException ioe) {
+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
+ " from the '" + f + "' file.", ioe);
+ }
+ }
+}
\ No newline at end of file
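Review bot: in `getFipsNssdbPin()`, an `env:` reference to an unset variable, or a `file:` whose first line is empty, leaves `pin` null or empty and falls through to the "FIPS: empty PIN." path, so a misconfigured reference cannot be told apart from a deliberately empty PIN; consider throwing a `ProviderException` when the prefix is `env` or `file` and nothing was read. Two smaller points: `pinPropParts[0].toLowerCase()` is locale-sensitive and should be `toLowerCase(Locale.ROOT)` so an upper-case `PIN:` or `FILE:` prefix still matches under a Turkish default locale, and `pinUtf8` holds the PIN bytes and is never cleared after the copy into `pinChar` (an `Arrays.fill(pinUtf8, (byte)0)` before the return would do). `handle()` also indexes `callbacks[0]` without checking the array length, and the file ends without a trailing newline.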
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
index 9b69072280e..5696b904979 100644 index 9b69072280e..5696b904979 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@ -3597,7 +3837,7 @@ index 00000000000..ae4262703e6
+ +
+} +}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
index c98960f7fcc..c14319a5356 100644 index 8d1b8ccb0ae..950ed20cf62 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
@@ -31,6 +31,7 @@ import java.security.*; @@ -31,6 +31,7 @@ import java.security.*;
@ -3608,7 +3848,7 @@ index c98960f7fcc..c14319a5356 100644
import javax.crypto.spec.*; import javax.crypto.spec.*;
import static sun.security.pkcs11.TemplateManager.*; import static sun.security.pkcs11.TemplateManager.*;
@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { @@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
return p11Key; return p11Key;
} }
@ -3737,7 +3977,7 @@ index c98960f7fcc..c14319a5356 100644
static void fixDESParity(byte[] key, int offset) { static void fixDESParity(byte[] key, int offset) {
for (int i = 0; i < 8; i++) { for (int i = 0; i < 8; i++) {
int b = key[offset] & 0xfe; int b = key[offset] & 0xfe;
@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { @@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
keySpec = new SecretKeySpec(keyBytes, "DESede"); keySpec = new SecretKeySpec(keyBytes, "DESede");
return engineGenerateSecret(keySpec); return engineGenerateSecret(keySpec);
} }
@ -3747,7 +3987,7 @@ index c98960f7fcc..c14319a5356 100644
} }
throw new InvalidKeySpecException throw new InvalidKeySpecException
("Unsupported spec: " + keySpec.getClass().getName()); ("Unsupported spec: " + keySpec.getClass().getName());
@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { @@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
// see JCE spec // see JCE spec
protected SecretKey engineTranslateKey(SecretKey key) protected SecretKey engineTranslateKey(SecretKey key)
throws InvalidKeyException { throws InvalidKeyException {
@ -3880,7 +4120,7 @@ index 262cfc062ad..72b64f72c0a 100644
Provider p = sun; Provider p = sun;
if (p == null) { if (p == null) {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 112b639aa96..3e170b4c115 100644 index aa35e8fa668..f4d7c9cc201 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@ @@ -26,6 +26,9 @@
@ -3893,7 +4133,7 @@ index 112b639aa96..3e170b4c115 100644
import java.util.*; import java.util.*;
import java.security.*; import java.security.*;
@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; @@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters; import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
@ -3901,7 +4141,12 @@ index 112b639aa96..3e170b4c115 100644
import jdk.internal.misc.InnocuousThread; import jdk.internal.misc.InnocuousThread;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.ResourcesMgr; import sun.security.util.ResourcesMgr;
@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; import static sun.security.util.SecurityConstants.PROVIDER_VER;
+import sun.security.util.SecurityProperties;
import static sun.security.util.SecurityProviderConstants.getAliases;
import sun.security.pkcs11.Secmod.*;
@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/ */
public final class SunPKCS11 extends AuthProvider { public final class SunPKCS11 extends AuthProvider {
@ -3935,11 +4180,32 @@ index 112b639aa96..3e170b4c115 100644
+ fipsImportKey = fipsImportKeyTmp; + fipsImportKey = fipsImportKeyTmp;
+ fipsExportKey = fipsExportKeyTmp; + fipsExportKey = fipsExportKeyTmp;
+ } + }
+
+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
+ +
private static final long serialVersionUID = -1354835039035306505L; private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11"); static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider { @@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider {
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
@Override
public SunPKCS11 run() throws Exception {
+ if (systemFipsEnabled) {
+ /*
+ * The nssSecmodDirectory attribute in the SunPKCS11
+ * NSS configuration file takes the value of the
+ * fips.nssdb.path System property after expansion.
+ * Security properties expansion is unsupported.
+ */
+ System.setProperty(
+ FIPS_NSSDB_PATH_PROP,
+ SecurityProperties.privilegedGetOverridable(
+ FIPS_NSSDB_PATH_PROP));
+ }
return new SunPKCS11(new Config(newConfigName));
}
});
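Review bot: `System.setProperty(FIPS_NSSDB_PATH_PROP, ...)` is passed whatever `SecurityProperties.privilegedGetOverridable(FIPS_NSSDB_PATH_PROP)` returns, and `System.setProperty` throws `NullPointerException` on a null value, so a java.security file that drops `fips.nssdb.path` would fail here with an unhelpful error. Suggest a null check that raises a `ProviderException` naming the property. The comment could also say that this overwrites a process-wide system property as a side effect of provider configuration.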
@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first // request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK; initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11; PKCS11 tmpPKCS11;
@ -3960,7 +4226,7 @@ index 112b639aa96..3e170b4c115 100644
} catch (PKCS11Exception e) { } catch (PKCS11Exception e) {
if (debug != null) { if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e); debug.println("Multi-threaded initialization failed: " + e);
@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider { @@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0; initArgs.flags = 0;
} }
tmpPKCS11 = PKCS11.getInstance(library, tmpPKCS11 = PKCS11.getInstance(library,
@ -3975,32 +4241,7 @@ index 112b639aa96..3e170b4c115 100644
if (p11Info.cryptokiVersion.major < 2) { if (p11Info.cryptokiVersion.major < 2) {
throw new ProviderException("Only PKCS#11 v2.0 and later " throw new ProviderException("Only PKCS#11 v2.0 and later "
+ "supported, library version is v" + p11Info.cryptokiVersion); + "supported, library version is v" + p11Info.cryptokiVersion);
@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider { @@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider {
final String className; final String className;
final List<String> aliases; final List<String> aliases;
final int[] mechanisms; final int[] mechanisms;
@ -4021,7 +4262,7 @@ index 112b639aa96..3e170b4c115 100644
} }
private P11Service service(Token token, int mechanism) { private P11Service service(Token token, int mechanism) {
return new P11Service return new P11Service
@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider { @@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider {
private static void d(String type, String algorithm, String className, private static void d(String type, String algorithm, String className,
int[] m) { int[] m) {
@ -4054,7 +4295,7 @@ index 112b639aa96..3e170b4c115 100644
} }
private static void register(Descriptor d) { private static void register(Descriptor d) {
@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider { @@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider {
String P11Cipher = "sun.security.pkcs11.P11Cipher"; String P11Cipher = "sun.security.pkcs11.P11Cipher";
String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
@ -4062,7 +4303,7 @@ index 112b639aa96..3e170b4c115 100644
String P11Signature = "sun.security.pkcs11.P11Signature"; String P11Signature = "sun.security.pkcs11.P11Signature";
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider { @@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider {
d(MAC, "SslMacSHA1", P11Mac, d(MAC, "SslMacSHA1", P11Mac,
m(CKM_SSL3_SHA1_MAC)); m(CKM_SSL3_SHA1_MAC));
@ -4093,7 +4334,7 @@ index 112b639aa96..3e170b4c115 100644
d(KPG, "RSA", P11KeyPairGenerator, d(KPG, "RSA", P11KeyPairGenerator,
getAliases("PKCS1"), getAliases("PKCS1"),
m(CKM_RSA_PKCS_KEY_PAIR_GEN)); m(CKM_RSA_PKCS_KEY_PAIR_GEN));
@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider { @@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider {
d(SKF, "ChaCha20", P11SecretKeyFactory, d(SKF, "ChaCha20", P11SecretKeyFactory,
m(CKM_CHACHA20_POLY1305)); m(CKM_CHACHA20_POLY1305));
@ -4160,7 +4401,7 @@ index 112b639aa96..3e170b4c115 100644
// XXX attributes for Ciphers (supported modes, padding) // XXX attributes for Ciphers (supported modes, padding)
dA(CIP, "ARCFOUR", P11Cipher, dA(CIP, "ARCFOUR", P11Cipher,
m(CKM_RC4)); m(CKM_RC4));
@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider { @@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider {
d(CIP, "RSA/ECB/NoPadding", P11RSACipher, d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
m(CKM_RSA_X_509)); m(CKM_RSA_X_509));
@ -4207,7 +4448,7 @@ index 112b639aa96..3e170b4c115 100644
d(SIG, "RawDSA", P11Signature, d(SIG, "RawDSA", P11Signature,
List.of("NONEwithDSA"), List.of("NONEwithDSA"),
m(CKM_DSA)); m(CKM_DSA));
@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider { @@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider {
if (ds == null) { if (ds == null) {
continue; continue;
} }
@ -4229,7 +4470,35 @@ index 112b639aa96..3e170b4c115 100644
supportedAlgs.put(d, integerMech); supportedAlgs.put(d, integerMech);
continue; continue;
} }
@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider { @@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider {
if (token.isValid() == false) {
throw new NoSuchAlgorithmException("Token has been removed");
}
+ if (systemFipsEnabled && !token.fipsLoggedIn &&
+ !getType().equals("KeyStore")) {
+ /*
+ * The NSS Software Token in FIPS 140-2 mode requires a
+ * user login for most operations. See sftk_fipsCheck
+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
+ * service, let the caller perform the login with
+ * KeyStore::load. Keytool, for example, does this to pass a
+ * PIN from either the -srcstorepass or -deststorepass
+ * argument. In case of a non-KeyStore service, perform the
+ * login now with the PIN available in the fips.nssdb.pin
+ * property.
+ */
+ try {
+ token.ensureLoggedIn(null);
+ } catch (PKCS11Exception | LoginException e) {
+ throw new ProviderException("FIPS: error during the Token" +
+ " login required for the " + getType() +
+ " service.", e);
+ }
+ }
try {
return newInstance0(param);
} catch (PKCS11Exception e) {
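Review bot: the `!token.fipsLoggedIn` test and the `token.ensureLoggedIn(null)` call that follows it are not performed under a lock, so two threads instantiating their first non-KeyStore service at the same time can both reach the login path. If a second login attempt can fail, it will surface as the `ProviderException` thrown here; either synchronize this block or state in the comment why concurrent logins are harmless.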
@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider {
} else if (algorithm.endsWith("GCM/NoPadding") || } else if (algorithm.endsWith("GCM/NoPadding") ||
algorithm.startsWith("ChaCha20-Poly1305")) { algorithm.startsWith("ChaCha20-Poly1305")) {
return new P11AEADCipher(token, algorithm, mechanism); return new P11AEADCipher(token, algorithm, mechanism);
@ -4238,6 +4507,63 @@ index 112b639aa96..3e170b4c115 100644
} else { } else {
return new P11Cipher(token, algorithm, mechanism); return new P11Cipher(token, algorithm, mechanism);
} }
@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider {
try {
session = token.getOpSession();
p11.C_Logout(session.id());
+ if (systemFipsEnabled) {
+ token.fipsLoggedIn = false;
+ }
if (debug != null) {
debug.println("logout succeeded");
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
index 9858a5faedf..e63585486d9 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
@@ -33,6 +33,7 @@ import java.lang.ref.*;
import java.security.*;
import javax.security.auth.login.LoginException;
+import jdk.internal.access.SharedSecrets;
import sun.security.jca.JCAUtil;
import sun.security.pkcs11.wrapper.*;
@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/
class Token implements Serializable {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
// need to be serializable to allow SecureRandom to be serialized
private static final long serialVersionUID = 2541527649100571747L;
@@ -114,6 +118,10 @@ class Token implements Serializable {
// flag indicating whether we are logged in
private volatile boolean loggedIn;
+ // Flag indicating the login status for the NSS Software Token in FIPS mode.
+ // This Token is never asynchronously removed. Used from SunPKCS11.
+ volatile boolean fipsLoggedIn;
+
// time we last checked login status
private long lastLoginCheck;
@@ -232,7 +240,12 @@ class Token implements Serializable {
// call provider.login() if not
void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
if (isLoggedIn(session) == false) {
- provider.login(null, null);
+ if (systemFipsEnabled) {
+ provider.login(null, new FIPSTokenLoginHandler());
+ fipsLoggedIn = true;
+ } else {
+ provider.login(null, null);
+ }
}
}
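Review bot: `fipsLoggedIn = true` is set only inside the `isLoggedIn(session) == false` branch, so when the token is already logged in by another route (the SunPKCS11 comment mentions `KeyStore::load`), the flag stays false and every later non-KeyStore `newInstance` call goes through `ensureLoggedIn` again. Consider setting the flag whenever `systemFipsEnabled` is true and the token is found logged in, and documenting how `fipsLoggedIn` relates to the existing `loggedIn` field.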
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
index 88ff8a71fc3..47a2f97eddf 100644 index 88ff8a71fc3..47a2f97eddf 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
@ -4877,7 +5203,7 @@ index 5c0aacd1a67..5fbf8addcba 100644
+} +}
} }
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
index d22844cfba8..9e02958b4b0 100644 index 0d65ee26805..38fd4aff1f3 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants { @@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
@ -4939,7 +5265,7 @@ index d22844cfba8..9e02958b4b0 100644
+ /* (CKM_NSS + 32) */ = 0xCE534370L; + /* (CKM_NSS + 32) */ = 0xCE534370L;
} }
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
index 666c5eb9b3b..5523dafcdb4 100644 index d941b574cc7..e2de13648be 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, @@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,


@ -1,26 +0,0 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
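Review bot: the comment in the new `catch (AuthenticationException e)` block says the rethrow is "to avoid blocking the user", which does not say what gets blocked; if the concern is that retrying wrong credentials against each endpoint counts as repeated failed binds, the comment should say so. The same wording is repeated in the second hunk, and no test accompanies either change in the visible patch.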
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}


@ -1,132 +0,0 @@
diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
index 8759aab3995..11ccbf73839 100644
--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
{"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00",
"Kirov Daylight Time", "GMT+03:00",
"Kirov Time", "GMT+03:00"}},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
index f007c1a8d3b..617268e4cf3 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
index 386414e16e6..14c5d89b9c5 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
index d23f5fd49e6..44117125619 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
index b4f57d4568c..efa818f3865 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
index 1a10a9f96dc..7c0565461ad 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
index 9a2d9e5c57c..8a2c805997f 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
index de5e5c82daa..e3c06417f09 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
index b53de4d8c89..3e46b6a063e 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
index 7797cda19d5..590908409a8 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
index 2cd10554853..23c5f180b6d 100644
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
{"Europe/Jersey", GMTBST},
{"Europe/Kaliningrad", EET},
{"Europe/Kiev", EET},
+ {"Europe/Kyiv", EET},
{"Europe/Lisbon", WET},
{"Europe/Ljubljana", CET},
{"Europe/London", GMTBST},

View File

@ -1,8 +0,0 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
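Review bot: deleting this template removes the only place in the packaging where the FIPS PKCS#11 settings (`nssDbMode = readOnly`, `nssModule = fips`, the `CKA_SIGN=true` attribute line) could be read and reviewed. The changelog says nss.fips.cfg is now handled in the patched OpenJDK build, so add a %check step that asserts the file still ships in the built image (the removed install step put it in conf/security/). That way a later refresh of the fips patch cannot drop it unnoticed.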

View File

@ -5,6 +5,7 @@ TREE=${1}
TYPE=${2} TYPE=${2}
ZIP_SRC=src/java.base/share/native/libzip/zlib/ ZIP_SRC=src/java.base/share/native/libzip/zlib/
FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@ -31,15 +32,21 @@ cd ${TREE}
echo "Removing built-in libs (they will be linked)" echo "Removing built-in libs (they will be linked)"
# On full runs, allow for zlib having already been deleted by minimal # On full runs, allow for zlib & freetype having already been deleted by minimal
echo "Removing zlib" echo "Removing zlib"
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed." echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1 exit 1
fi fi
rm -rvf ${ZIP_SRC} rm -rvf ${ZIP_SRC}
echo "Removing freetype"
if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${FREETYPE_SRC}
# Minimal is limited to just zlib so finish here # Minimal is limited to just zlib and freetype so finish here
if test "x${TYPE}" = "xminimal"; then if test "x${TYPE}" = "xminimal"; then
echo "Finished."; echo "Finished.";
exit 0; exit 0;
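Review bot: the new freetype block copies the zlib guard verbatim, including the unquoted `${FREETYPE_SRC}` in both the `[ ... ! -d ${FREETYPE_SRC} ]` test and `rm -rvf ${FREETYPE_SRC}`. Quote the expansions, and consider moving the check-then-remove into one helper that takes the directory as its argument, so the next library added to the minimal set does not need a third copy. The `-a` operator inside `[ ]` is also marked obsolescent by POSIX; `[ ... ] && [ ... ]` is the portable form.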

View File

@ -23,6 +23,8 @@
%bcond_without staticlibs %bcond_without staticlibs
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm %bcond_without fresh_libjvm
# Build with system libraries
%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries # Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs} %if %{with staticlibs}
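Review bot: the comment `# Build with system libraries` above `%bcond_with system_libs` reads as if system libraries were the default, but `%bcond_with` defines an option that stays off unless `--with system_libs` is passed, so the default build is the bundled one. State the default in the comment.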
@ -39,6 +41,16 @@
%global build_hotspot_first 0 %global build_hotspot_first 0
%endif %endif
%if %{with system_libs}
%global system_libs 1
%global link_type system
%global freetype_lib %{nil}
%else
%global system_libs 0
%global link_type bundled
%global freetype_lib |libfreetype[.]so.*
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info. # This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
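Review bot: `%global freetype_lib |libfreetype[.]so.*` carries its own leading `|`, so it is only valid when expanded at the tail of an existing alternation, which is how `_privatelibs` uses it further down. A one-line comment here saying so would stop the macro being reused on its own or at the start of a pattern, where it would introduce an empty alternative.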
@ -190,11 +202,15 @@
%global staticlibs_loop %{nil} %global staticlibs_loop %{nil}
%endif %endif
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches} %ifarch %{bootstrap_arches}
%global bootstrap_build true %global bootstrap_build true
%else %else
%global bootstrap_build false %global bootstrap_build false
%endif %endif
%endif
%if %{include_staticlibs} %if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from # Extra target for producing the static-libraries. Separate from
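Review bot: the new `%if 0%{?flatpak}` branch forces `bootstrap_build false` with no comment saying why flatpak builds are exempt; the reason appears only in the changelog. Add a short comment above the conditional so the nesting with `%ifarch %{bootstrap_arches}` is understandable without reading the history.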
@ -305,8 +321,8 @@
# New Version-String scheme-style defines # New Version-String scheme-style defines
%global featurever 17 %global featurever 17
%global interimver 0 %global interimver 0
%global updatever 4 %global updatever 6
%global patchver 1 %global patchver 0
# buildjdkver is usually same as %%{featurever}, # buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1, # but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place # and this it is better to change it here, on single place
@ -345,15 +361,15 @@
# Define IcedTea version used for SystemTap tapsets and desktop file # Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598 %global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches # Define current Git revision for the FIPS support patches
%global fipsver 0bd5ca9ccc5 %global fipsver 72d08e3226f
# Standard JPackage naming and versioning defines # Standard JPackage naming and versioning defines
%global origin openjdk %global origin openjdk
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1 %global buildver 9
%global rpmrelease 2 %global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -379,7 +395,7 @@
# Release will be (where N is usually a number starting at 1): # Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases, # - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases # - N%%{?extraver}{?dist} for GA releases
%global is_ga 1 %global is_ga 0
%if %{is_ga} %if %{is_ga}
%global build_type GA %global build_type GA
%global ea_designator "" %global ea_designator ""
@ -411,7 +427,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* %global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk %if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$ %global __provides_exclude ^(%{_privatelibs})$
@ -815,6 +831,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
%if ! %{system_libs}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@ -933,7 +952,7 @@ exit 0
%ifarch %{sa_arches} %ifarch %{sa_arches}
%ifnarch %{zero_arches} %ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif %endif
%endif %endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@ -972,11 +991,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap} %if %{with_systemtap}
%dir %{tapsetroot} %dir %{tapsetroot}
@ -1099,8 +1118,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package # Require zone-info data provided by tzdata-java sub-package
# 2022a required as of JDK-8283350 in 17.0.4 # 2022g required as of JDK-8297804
Requires: tzdata-java >= 2022a Requires: tzdata-java >= 2022g
# for support of kernel stream control # for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand # libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa} Requires: lksctp-tools%{?_isa}
@ -1108,7 +1127,7 @@ Requires: lksctp-tools%{?_isa}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression # considered as regression
Requires: copy-jdk-configs >= 4.0 Requires: copy-jdk-configs >= 3.3
OrderWithRequires: copy-jdk-configs OrderWithRequires: copy-jdk-configs
%endif %endif
# for printing support # for printing support
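Review bot: `Requires: copy-jdk-configs >= 3.3` lowers the floor from 4.0 with no comment. The pretrans Lua in this spec changes in step (it sets `arg` and lets `require "copy_jdk_configs.lua"` run the script instead of calling `cjc.mainProgram(args)`), so note next to the Requires line which invocation style the 3.3 floor corresponds to. Otherwise the version requirement and the scriptlet can drift apart on the next rebase.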
@ -1292,9 +1311,6 @@ Source15: TestSecurityProperties.java
# Ensure vendor settings are correct # Ensure vendor settings are correct
Source16: CheckVendor.java Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
# Ensure translations are available for new timezones # Ensure translations are available for new timezones
Source18: TestTranslations.java Source18: TestTranslations.java
@ -1317,11 +1333,9 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
Patch7: jdk8292223-tzdata2022b-kyiv.patch
# Crypto policy and FIPS support patches # Crypto policy and FIPS support patches
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u-cpu-2022-07 # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch # as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes # Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included: # Fixes currently included:
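Review bot: the provenance comment now points at the moving `fips-17u` branch instead of a dated one, and the patch file is named from `git show -s --format=%h HEAD`, which is an abbreviated hash. For a patch that carries the crypto-policy and FIPS changes, record the full commit hash it was generated from next to `fipsver`, so the diff can be regenerated and compared later even after the branch has moved.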
@ -1348,6 +1362,9 @@ Patch7: jdk8292223-tzdata2022b-kyiv.patch
# Build the systemconf library on all platforms # Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores # RH2048582: Support PKCS#12 keystores
# RH2020290: Support TLS 1.3 in FIPS mode # RH2020290: Support TLS 1.3 in FIPS mode
# Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
# Remove forgotten dead code from RH2020290 and RH2104724
Patch1001: fips-17u-%{fipsver}.patch Patch1001: fips-17u-%{fipsver}.patch
############################################# #############################################
@ -1355,12 +1372,16 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming # OpenJDK patches in need of upstreaming
# #
############################################# #############################################
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch2000: jdk8275535-rh2053256-ldap_auth.patch
############################################# #############################################
# #
# OpenJDK patches appearing in 17.0.3 # OpenJDK patches appearing in 17.0.5
#
#############################################
#############################################
#
# OpenJDK patches targetted for 17.0.6
# #
############################################# #############################################
@ -1373,14 +1394,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT # elfutils only are OK for build without AOT
BuildRequires: elfutils-devel BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gdb BuildRequires: gdb
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: libX11-devel BuildRequires: libX11-devel
BuildRequires: libXi-devel BuildRequires: libXi-devel
@ -1402,8 +1417,8 @@ BuildRequires: java-17-openjdk-devel
%ifarch %{zero_arches} %ifarch %{zero_arches}
BuildRequires: libffi-devel BuildRequires: libffi-devel
%endif %endif
# 2022a required as of JDK-8283350 in 17.0.4 # 2022g required as of JDK-8297804
BuildRequires: tzdata-java >= 2022a BuildRequires: tzdata-java >= 2022g
# Earlier versions have a bug in tree vectorization on PPC # Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8 BuildRequires: gcc >= 4.8.3-8
@ -1412,6 +1427,30 @@ BuildRequires: systemtap-sdt-devel
%endif %endif
BuildRequires: make BuildRequires: make
%if %{system_libs}
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
Provides: bundled(freetype) = 2.12.1
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
Provides: bundled(harfbuzz) = 4.4.1
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.12.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
Provides: bundled(libpng) = 1.6.37
# We link statically against libstdc++ to increase portability
BuildRequires: libstdc++-static
%endif
# this is always built, also during debug-only build # this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder # when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}} %{java_rpo %{nil}}
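Review bot: the six `Provides: bundled(...)` versions are typed in by hand, and each comment names the header the number was read from, but nothing checks one against the other. With `system_libs` off by default, these tags are what tells an auditor which freetype, giflib, harfbuzz, lcms2, libjpeg and libpng code is inside the JDK. A small step in %prep that extracts the version from each listed header and fails on a mismatch would keep them accurate across source updates.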
@ -1761,8 +1800,11 @@ if [ $prioritylength -ne 8 ] ; then
fi fi
# OpenJDK patches # OpenJDK patches
%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds # Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name} sh %{SOURCE12} %{top_level_dir_name}
%endif
# Patch the JDK # Patch the JDK
pushd %{top_level_dir_name} pushd %{top_level_dir_name}
@ -1770,7 +1812,6 @@ pushd %{top_level_dir_name}
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
# Add crypto policy and FIPS support # Add crypto policy and FIPS support
%patch1001 -p1 %patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security # nss.cfg PKCS11 support; must come last as it also alters java.security
@ -1779,8 +1820,6 @@ popd # openjdk
%patch600 %patch600
%patch2000
# The OpenJDK version file includes the current # The OpenJDK version file includes the current
# upstream version information. For some reason, # upstream version information. For some reason,
# configure does not automatically use the # configure does not automatically use the
@ -1798,8 +1837,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
echo "WARNING: Designator mismatch"; echo "WARNING: Designator mismatch";
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
# Don't fail at present as upstream are not maintaining the value correctly exit 17
#exit 17
fi fi
# Extract systemtap tapsets # Extract systemtap tapsets
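Review bot: with `exit 17` now active, the message printed just above it still says `WARNING: Designator mismatch`, although the build stops at this point. Change the wording to an error and send the three `echo` lines to stderr so the cause is obvious in a failed build log.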
@ -1851,9 +1889,6 @@ done
# Setup nss.cfg # Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build %build
# How many CPU's do we have? # How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
@ -1897,6 +1932,14 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir} local top_dir_abs_build_path=$(pwd)/${outputdir}
# This must be set using the global, so that the
# static libraries still use a dynamic stdc++lib
if [ "x%{link_type}" = "xbundled" ] ; then
libc_link_opt="static";
else
libc_link_opt="dynamic";
fi
echo "Using output directory: ${outputdir}"; echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..." echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version ${buildjdk}/bin/java -version
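Review bot: the comment above the new `if` says the static libraries "still use a dynamic stdc++lib", yet the `bundled` branch sets `libc_link_opt="static"`, and that value is what `--with-stdc++lib` receives in the configure call. Reword the comment to describe what the code does. Also, `libc_link_opt` is assigned without `local` although the two variables just above it are declared `local`, and the name suggests libc where it controls libstdc++.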
@ -1908,6 +1951,10 @@ function buildjdk() {
mkdir -p ${outputdir} mkdir -p ${outputdir}
pushd ${outputdir} pushd ${outputdir}
# Note: zlib and freetype use %{link_type}
# rather than ${link_opt} as the system versions
# are always used in a system_libs build, even
# for the static library build
bash ${top_dir_abs_src_path}/configure \ bash ${top_dir_abs_src_path}/configure \
%ifarch %{zero_arches} %ifarch %{zero_arches}
--with-jvm-variants=zero \ --with-jvm-variants=zero \
@ -1928,13 +1975,14 @@ function buildjdk() {
--with-native-debug-symbols="%{debug_symbols}" \ --with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \ --disable-sysconf-nss \
--enable-unlimited-crypto \ --enable-unlimited-crypto \
--with-zlib=system \ --with-zlib=%{link_type} \
--with-freetype=%{link_type} \
--with-libjpeg=${link_opt} \ --with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \ --with-giflib=${link_opt} \
--with-libpng=${link_opt} \ --with-libpng=${link_opt} \
--with-lcms=${link_opt} \ --with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \ --with-harfbuzz=${link_opt} \
--with-stdc++lib=dynamic \ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-ldflags="%{ourldflags}" \ --with-extra-ldflags="%{ourldflags}" \
@ -1974,9 +2022,6 @@ function installjdk() {
# Install nss.cfg right away as we will be using the JRE above # Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/ install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Turn on system security properties # Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security ${imagepath}/conf/security/java.security
@ -2020,12 +2065,13 @@ for suffix in %{build_loop} ; do
bootbuilddir=boot${builddir} bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then if test "x${loop}" = "x%{main_suffix}" ; then
link_opt="%{link_type}"
%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries # Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup} cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked # Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries %endif
link_opt="system"
# Debug builds don't need same targets as release for # Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these # build speed-up. We also avoid bootstrapping these
# slower builds. # slower builds.
@ -2043,9 +2089,11 @@ for suffix in %{build_loop} ; do
else else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi fi
%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources # Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name} rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name}
%endif
else else
# Use bundled libraries for building statically # Use bundled libraries for building statically
link_opt="bundled" link_opt="bundled"
@ -2079,6 +2127,8 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Pre-test setup
#check Shenandoah is enabled #check Shenandoah is enabled
%if %{use_shenandoah_hotspot} %if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version $JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
@ -2112,12 +2162,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
%endif %endif
# Check translations are available for new timezones # Check translations are available for new timezones
$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \ $JAVA_HOME/bin/javac -d . %{SOURCE18}
--add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
-d . %{SOURCE18} $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
--add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
$(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
%if %{include_staticlibs} %if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test) # Check debug symbols in static libraries (smoke test)
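Review bot: the class name is derived twice with `$(echo $(basename %{SOURCE18})|sed "s|\.java||")`. `basename %{SOURCE18} .java` gives the same result without the extra `echo` and `sed`, and assigning it once to a variable would make the JRE and CLDR runs easier to read.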
@ -2376,10 +2423,9 @@ else
return return
end end
end end
arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" -- run content of included file with fake args
cjc = require "copy_jdk_configs.lua" arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} require "copy_jdk_configs.lua"
cjc.mainProgram(args)
%post %post
%{post_script %{nil}} %{post_script %{nil}}
@ -2575,28 +2621,98 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Fri Sep 02 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2 * Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea
- Update to jdk-17.0.6+9
- Update release notes to 17.0.6+9
- Drop local copy of JDK-8293834 now this is upstream
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
- Resolves: rhbz#2150195
* Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.3.ea
- Update to jdk-17.0.6+1
- Update release notes to 17.0.6+1
- Switch to EA mode for 17.0.6 pre-release builds.
- Re-enable EA upstream status check now it is being actively maintained.
- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
- Drop JDK-8275535 local patch now this has been accepted and backported upstream
- Bump tzdata requirement to 2022e now the package is available in RHEL
- Related: rhbz#2150195
* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-5
- Update FIPS support to bring in latest changes
- * Add nss.fips.cfg support to OpenJDK tree
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
- * Remove forgotten dead code from RH2020290 and RH2104724
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
- Resolves: rhbz#2117972
* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2
- Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA)
- Switch to GA mode for final release.
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Update CLDR data with Europe/Kyiv (JDK-8293834)
- Drop JDK-8292223 patch which we found to be unnecessary
- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
- Remove freetype sources along with zlib sources
- Resolves: rhbz#2133695
* Tue Oct 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.7-0.2.ea
- Update to jdk-17.0.5+7
- Update release notes to 17.0.5+7
- Drop JDK-8288985 patch that is now upstream
- Resolves: rhbz#2130617
* Mon Oct 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.1-0.2.ea
- Update to jdk-17.0.5+1
- Update release notes to 17.0.5+1
- Switch to EA mode for 17.0.5 pre-release builds.
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Related: rhbz#2130617
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-6
- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
- Resolves: rhbz#2006351
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2121263
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4
- Fix flatpak builds (catering for their uncompressed manual pages)
- Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102734
* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3
- Update FIPS support to bring in latest changes - Update FIPS support to bring in latest changes
- * RH2023467: Enable FIPS keys export
- * RH2104724: Avoid import/export of DH private keys - * RH2104724: Avoid import/export of DH private keys
- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode - * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
- * Build the systemconf library on all platforms - * Build the systemconf library on all platforms
- * RH2048582: Support PKCS#12 keystores - * RH2048582: Support PKCS#12 keystores
- * RH2020290: Support TLS 1.3 in FIPS mode - * RH2020290: Support TLS 1.3 in FIPS mode
- Resolves: rhbz#2123579 - Resolves: rhbz#2104724
- Resolves: rhbz#2123580 - Resolves: rhbz#2092507
- Resolves: rhbz#2123581 - Resolves: rhbz#2048582
- Resolves: rhbz#2123583 - Resolves: rhbz#2020290
- Resolves: rhbz#2123584
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-1 * Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
- Update to jdk-17.0.4.1+1 - Update to jdk-17.0.4.1+1
- Update release notes to 17.0.4.1+1 - Update release notes to 17.0.4.1+1
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b - Add patch to provide translations for Europe/Kyiv added in tzdata2022b
- Add test to ensure timezones can be translated - Add test to ensure timezones can be translated
- Resolves: rhbz#2120058 - Resolves: rhbz#2119531
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-0.2.ea * Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3
- Update to jdk-17.0.4.0+8
- Update release notes to 17.0.4.0+8
- Switch to GA mode for release
- Resolves: rhbz#2106522
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
- Revert the following changes until copy-java-configs has adapted to relative symlinks: - Revert the following changes until copy-java-configs has adapted to relative symlinks:
- * Move cacerts replacement to install section and retain original of this and tzdb.dat - * Move cacerts replacement to install section and retain original of this and tzdb.dat
- * Run tests on the installed image, rather than the build image - * Run tests on the installed image, rather than the build image
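Review bot: the added 1:17.0.4.1.1-5 entry, "Switch to static builds, reducing system dependencies and making build more portable", does not say which libraries are now linked statically. Statically linked code only picks up fixes when this package is rebuilt, so name the libraries in the entry, or point to where the spec selects them, so that a later security update to one of them can be matched to a required rebuild of java-17-openjdk.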
@ -2604,11 +2720,19 @@ cjc.mainProgram(args)
- * Use relative symlinks so they work within the image - * Use relative symlinks so they work within the image
- * Run debug symbols check during build stage, before the install strips them - * Run debug symbols check during build stage, before the install strips them
- The move of turning on system security properties is retained so we don't ship with them off - The move of turning on system security properties is retained so we don't ship with them off
- Related: rhbz#2084779 - Related: rhbz#2100674
* Mon Jul 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-1 * Wed Jul 20 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.4.0.7-0.2.ea
- Update to jdk-17.0.4.0+8 - retutrned absolute symlinks
- Update release notes to 17.0.4.0+8 - relative symlinks are breaking cjc, and deeper investigations are necessary
-- why cjc intentionally skips relative symllinks
- images have to be workarounded differently
- Related: rhbz#2100674
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.4.0+7
- Update release notes to 17.0.4.0+7
- Switch to EA mode for 17.0.4 pre-release builds.
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 - Need to include the '.S' suffix in debuginfo checks after JDK-8284661
- Print release file during build, which should now include a correct SOURCE value from .src-rev - Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation - Update tarball script with IcedTea GitHub URL and .src-rev generation
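Review bot: the new side now carries two entries for 1:17.0.4.0.7-0.2.ea dated Wed Jul 20 2022, the Andrew Hughes entry that lists the reverted changes and the Jiri Vanek entry added in this hunk, and both record the return to absolute symlinks. Fold them into a single entry and correct "retutrned" and "symllinks" while doing so. If rhbz#2100674 is where the investigation into why cjc skips relative symlinks is tracked, say so in the entry, since "deeper investigations are necessary" otherwise has no owner.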
@ -2619,54 +2743,100 @@ cjc.mainProgram(args)
- Explicitly require crypto-policies during build and runtime for system security properties - Explicitly require crypto-policies during build and runtime for system security properties
- Make use of the vendor version string to store our version & release rather than an upstream release date - Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information. - Include a test in the RPM to check the build has the correct vendor information.
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository - Resolves: rhbz#2083316
- * RH2094027: SunEC runtime permission for FIPS
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
- * RH2090378: Revert to disabling system security properties and FIPS mode support together - Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Add proper quoting so '&' is not treated as a special character by the shell.
- Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Related: rhbz#2083316
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on * Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Fix whitespace in spec file
- Related: rhbz#2100674
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
- Related: rhbz#2100674
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Turn on system security properties as part of the build's install section - Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat - Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image - Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories - Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image - Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them - Run debug symbols check during build stage, before the install strips them
- Resolves: rhbz#2084779 - Related: rhbz#2100674
- Resolves: rhbz#2099919
- Resolves: rhbz#2107943
- Resolves: rhbz#2107941
- Resolves: rhbz#2106523
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea * Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Related: rhbz#2084779
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2105395 - Resolves: rhbz#2007331
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-4
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
- Resolves: rhbz#2099840
- Resolves: rhbz#2100674
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2101524
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- RH2023467: Enable FIPS keys export
- RH2094027: SunEC runtime permission for FIPS
- Resolves: rhbz#2023467
- Resolves: rhbz#2094027
* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1 * Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
- April 2022 security update to jdk 17.0.3+7 - April 2022 security update to jdk 17.0.3+7
- Update to jdk-17.0.3.0+7 tarball - Update to jdk-17.0.3.0+7 release tarball
- Update release notes to 17.0.3.0+7 - Update release notes to 17.0.3.0+6
- Add missing README.md and generate_source_tarball.sh - Add missing README.md and generate_source_tarball.sh
- Resolves: rhbz#2073578 - Switch to GA mode for release
- JDK-8283911 patch no longer needed now we're GA...
- Resolves: rhbz#2073577
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-13 * Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
- Update to jdk-17.0.3.0+5
- Update release notes to 17.0.3.0+5
- Resolves: rhbz#2050456
* Tue Mar 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea
- Update to jdk-17.0.3.0+1
- Update release notes to 17.0.3.0+1
- Switch to EA mode for 17.0.3 pre-release builds.
- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
- Related: rhbz#2050456
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-15
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
- Resolves: rhbz#2055383 - Resolves: rhbz#2052070
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12 * Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-14
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2023540
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
- Introduce tests/tests.yml, based on the one in java-11-openjdk - Introduce tests/tests.yml, based on the one in java-11-openjdk
- Resolves: rhbz#2058490 - Resolves: rhbz#2058493
* Sun Feb 27 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-13
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
secmod.db file as part of nss
- Resolves: rhbz#2023536
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
- Resolves: rhbz#2051605
* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2053256
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10
- Storing and restoring alterntives during update manually - Storing and restoring alterntives during update manually
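Review bot: in the 1:17.0.3.0.7-1 entry the new side reads "Update release notes to 17.0.3.0+6", while the same entry updates to the jdk-17.0.3.0+7 release tarball and the old side said +7. If the notes do cover +7, correct the build number here; if they really stopped at +6, the April 2022 security update shipped with notes one build behind and that belongs in the release notes file rather than only in the changelog. The three consecutive Fri Jul 08 2022 entries for 1:17.0.3.0.7-6 (whitespace fix, section reordering, install-section changes) would also read better as one entry.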
@ -2678,30 +2848,28 @@ cjc.mainProgram(args)
-- the selection in family -- the selection in family
-- Thus this fix, is storing the family of manually selected master, and if -- Thus this fix, is storing the family of manually selected master, and if
-- stored, then it is restoring the family of the master -- stored, then it is restoring the family of the master
- Resolves: rhbz#2008206 - Resolves: rhbz#2008200
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9
- Family extracted to globals - Family extracted to globals
- Related: rhbz#2008206 - Resolves: rhbz#2008200
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-8
- Detect NSS at runtime for FIPS detection - alternatives creation moved to posttrans
- Turn off build-time NSS linking and go back to an explicit Requires on NSS - Thus fixing the old reisntall issue:
- Resolves: rhbz#2052829 - https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008200
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7 * Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2053521
* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2052819 - Resolves: rhbz#2051590
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5 * Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
- Fix FIPS issues in native code and with initialisation of java.security.Security - Fix FIPS issues in native code and with initialisation of java.security.Security
- Resolves: rhbz#2023531 - Resolves: rhbz#2023378
* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-4 * Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
- Restructure the build so a minimal initial build is then used for the final build (with docs) - Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
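Review bot: the 1:17.0.2.0.8-9 entry, "Family extracted to globals", changes from "Related: rhbz#2008206" to "Resolves: rhbz#2008200", so three consecutive entries (-10, -9, -8) now each claim to resolve the same bug. The -9 change is a preparatory refactoring, so "Related:" describes it more accurately and leaves one entry as the resolving one. The new -8 entry also misspells "reinstall" as "reisntall".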
@ -2714,108 +2882,92 @@ cjc.mainProgram(args)
- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. - Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
- Explicitly list JIT architectures rather than relying on those with slowdebug builds - Explicitly list JIT architectures rather than relying on those with slowdebug builds
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported - Disable the serviceability agent on Zero architectures even when the architecture itself is supported
- Resolves: rhbz#2022826 - Resolves: rhbz#2022822
* Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4 * Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-5
- Replaced tabs by sets of spaces to make rpmlint happy - Replaced tabs by sets of spaces to make rpmlint happy
- javadoc-zip gets its own provides next to plain javadoc ones - javadoc-zip gets its own provides next to plain javadoc ones
- Resolves: rhbz#2022826 - Resolves: rhbz#2022822
* Wed Feb 16 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-3 * Tue Feb 08 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
- Minor cosmetic improvements to make spec more comparable between variants - Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2022826 - Related: rhbz#2022822
* Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2 * Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-3
- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository - Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
- Related: rhbz#2022826 - Related: rhbz#2022822
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1 * Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
- Extend LTS check to exclude EPEL.
- Related: rhbz#2022822
* Thu Feb 03 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-2
- Set LTS designator.
- Related: rhbz#2022822
* Wed Jan 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
- January 2022 security update to jdk 17.0.2+8 - January 2022 security update to jdk 17.0.2+8
- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
- Rename libsvml.so to libjsvml.so following JDK-8276025 - Rename libsvml.so to libjsvml.so following JDK-8276025
- Drop JDK-8276572 patch which is now upstream - Resolves: rhbz#2039366
- Resolves: rhbz#2039392
* Thu Feb 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3 * Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
- Sync desktop files with upstream IcedTea release 3.15.0 using new script - Sync desktop files with upstream IcedTea release 3.15.0 using new script
- Related: rhbz#2022826 - Related: rhbz#2013842
* Mon Nov 29 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-2 * Tue Oct 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-2
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy - Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
secmod.db file as part of nss - Resolves: rhbz#2013842
- Resolves: rhbz#2023537
* Tue Nov 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-1 * Wed Oct 20 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-2
- Drop JDK-8272332 patch now included upstream.
- Resolves: rhbz#2013846
* Tue Nov 16 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-1
- October CPU update to jdk 17.0.1+12 - October CPU update to jdk 17.0.1+12
- Dropped commented-out source line - Dropped commented-out source line
- Resolves: rhbz#2013846 - Resolves: rhbz#2013842
* Tue Nov 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-8 * Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
- Extend LTS check to exclude EPEL.
- Related: rhbz#2013846
* Tue Nov 09 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.35-8
- Set LTS designator.
- Related: rhbz#2013846
* Mon Nov 08 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-7
- alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008206
* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
- Related: rhbz#2013846
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#1994682 - Resolves: rhbz#1994661
* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-5 * Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-6
- Add patch to allow plain key import. - Add patch to allow plain key import.
- Resolves: rhbz#1994682 - Resolves: rhbz#1994661
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4 * Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
- Update release notes to document the major changes between OpenJDK 11 & 17. - Update release notes to document the major changes between OpenJDK 11 & 17.
- Resolves: rhbz#2000925 - Resolves: rhbz#2003072
* Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3 * Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3
- Update to jdk-17+35, also known as jdk-17-ga. - Update to jdk-17+35, also known as jdk-17-ga.
- Switch to GA mode. - Switch to GA mode.
- Add JDK-8272332 fix so we actually link against HarfBuzz. - Add JDK-8272332 fix so we actually link against HarfBuzz.
- Resolves: rhbz#2000925 - Resolves: rhbz#2003072
- Resolves: rhbz#2004078
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea * Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
- Resolves: rhbz#1997359 - Resolves: rhbz#1996182
* Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea * Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea
- Fix unused function compiler warning found in systemconf.c - Fix unused function compiler warning found in systemconf.c
- Related: rhbz#1995889 - Related: rhbz#1995150
* Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea * Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea
- Add patch to login to the NSS software token when in FIPS mode. - Add patch to login to the NSS software token when in FIPS mode.
- Resolves: rhbz#1997359 - Resolves: rhbz#1996182
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea
- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
- Resolves: rhbz#1995889 - Resolves: rhbz#1995150
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
- Related: rhbz#1995889 - Related: rhbz#1995150
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
- Related: rhbz#1995889 - Related: rhbz#1995150
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
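Review bot: two patch records disappear from the new side without a counterpart. The 1:17.0.2.0.8-1 entry no longer has "Drop JDK-8276572 patch which is now upstream", and the Nov 05 2021 entry "Patch syslookup.c so it actually has some code to be compiled into libsyslookup" is gone entirely. Confirm for each whether the patch was never applied on this branch or is still being carried, and record the answer in the changelog, because a local patch with no add or drop entry is hard to audit against upstream later.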
@ -2826,56 +2978,51 @@ cjc.mainProgram(args)
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
- Related: rhbz#1995889 - Related: rhbz#1995150
* Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea * Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea
- Support the FIPS mode crypto policy (RH1655466) - Support the FIPS mode crypto policy (RH1655466)
- Use appropriate keystore types when in FIPS mode (RH1818909) - Use appropriate keystore types when in FIPS mode (RH1818909)
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
- Related: rhbz#1995889 - Related: rhbz#1995150
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea
- Update to jdk-17+33, including JDWP fix and July 2021 CPU - Update to jdk-17+33, including JDWP fix and July 2021 CPU
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:17.0.0.0.26-0.4.ea.1 * Wed Aug 25 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 14 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Tue Jul 13 2021 Jiri Vanek <pmikova@redhat.com> - 1:17.0.0.0.26-0.3.ea * Wed Aug 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.3.ea
- Add gating support
- Resolves: rhbz#1870625
* Fri Jun 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Re-enable TestSecurityProperties after inclusion of PR3695 - Re-enable TestSecurityProperties after inclusion of PR3695
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea * Wed Aug 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.3.ea
- Add PR3695 to allow the system crypto policy to be turned off - Add PR3695 to allow the system crypto policy to be turned off
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.1.ea * Wed Jul 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Thu Jun 24 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.1.ea * Wed Jul 14 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Update buildjdkver to 17 so as to build with itself - Update buildjdkver to 17 so as to build with itself
- Resolves: rhbz#1870625 - Resolves: rhbz#1959487
* Tue Jul 13 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.26-0.1.ea
- Add gating support
- Resolves: rhbz#1959487
* Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea * Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea
- Rename to java-17-openjdk and bootstrap using boot JDK in local sources - Rename as java-17-openjdk and bootstrap using boot JDK in local sources
- Exclude x86 as this is not supported by OpenJDK 17 - Exclude x86 as this is not supported by OpenJDK 17
- Use unzip to test src.zip to avoid looking for jar on path - Resolves: rhbz#1959487
- Resolves: rhbz#1870625
* Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling * Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling
- update sources to jdk 17.0.0+26 - update sources to jdk 17.0.0+26
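Review bot: the 1:17.0.0.0.26-0.0.ea entry loses "Use unzip to test src.zip to avoid looking for jar on path" on the new side. If the src.zip check on this branch still runs, confirm it does not depend on whichever jar happens to be first on PATH in the buildroot; if the unzip-based check is in place here too, keep the line so the changelog matches the spec.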
@ -2889,9 +3036,6 @@ cjc.mainProgram(args)
- add lib/libsvml.so for intel - add lib/libsvml.so for intel
- skip debuginfo check for libsyslookup.so on s390x - skip debuginfo check for libsyslookup.so on s390x
* Fri May 07 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
* Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling * Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
- adapted to debug handling in newer cjc - adapted to debug handling in newer cjc
- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution - The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
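Review bot: with the May 07 2021 entry about removing cjc backward compatibility dropped from this side, the retained Apr 29 2021 warning that the rest of the "rpm 4.17" patch must NOT be backported is the only place the constraint is written down. A changelog line is easy to miss during a later sync between branches, so repeat the constraint as a comment in the spec next to the cjc.mainProgram(args) call, stating that on rpm 4.16 and below the change would cause double execution.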