Compare commits
No commits in common. "imports/c9/java-17-openjdk-17.0.4.1.1-2.el9_0" and "c8-beta" have entirely different histories.
imports/c9
...
c8-beta
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
SOURCES/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
|
SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
|
||||||
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
f57ddb82318be77e9304b68bdf671043fa83662a SOURCES/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
|
95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
|
||||||
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||||
|
649
SOURCES/NEWS
649
SOURCES/NEWS
@ -3,6 +3,653 @@ Key:
|
|||||||
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
||||||
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
||||||
|
|
||||||
|
New in release OpenJDK 17.0.6 (2023-01-17):
|
||||||
|
===========================================
|
||||||
|
Live versions of these release notes can be found at:
|
||||||
|
* https://bitly.com/openjdk1706
|
||||||
|
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
|
||||||
|
|
||||||
|
* Other changes
|
||||||
|
- JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
|
||||||
|
- JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
|
||||||
|
- JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
|
||||||
|
- JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails
|
||||||
|
- JDK-8029633: Raw inner class constructor ref should not perform diamond inference
|
||||||
|
- JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails
|
||||||
|
- JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
|
||||||
|
- JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
|
||||||
|
- JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
|
||||||
|
- JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java
|
||||||
|
- JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout
|
||||||
|
- JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails
|
||||||
|
- JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...'
|
||||||
|
- JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
|
||||||
|
- JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs
|
||||||
|
- JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos
|
||||||
|
- JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos
|
||||||
|
- JDK-8244670: convert clhsdb "whatis" command from javascript to java
|
||||||
|
- JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives.
|
||||||
|
- JDK-8255439: System Tray icons get corrupted when Windows scaling changes
|
||||||
|
- JDK-8256811: Delayed/missed jdwp class unloading events
|
||||||
|
- JDK-8257722: Improve "keytool -printcert -jarfile" output
|
||||||
|
- JDK-8262721: Add Tests to verify single iteration loops are properly optimized
|
||||||
|
- JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) operation
|
||||||
|
- JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
|
||||||
|
- JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al
|
||||||
|
- JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java
|
||||||
|
- JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow"
|
||||||
|
- JDK-8268276: Base64 Decoding optimization for x86 using AVX-512
|
||||||
|
- JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
|
||||||
|
- JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
|
||||||
|
- JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs
|
||||||
|
- JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512
|
||||||
|
- JDK-8269571: NMT should print total malloc bytes and invocation count
|
||||||
|
- JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m)
|
||||||
|
- JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter
|
||||||
|
- JDK-8270155: ARM32: Improve register dump in hs_err
|
||||||
|
- JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
|
||||||
|
- JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns.
|
||||||
|
- JDK-8270947: AArch64: C1: use zero_words to initialize all objects
|
||||||
|
- JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts
|
||||||
|
- JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah
|
||||||
|
- JDK-8271956: AArch64: C1 build failed after JDK-8270947
|
||||||
|
- JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
|
||||||
|
- JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64
|
||||||
|
- JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag
|
||||||
|
- JDK-8272776: NullPointerException not reported
|
||||||
|
- JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947
|
||||||
|
- JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains
|
||||||
|
- JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java
|
||||||
|
- JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
|
||||||
|
- JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints
|
||||||
|
- JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long
|
||||||
|
- JDK-8273459: Update code segment alignment to 64 bytes
|
||||||
|
- JDK-8273497: building.md should link to both md and html
|
||||||
|
- JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
|
||||||
|
- JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12
|
||||||
|
- JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction
|
||||||
|
- JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled
|
||||||
|
- JDK-8273881: Metaspace: test repeated deallocations
|
||||||
|
- JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java
|
||||||
|
- JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI
|
||||||
|
- JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high
|
||||||
|
- JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS
|
||||||
|
- JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java
|
||||||
|
- JDK-8274527: Minimal VM build fails after JDK-8273459
|
||||||
|
- JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
|
||||||
|
- JDK-8274903: Zero: Support AsyncGetCallTrace
|
||||||
|
- JDK-8275170: Some jtreg sound tests should be marked with sound keyword
|
||||||
|
- JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList
|
||||||
|
- JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
|
||||||
|
- JDK-8275569: Add linux-aarch64 to test-make profiles
|
||||||
|
- JDK-8276108: Wrong instruction generation in aarch64 backend
|
||||||
|
- JDK-8276904: Optional.toString() is unnecessarily expensive
|
||||||
|
- JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM"
|
||||||
|
- JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64
|
||||||
|
- JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
|
||||||
|
- JDK-8277358: Accelerate CRC32-C
|
||||||
|
- JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
|
||||||
|
- JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64
|
||||||
|
- JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64
|
||||||
|
- JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64
|
||||||
|
- JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size
|
||||||
|
- JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
|
||||||
|
- JDK-8277928: Fix compilation on macosx-aarch64 after 8276108
|
||||||
|
- JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch"
|
||||||
|
- JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing)
|
||||||
|
- JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore
|
||||||
|
- JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
|
||||||
|
- JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out
|
||||||
|
- JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC
|
||||||
|
- JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails
|
||||||
|
- JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines
|
||||||
|
- JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes
|
||||||
|
- JDK-8280234: AArch64 "core" variant does not build after JDK-8270947
|
||||||
|
- JDK-8280391: NMT: Correct NMT tag on CollectedHeap
|
||||||
|
- JDK-8280511: AArch64: Combine shift and negate to a single instruction
|
||||||
|
- JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered
|
||||||
|
- JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object
|
||||||
|
- JDK-8280872: Reorder code cache segments to improve code density
|
||||||
|
- JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
|
||||||
|
- JDK-8280948: Write a regression test for JDK-4659800
|
||||||
|
- JDK-8281296: Create a regression test for JDK-4515999
|
||||||
|
- JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points
|
||||||
|
- JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores
|
||||||
|
- JDK-8282276: Problem list failing two Robot Screen Capture tests
|
||||||
|
- JDK-8282347: AARCH64: Untaken branch in has_negatives stub
|
||||||
|
- JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
|
||||||
|
- JDK-8282402: Create a regression test for JDK-4666101
|
||||||
|
- JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
|
||||||
|
- JDK-8282528: AArch64: Incorrect replicate2L_zero rule
|
||||||
|
- JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
|
||||||
|
- JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1
|
||||||
|
- JDK-8282730: LdapLoginModule throw NPE from logout method after login failure
|
||||||
|
- JDK-8282777: Create a Regression test for JDK-4515031
|
||||||
|
- JDK-8282857: Create a regression test for JDK-4702690
|
||||||
|
- JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
|
||||||
|
- JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup
|
||||||
|
- JDK-8283298: Make CodeCacheSegmentSize a product flag
|
||||||
|
- JDK-8283337: Posix signal handler modification warning triggering incorrectly
|
||||||
|
- JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32
|
||||||
|
- JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
|
||||||
|
- JDK-8283999: Update JMH devkit to 1.35
|
||||||
|
- JDK-8284533: Improve InterpreterCodelet data footprint
|
||||||
|
- JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction"
|
||||||
|
- JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
|
||||||
|
- JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X
|
||||||
|
- JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation
|
||||||
|
- JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
|
||||||
|
- JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently
|
||||||
|
- JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot
|
||||||
|
- JDK-8285093: Introduce UTIL_ARG_WITH
|
||||||
|
- JDK-8285305: Create an automated test for JDK-4495286
|
||||||
|
- JDK-8285373: Create an automated test for JDK-4702233
|
||||||
|
- JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)"
|
||||||
|
- JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
|
||||||
|
- JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java
|
||||||
|
- JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox
|
||||||
|
- JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment
|
||||||
|
- JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server"
|
||||||
|
- JDK-8286172: Create an automated test for JDK-4516019
|
||||||
|
- JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3"
|
||||||
|
- JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable
|
||||||
|
- JDK-8286452: The array length of testSmallConstArray should be small and const
|
||||||
|
- JDK-8286460: Remove dependence on JAR filename in CDS tests
|
||||||
|
- JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2
|
||||||
|
- JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
|
||||||
|
- JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray
|
||||||
|
- JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows
|
||||||
|
- JDK-8286872: Refactor add/modify notification icon (TrayIcon)
|
||||||
|
- JDK-8287011: Improve container information
|
||||||
|
- JDK-8287076: Document.normalizeDocument() produces different results
|
||||||
|
- JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance
|
||||||
|
- JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
|
||||||
|
- JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative
|
||||||
|
- JDK-8287740: NSAccessibilityShowMenuAction not working for text editors
|
||||||
|
- JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile
|
||||||
|
- JDK-8288132: Update test artifacts in QuoVadis CA interop tests
|
||||||
|
- JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces
|
||||||
|
- JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable
|
||||||
|
- JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
|
||||||
|
- JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name
|
||||||
|
- JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support
|
||||||
|
- JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output
|
||||||
|
- JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented
|
||||||
|
- JDK-8289301: P11Cipher should not throw out of bounds exception during padding
|
||||||
|
- JDK-8289524: Add JFR JIT restart event
|
||||||
|
- JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException
|
||||||
|
- JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https
|
||||||
|
- JDK-8290207: Missing notice in dom.md
|
||||||
|
- JDK-8290209: jcup.md missing additional text
|
||||||
|
- JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier()
|
||||||
|
- JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1
|
||||||
|
- JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure
|
||||||
|
- JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes
|
||||||
|
- JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS
|
||||||
|
- JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
|
||||||
|
- JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize
|
||||||
|
- JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
|
||||||
|
- JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false"
|
||||||
|
- JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM
|
||||||
|
- JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false
|
||||||
|
- JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
|
||||||
|
- JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
|
||||||
|
- JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
|
||||||
|
- JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath
|
||||||
|
- JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region
|
||||||
|
- JDK-8292083: Detected container memory limit may exceed physical machine memory
|
||||||
|
- JDK-8292158: AES-CTR cipher state corruption with AVX-512
|
||||||
|
- JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out
|
||||||
|
- JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
|
||||||
|
- JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle
|
||||||
|
- JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update
|
||||||
|
- JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
|
||||||
|
- JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
|
||||||
|
- JDK-8292816: GPL Classpath exception missing from assemblyprefix.h
|
||||||
|
- JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures
|
||||||
|
- JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading
|
||||||
|
- JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java
|
||||||
|
- JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6
|
||||||
|
- JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform
|
||||||
|
- JDK-8292903: enhance round_up_power_of_2 assertion output
|
||||||
|
- JDK-8293010: JDI ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking
|
||||||
|
- JDK-8293044: C1: Missing access check on non-accessible class
|
||||||
|
- JDK-8293232: Fix race condition in pkcs11 SessionManager
|
||||||
|
- JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
|
||||||
|
- JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
|
||||||
|
- JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint
|
||||||
|
- JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx
|
||||||
|
- JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
|
||||||
|
- JDK-8293550: Optionally add get-task-allow entitlement to macos binaries
|
||||||
|
- JDK-8293578: Duplicate ldc generated by javac
|
||||||
|
- JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
|
||||||
|
- JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details
|
||||||
|
- JDK-8293672: Update freetype md file
|
||||||
|
- JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present
|
||||||
|
- JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception
|
||||||
|
- JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
|
||||||
|
- JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent
|
||||||
|
- JDK-8293826: Closed test fails after JDK-8276108 on aarch64
|
||||||
|
- JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
|
||||||
|
- JDK-8293834: Update CLDR data following tzdata 2022c update
|
||||||
|
- JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum
|
||||||
|
- JDK-8293965: Code signing warnings after JDK-8293550
|
||||||
|
- JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
|
||||||
|
- JDK-8294307: ISO 4217 Amendment 173 Update
|
||||||
|
- JDK-8294310: compare.sh fails on macos after JDK-8293550
|
||||||
|
- JDK-8294357: (tz) Update Timezone Data to 2022d
|
||||||
|
- JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode
|
||||||
|
- JDK-8294740: Add cgroups keyword to TestDockerBasic.java
|
||||||
|
- JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md
|
||||||
|
- JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator
|
||||||
|
- JDK-8295173: (tz) Update Timezone Data to 2022e
|
||||||
|
- JDK-8295288: Some vm_flags tests associate with a wrong BugID
|
||||||
|
- JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests
|
||||||
|
- JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp
|
||||||
|
- JDK-8295419: JFR: Change name of jdk.JitRestart
|
||||||
|
- JDK-8295429: Update harfbuzz md file
|
||||||
|
- JDK-8295469: S390X: Optimized builds are broken
|
||||||
|
- JDK-8295554: Move the "sizecalc.h" to the correct location
|
||||||
|
- JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
|
||||||
|
- JDK-8295714: GHA ::set-output is deprecated and will be removed
|
||||||
|
- JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor
|
||||||
|
- JDK-8295952: Problemlist existing compiler/rtm tests also on x86
|
||||||
|
- JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM
|
||||||
|
- JDK-8296108: (tz) Update Timezone Data to 2022f
|
||||||
|
- JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
|
||||||
|
- JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
|
||||||
|
- JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation
|
||||||
|
- JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
|
||||||
|
- JDK-8296715: CLDR v42 update for tzdata 2022f
|
||||||
|
- JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
|
||||||
|
- JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds
|
||||||
|
- JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value
|
||||||
|
- JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
|
||||||
|
- JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes
|
||||||
|
- JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
|
||||||
|
- JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
|
||||||
|
- JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
|
||||||
|
- JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used
|
||||||
|
- JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again
|
||||||
|
- JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
|
||||||
|
- JDK-8297309: Memory leak in ShenandoahFullGC
|
||||||
|
- JDK-8297481: Create a regression test for JDK-4424517
|
||||||
|
- JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation
|
||||||
|
- JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run
|
||||||
|
- JDK-8297656: AArch64: Enable AES/GCM Intrinsics
|
||||||
|
- JDK-8297804: (tz) Update Timezone Data to 2022g
|
||||||
|
|
||||||
|
Notes on individual issues:
|
||||||
|
===========================
|
||||||
|
|
||||||
|
security-libs/java.security:
|
||||||
|
|
||||||
|
JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
|
||||||
|
==========================================================================================================
|
||||||
|
Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to
|
||||||
|
hold principals and credentials so that it rejected null
|
||||||
|
values. Attempts to call add(null), contains(null) or remove(null)
|
||||||
|
were changed to throw a NullPointerException.
|
||||||
|
|
||||||
|
However, the logout() methods in the LoginModule implementations
|
||||||
|
within the JDK were not updated to check for null values, which may
|
||||||
|
occur in the event of a failed login. As a result, a logout() call may
|
||||||
|
throw a NullPointerException.
|
||||||
|
|
||||||
|
The LoginModule implementations have now been updated with such checks
|
||||||
|
and an implementation note added to the specification to suggest that
|
||||||
|
the same change is made in third party modules. Developers of third
|
||||||
|
party modules are advised to verify that their logout() method does not
|
||||||
|
throw a NullPointerException.
|
||||||
|
|
||||||
|
New in release OpenJDK 17.0.5 (2022-10-18):
|
||||||
|
===========================================
|
||||||
|
Live versions of these release notes can be found at:
|
||||||
|
* https://bitly.com/openjdk1705
|
||||||
|
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html
|
||||||
|
|
||||||
|
* Security fixes
|
||||||
|
- JDK-8282252: Improve BigInteger/Decimal validation
|
||||||
|
- JDK-8285662: Better permission resolution
|
||||||
|
- JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
|
||||||
|
- JDK-8286511: Improve macro allocation
|
||||||
|
- JDK-8286519: Better memory handling
|
||||||
|
- JDK-8286526, CVE-2022-21619: Improve NTLM support
|
||||||
|
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
|
||||||
|
- JDK-8286918, CVE-2022-21628: Better HttpServer service
|
||||||
|
- JDK-8287446: Enhance icon presentations
|
||||||
|
- JDK-8288508: Enhance ECDSA usage
|
||||||
|
- JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
|
||||||
|
- JDK-8289853: Update HarfBuzz to 4.4.1
|
||||||
|
- JDK-8290334: Update FreeType to 2.12.1
|
||||||
|
* Other changes
|
||||||
|
- JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
|
||||||
|
- JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
|
||||||
|
- JDK-7131823: bug in GIFImageReader
|
||||||
|
- JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
|
||||||
|
- JDK-8028265: Add legacy tz tests to OpenJDK
|
||||||
|
- JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
|
||||||
|
- JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails
|
||||||
|
- JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
|
||||||
|
- JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
|
||||||
|
- JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
|
||||||
|
- JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test.
|
||||||
|
- JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values
|
||||||
|
- JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
|
||||||
|
- JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
|
||||||
|
- JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
|
||||||
|
- JDK-8227651: Tests fail with SSLProtocolException: Input record too big
|
||||||
|
- JDK-8240903: Add test to check that jmod hashes are reproducible
|
||||||
|
- JDK-8254318: Remove .hgtags
|
||||||
|
- JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
|
||||||
|
- JDK-8256844: Make NMT late-initializable
|
||||||
|
- JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom"
|
||||||
|
- JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class
|
||||||
|
- JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
|
||||||
|
- JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled"
|
||||||
|
- JDK-8269039: Disable SHA-1 Signed JARs
|
||||||
|
- JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr
|
||||||
|
- JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
|
||||||
|
- JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
|
||||||
|
- JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
|
||||||
|
- JDK-8271344: Windows product version issue
|
||||||
|
- JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
|
||||||
|
- JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData
|
||||||
|
- JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals
|
||||||
|
- JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null]
|
||||||
|
- JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
|
||||||
|
- JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts
|
||||||
|
- JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
|
||||||
|
- JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms
|
||||||
|
- JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
|
||||||
|
- JDK-8274597: Some of the dnd tests time out and fail intermittently
|
||||||
|
- JDK-8274856: Failing jpackage tests with fastdebug/release build
|
||||||
|
- JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
|
||||||
|
- JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
|
||||||
|
- JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold
|
||||||
|
- JDK-8276837: [macos]: Error when signing the additional launcher
|
||||||
|
- JDK-8277429: Conflicting jpackage static library name
|
||||||
|
- JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged"
|
||||||
|
- JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
|
||||||
|
- JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
|
||||||
|
- JDK-8278311: Debian packaging doesn't work
|
||||||
|
- JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
|
||||||
|
- JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
|
||||||
|
- JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
|
||||||
|
- JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
|
||||||
|
- JDK-8279622: C2: miscompilation of map pattern as a vector reduction
|
||||||
|
- JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
|
||||||
|
- JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
|
||||||
|
- JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
|
||||||
|
- JDK-8280863: Update build README to reflect that MSYS2 is supported
|
||||||
|
- JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
|
||||||
|
- JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism
|
||||||
|
- JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
|
||||||
|
- JDK-8281181: Do not use CPU Shares to compute active processor count
|
||||||
|
- JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
|
||||||
|
- JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted)
|
||||||
|
- JDK-8281535: Create a regression test for JDK-4670051
|
||||||
|
- JDK-8281569: Create tests for Frame.setMinimumSize() method
|
||||||
|
- JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
|
||||||
|
- JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
|
||||||
|
- JDK-8281745: Create a regression test for JDK-4514331
|
||||||
|
- JDK-8281988: Create a regression test for JDK-4618767
|
||||||
|
- JDK-8282007: Assorted enhancements to jpackage testing framework
|
||||||
|
- JDK-8282046: Create a regression test for JDK-8000326
|
||||||
|
- JDK-8282214: Upgrade JQuery to version 3.6.0
|
||||||
|
- JDK-8282234: Create a regression test for JDK-4532513
|
||||||
|
- JDK-8282280: Update Xerces to Version 2.12.2
|
||||||
|
- JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
|
||||||
|
- JDK-8282343: Create a regression test for JDK-4518432
|
||||||
|
- JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
|
||||||
|
- JDK-8282407: Missing ')' in MacResources.properties
|
||||||
|
- JDK-8282467: add extra diagnostics for JDK-8268184
|
||||||
|
- JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
|
||||||
|
- JDK-8282538: PKCS11 tests fail on CentOS Stream 9
|
||||||
|
- JDK-8282548: Create a regression test for JDK-4330998
|
||||||
|
- JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
|
||||||
|
- JDK-8282640: Create a test for JDK-4740761
|
||||||
|
- JDK-8282778: Create a regression test for JDK-4699544
|
||||||
|
- JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
|
||||||
|
- JDK-8282860: Write a regression test for JDK-4164779
|
||||||
|
- JDK-8282933: Create a test for JDK-4529616
|
||||||
|
- JDK-8282936: Write a regression test for JDK-4615365
|
||||||
|
- JDK-8282937: Write a regression test for JDK-4820080
|
||||||
|
- JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
|
||||||
|
- JDK-8283015: Create a test for JDK-4715496
|
||||||
|
- JDK-8283087: Create a test or JDK-4715503
|
||||||
|
- JDK-8283245: Create a test for JDK-4670319
|
||||||
|
- JDK-8283277: ISO 4217 Amendment 171 Update
|
||||||
|
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
|
||||||
|
- JDK-8283457: [macos] libpng build failures with Xcode13.3
|
||||||
|
- JDK-8283493: Create an automated regression test for RFE 4231298
|
||||||
|
- JDK-8283507: Create a regression test for RFE 4287690
|
||||||
|
- JDK-8283562: JDK-8282306 breaks gtests on zero
|
||||||
|
- JDK-8283597: [REDO] Invalid generic signature for redefined classes
|
||||||
|
- JDK-8283621: Write a regression test for CCC4400728
|
||||||
|
- JDK-8283623: Create an automated regression test for JDK-4525475
|
||||||
|
- JDK-8283624: Create an automated regression test for RFE-4390885
|
||||||
|
- JDK-8283712: Create a manual test framework class
|
||||||
|
- JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
|
||||||
|
- JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
|
||||||
|
- JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
|
||||||
|
- JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
|
||||||
|
- JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
|
||||||
|
- JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
|
||||||
|
- JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
|
||||||
|
- JDK-8284077: Create an automated test for JDK-4170173
|
||||||
|
- JDK-8284294: Create an automated regression test for RFE 4138746
|
||||||
|
- JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
|
||||||
|
- JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
|
||||||
|
- JDK-8284521: Write an automated regression test for RFE 4371575
|
||||||
|
- JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
|
||||||
|
- JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
|
||||||
|
- JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
|
||||||
|
- JDK-8284686: Interval of < 1 ms disables ExecutionSample events
|
||||||
|
- JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
|
||||||
|
- JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
|
||||||
|
- JDK-8284898: Enhance PassFailJFrame
|
||||||
|
- JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
|
||||||
|
- JDK-8284950: CgroupV1 detection code should consider memory.swappiness
|
||||||
|
- JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
|
||||||
|
- JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
|
||||||
|
- JDK-8285081: Improve XPath operators count accuracy
|
||||||
|
- JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
|
||||||
|
- JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
|
||||||
|
- JDK-8285380: Fix typos in security
|
||||||
|
- JDK-8285398: Cache the results of constraint checks
|
||||||
|
- JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
|
||||||
|
- JDK-8285693: Create an automated test for JDK-4702199
|
||||||
|
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
|
||||||
|
- JDK-8285730: unify _WIN32_WINNT settings
|
||||||
|
- JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
|
||||||
|
- JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
|
||||||
|
- JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
|
||||||
|
- JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
|
||||||
|
- JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
|
||||||
|
- JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
|
||||||
|
- JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
|
||||||
|
- JDK-8286277: CDS VerifyError when calling clone() on object array
|
||||||
|
- JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
|
||||||
|
- JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
|
||||||
|
- JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
|
||||||
|
- JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
|
||||||
|
- JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
|
||||||
|
- JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
|
||||||
|
- JDK-8286869: unify os::dir_is_empty across posix platforms
|
||||||
|
- JDK-8286870: Memory leak with RepeatCompilation
|
||||||
|
- JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
|
||||||
|
- JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
|
||||||
|
- JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
|
||||||
|
- JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
|
||||||
|
- JDK-8287113: JFR: Periodic task thread uses period for method sampling events
|
||||||
|
- JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
|
||||||
|
- JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
|
||||||
|
- JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
|
||||||
|
- JDK-8287366: Improve test failure reporting in GHA
|
||||||
|
- JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
|
||||||
|
- JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
|
||||||
|
- JDK-8287463: JFR: Disable TestDevNull.java on Windows
|
||||||
|
- JDK-8287663: Add a regression test for JDK-8287073
|
||||||
|
- JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
|
||||||
|
- JDK-8287724: Fix various issues with msys2
|
||||||
|
- JDK-8287735: Provide separate event category for dll operations
|
||||||
|
- JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
|
||||||
|
- JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
|
||||||
|
- JDK-8287895: Some langtools tests fail on msys2
|
||||||
|
- JDK-8287896: PropertiesTest.sh fail on msys2
|
||||||
|
- JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
|
||||||
|
- JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
|
||||||
|
- JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
|
||||||
|
- JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
|
||||||
|
- JDK-8288003: log events for os::dll_unload
|
||||||
|
- JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
|
||||||
|
- JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
|
||||||
|
- JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
|
||||||
|
- JDK-8288467: remove memory_operand assert for spilled instructions
|
||||||
|
- JDK-8288499: Restore cancel-in-progress in GHA
|
||||||
|
- JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
|
||||||
|
- JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
|
||||||
|
- JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
|
||||||
|
- JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
|
||||||
|
- JDK-8288992: AArch64: CMN should be handled the same way as CMP
|
||||||
|
- JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
|
||||||
|
- JDK-8289147: unify os::infinite_sleep on posix platforms
|
||||||
|
- JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
|
||||||
|
- JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
|
||||||
|
- JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
|
||||||
|
- JDK-8289486: Improve XSLT XPath operators count efficiency
|
||||||
|
- JDK-8289549: ISO 4217 Amendment 172 Update
|
||||||
|
- JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
|
||||||
|
- JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
|
||||||
|
- JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
|
||||||
|
- JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
|
||||||
|
- JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
|
||||||
|
- JDK-8289910: unify os::message_box across posix platforms
|
||||||
|
- JDK-8290000: Bump macOS GitHub actions to macOS 11
|
||||||
|
- JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
|
||||||
|
- JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
|
||||||
|
- JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
|
||||||
|
- JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
|
||||||
|
- JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
|
||||||
|
- JDK-8290456: remove os::print_statistics()
|
||||||
|
- JDK-8291595: [17u] Delete files missed in backport of 8269039
|
||||||
|
- JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
|
||||||
|
- JDK-8292579: (tz) Update Timezone Data to 2022c
|
||||||
|
- JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
|
||||||
|
|
||||||
|
Notes on individual issues:
|
||||||
|
===========================
|
||||||
|
|
||||||
|
core-libs/java.net:
|
||||||
|
|
||||||
|
JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
|
||||||
|
===========================================================================
|
||||||
|
Two system properties have been added which control the keep alive
|
||||||
|
behavior of HttpURLConnection in the case where the server does not
|
||||||
|
specify a keep alive time. Two properties are defined for controlling
|
||||||
|
connections to servers and proxies separately. They are:
|
||||||
|
|
||||||
|
* `http.keepAlive.time.server`
|
||||||
|
* `http.keepAlive.time.proxy`
|
||||||
|
|
||||||
|
respectively. More information about them can be found on the
|
||||||
|
Networking Properties page:
|
||||||
|
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
|
||||||
|
|
||||||
|
security-libs/javax.crypto:
|
||||||
|
|
||||||
|
JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location
|
||||||
|
=====================================================================================
|
||||||
|
The Windows KeyStore support in the SunMSCAPI provider has been
|
||||||
|
expanded to include access to the local machine location. The new
|
||||||
|
keystore types are:
|
||||||
|
|
||||||
|
* "Windows-MY-LOCALMACHINE"
|
||||||
|
* "Windows-ROOT-LOCALMACHINE"
|
||||||
|
|
||||||
|
The following keystore types were also added, allowing developers to
|
||||||
|
make it clear they map to the current user:
|
||||||
|
|
||||||
|
* "Windows-MY-CURRENTUSER" (same as "Windows-MY")
|
||||||
|
* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")
|
||||||
|
|
||||||
|
JDK-8286918: Better HttpServer service
|
||||||
|
======================================
|
||||||
|
The HttpServer can be optionally configured with a maximum connection
|
||||||
|
limit by setting the jdk.httpserver.maxConnections system property. A
|
||||||
|
value of 0 or a negative integer is ignored and considered to
|
||||||
|
represent no connection limit. In the case of a positive integer
|
||||||
|
value, any newly accepted connections will be first checked against
|
||||||
|
the current count of established connections and, if the configured
|
||||||
|
limit has been reached, then the newly accepted connection will be
|
||||||
|
closed immediately.
|
||||||
|
|
||||||
|
hotspot/runtime:
|
||||||
|
|
||||||
|
JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
|
||||||
|
=====================================================================
|
||||||
|
Previous JDK releases used an incorrect interpretation of the Linux
|
||||||
|
cgroups parameter "cpu.shares". This might cause the JVM to use fewer
|
||||||
|
CPUs than available, leading to an under utilization of CPU resources
|
||||||
|
when the JVM is used inside a container.
|
||||||
|
|
||||||
|
Starting from this JDK release, by default, the JVM no longer
|
||||||
|
considers "cpu.shares" when deciding the number of threads to be used
|
||||||
|
by the various thread pools. The `-XX:+UseContainerCpuShares`
|
||||||
|
command-line option can be used to revert to the previous
|
||||||
|
behavior. This option is deprecated and may be removed in a future JDK
|
||||||
|
release.
|
||||||
|
|
||||||
|
security-libs/java.security:
|
||||||
|
|
||||||
|
JDK-8269039: Disabled SHA-1 Signed JARs
|
||||||
|
=======================================
|
||||||
|
JARs signed with SHA-1 algorithms are now restricted by default and
|
||||||
|
treated as if they were unsigned. This applies to the algorithms used
|
||||||
|
to digest, sign, and optionally timestamp the JAR. It also applies to
|
||||||
|
the signature and digest algorithms of the certificates in the
|
||||||
|
certificate chain of the code signer and the Timestamp Authority, and
|
||||||
|
any CRLs or OCSP responses that are used to verify if those
|
||||||
|
certificates have been revoked. These restrictions also apply to
|
||||||
|
signed JCE providers.
|
||||||
|
|
||||||
|
To reduce the compatibility risk for JARs that have been previously
|
||||||
|
timestamped, there is one exception to this policy:
|
||||||
|
|
||||||
|
- Any JAR signed with SHA-1 algorithms and timestamped prior to
|
||||||
|
January 01, 2019 will not be restricted.
|
||||||
|
|
||||||
|
This exception may be removed in a future JDK release. To determine if
|
||||||
|
your signed JARs are affected by this change, run:
|
||||||
|
|
||||||
|
$ jarsigner -verify -verbose -certs`
|
||||||
|
|
||||||
|
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
|
||||||
|
"disabled" and a warning that the JAR will be treated as unsigned in
|
||||||
|
the output.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
Signed by "CN="Signer""
|
||||||
|
Digest algorithm: SHA-1 (disabled)
|
||||||
|
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
|
||||||
|
|
||||||
|
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
|
||||||
|
|
||||||
|
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
|
||||||
|
|
||||||
|
JARs affected by these new restrictions should be replaced or
|
||||||
|
re-signed with stronger algorithms.
|
||||||
|
|
||||||
|
Users can, *at their own risk*, remove these restrictions by modifying
|
||||||
|
the `java.security` configuration file (or override it by using the
|
||||||
|
`java.security.properties` system property) and removing "SHA1 usage
|
||||||
|
SignedJAR & denyAfter 2019-01-01" from the
|
||||||
|
`jdk.certpath.disabledAlgorithms` security property and "SHA1
|
||||||
|
denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
|
||||||
|
property.
|
||||||
|
|
||||||
New in release OpenJDK 17.0.4.1 (2022-08-16):
|
New in release OpenJDK 17.0.4.1 (2022-08-16):
|
||||||
===========================================
|
===========================================
|
||||||
Live versions of these release notes can be found at:
|
Live versions of these release notes can be found at:
|
||||||
@ -32,6 +679,7 @@ Live versions of these release notes can be found at:
|
|||||||
* Security fixes
|
* Security fixes
|
||||||
- JDK-8272243: Improve DER parsing
|
- JDK-8272243: Improve DER parsing
|
||||||
- JDK-8272249: Better properties of loaded Properties
|
- JDK-8272249: Better properties of loaded Properties
|
||||||
|
- JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
|
||||||
- JDK-8277608: Address IP Addressing
|
- JDK-8277608: Address IP Addressing
|
||||||
- JDK-8281859, CVE-2022-21540: Improve class compilation
|
- JDK-8281859, CVE-2022-21540: Improve class compilation
|
||||||
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
|
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
|
||||||
@ -86,7 +734,6 @@ Live versions of these release notes can be found at:
|
|||||||
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
|
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
|
||||||
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
|
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
|
||||||
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
|
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
|
||||||
- JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
|
|
||||||
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
|
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
|
||||||
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
|
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
|
||||||
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
|
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
|
||||||
|
@ -15,20 +15,145 @@ You should have received a copy of the GNU Affero General Public License
|
|||||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.text.DateFormatSymbols;
|
||||||
import java.util.Locale;
|
|
||||||
import java.util.ResourceBundle;
|
|
||||||
|
|
||||||
import sun.util.resources.LocaleData;
|
import java.time.ZoneId;
|
||||||
import sun.util.locale.provider.LocaleProviderAdapter;
|
import java.time.format.TextStyle;
|
||||||
|
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Locale;
|
||||||
|
import java.util.Objects;
|
||||||
|
import java.util.TimeZone;
|
||||||
|
|
||||||
public class TestTranslations {
|
public class TestTranslations {
|
||||||
|
|
||||||
|
private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
|
||||||
|
|
||||||
|
static {
|
||||||
|
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
|
||||||
|
map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
|
||||||
|
"Eastern European Summer Time", "GMT+03:00", "EEST",
|
||||||
|
"Eastern European Time", "GMT+02:00", "EET"});
|
||||||
|
map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
|
||||||
|
"heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
|
||||||
|
"heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
|
||||||
|
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
|
||||||
|
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
|
||||||
|
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
|
||||||
|
KYIV = Collections.unmodifiableMap(map);
|
||||||
|
|
||||||
|
map = new HashMap<Locale,String[]>();
|
||||||
|
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
|
||||||
|
"Mountain Daylight Time", "MDT", "MDT",
|
||||||
|
"Mountain Time", "MT", "MT"});
|
||||||
|
map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
|
||||||
|
"heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
|
||||||
|
"heure des Rocheuses", "UTC\u221207:00", "MT"});
|
||||||
|
map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST",
|
||||||
|
"Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
|
||||||
|
"Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
|
||||||
|
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
for (String zone : args) {
|
if (args.length < 1) {
|
||||||
System.out.printf("Translations for %s\n", zone);
|
System.err.println("Test must be started with the name of the locale provider.");
|
||||||
for (Locale l : Locale.getAvailableLocales()) {
|
System.exit(1);
|
||||||
ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
|
}
|
||||||
System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
|
|
||||||
|
System.out.println("Checking sanity of full zone string set...");
|
||||||
|
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
|
||||||
|
.peek(l -> System.out.println("Locale: " + l))
|
||||||
|
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
|
||||||
|
.flatMap(zs -> Arrays.stream(zs))
|
||||||
|
.flatMap(names -> Arrays.stream(names))
|
||||||
|
.filter(name -> Objects.isNull(name) || name.isEmpty())
|
||||||
|
.findAny()
|
||||||
|
.isPresent();
|
||||||
|
if (invalid) {
|
||||||
|
System.err.println("Zone string for a locale returned null or empty string");
|
||||||
|
System.exit(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
String localeProvider = args[0];
|
||||||
|
testZone(localeProvider, KYIV,
|
||||||
|
new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
|
||||||
|
testZone(localeProvider, CIUDAD_JUAREZ,
|
||||||
|
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
|
||||||
|
for (Locale l : exp.keySet()) {
|
||||||
|
String[] expected = exp.get(l);
|
||||||
|
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
|
||||||
|
for (String id : ids) {
|
||||||
|
String expectedShortStd = null;
|
||||||
|
String expectedShortDST = null;
|
||||||
|
String expectedShortGen = null;
|
||||||
|
|
||||||
|
System.out.printf("Checking locale %s for %s...\n", l, id);
|
||||||
|
|
||||||
|
if ("JRE".equals(localeProvider)) {
|
||||||
|
expectedShortStd = expected[2];
|
||||||
|
expectedShortDST = expected[5];
|
||||||
|
expectedShortGen = expected[8];
|
||||||
|
} else if ("CLDR".equals(localeProvider)) {
|
||||||
|
expectedShortStd = expected[1];
|
||||||
|
expectedShortDST = expected[4];
|
||||||
|
expectedShortGen = expected[7];
|
||||||
|
} else {
|
||||||
|
System.err.printf("Invalid locale provider %s\n", localeProvider);
|
||||||
|
System.exit(3);
|
||||||
|
}
|
||||||
|
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
|
||||||
|
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
|
||||||
|
|
||||||
|
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
|
||||||
|
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
|
||||||
|
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
|
||||||
|
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
|
||||||
|
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
|
||||||
|
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
|
||||||
|
|
||||||
|
if (!expected[0].equals(longStd)) {
|
||||||
|
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
|
||||||
|
id, l, longStd, expected[0]);
|
||||||
|
System.exit(4);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!expectedShortStd.equals(shortStd)) {
|
||||||
|
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
|
||||||
|
id, l, shortStd, expectedShortStd);
|
||||||
|
System.exit(5);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!expected[3].equals(longDST)) {
|
||||||
|
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
|
||||||
|
id, l, longDST, expected[3]);
|
||||||
|
System.exit(6);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!expectedShortDST.equals(shortDST)) {
|
||||||
|
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
|
||||||
|
id, l, shortDST, expectedShortDST);
|
||||||
|
System.exit(7);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!expected[6].equals(longGen)) {
|
||||||
|
System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
|
||||||
|
id, l, longGen, expected[6]);
|
||||||
|
System.exit(8);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!expectedShortGen.equals(shortGen)) {
|
||||||
|
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
|
||||||
|
id, l, shortGen, expectedShortGen);
|
||||||
|
System.exit(9);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,33 @@
|
|||||||
|
diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
|
||||||
|
index 5f4b22bb27f..1ca9f5b8ffe 100644
|
||||||
|
--- a/make/autoconf/build-aux/pkg.m4
|
||||||
|
+++ b/make/autoconf/build-aux/pkg.m4
|
||||||
|
@@ -179,3 +179,19 @@ else
|
||||||
|
ifelse([$3], , :, [$3])
|
||||||
|
fi[]dnl
|
||||||
|
])# PKG_CHECK_MODULES
|
||||||
|
+
|
||||||
|
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
|
||||||
|
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||||
|
+dnl -------------------------------------------
|
||||||
|
+dnl Since: 0.28
|
||||||
|
+dnl
|
||||||
|
+dnl Retrieves the value of the pkg-config variable for the given module.
|
||||||
|
+AC_DEFUN([PKG_CHECK_VAR],
|
||||||
|
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
|
||||||
|
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
|
||||||
|
+
|
||||||
|
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
|
||||||
|
+AS_VAR_COPY([$1], [pkg_cv_][$1])
|
||||||
|
+
|
||||||
|
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
|
||||||
|
+])dnl PKG_CHECK_VAR
|
||||||
diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
|
diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..b2b1c1787da
|
index 00000000000..f48fc7f7e80
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/make/autoconf/lib-sysconf.m4
|
+++ b/make/autoconf/lib-sysconf.m4
|
||||||
@@ -0,0 +1,84 @@
|
@@ -0,0 +1,87 @@
|
||||||
+#
|
+#
|
||||||
+# Copyright (c) 2021, Red Hat, Inc.
|
+# Copyright (c) 2021, Red Hat, Inc.
|
||||||
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da
|
|||||||
+ #
|
+ #
|
||||||
+ # Check for the NSS library
|
+ # Check for the NSS library
|
||||||
+ #
|
+ #
|
||||||
|
+ AC_MSG_CHECKING([for NSS library directory])
|
||||||
|
+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
|
||||||
+
|
+
|
||||||
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
|
+ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
|
||||||
+
|
+
|
||||||
+ # default is not available
|
+ # default is not available
|
||||||
+ DEFAULT_SYSCONF_NSS=no
|
+ DEFAULT_SYSCONF_NSS=no
|
||||||
@ -87,6 +113,7 @@ index 00000000000..b2b1c1787da
|
|||||||
+ fi
|
+ fi
|
||||||
+ fi
|
+ fi
|
||||||
+ AC_SUBST(USE_SYSCONF_NSS)
|
+ AC_SUBST(USE_SYSCONF_NSS)
|
||||||
|
+ AC_SUBST(NSS_LIBDIR)
|
||||||
+])
|
+])
|
||||||
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
||||||
index a65d91ee974..a8f054c1397 100644
|
index a65d91ee974..a8f054c1397 100644
|
||||||
@ -109,20 +136,43 @@ index a65d91ee974..a8f054c1397 100644
|
|||||||
BASIC_JDKLIB_LIBS=""
|
BASIC_JDKLIB_LIBS=""
|
||||||
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
|
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
|
||||||
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
||||||
index c2c9c4adf3a..9d105b37acf 100644
|
index d557549adb3..1cb44bd2595 100644
|
||||||
--- a/make/autoconf/spec.gmk.in
|
--- a/make/autoconf/spec.gmk.in
|
||||||
+++ b/make/autoconf/spec.gmk.in
|
+++ b/make/autoconf/spec.gmk.in
|
||||||
@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
||||||
# Libraries
|
# Libraries
|
||||||
#
|
#
|
||||||
|
|
||||||
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
||||||
+NSS_LIBS:=@NSS_LIBS@
|
+NSS_LIBS:=@NSS_LIBS@
|
||||||
+NSS_CFLAGS:=@NSS_CFLAGS@
|
+NSS_CFLAGS:=@NSS_CFLAGS@
|
||||||
|
+NSS_LIBDIR:=@NSS_LIBDIR@
|
||||||
+
|
+
|
||||||
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
||||||
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
||||||
LCMS_LIBS:=@LCMS_LIBS@
|
LCMS_LIBS:=@LCMS_LIBS@
|
||||||
|
diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
|
||||||
|
index 4b894eeae4a..51567071aa8 100644
|
||||||
|
--- a/make/modules/java.base/Gendata.gmk
|
||||||
|
+++ b/make/modules/java.base/Gendata.gmk
|
||||||
|
@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
|
||||||
|
TARGETS += $(GENDATA_JAVA_SECURITY)
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
+
|
||||||
|
+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||||
|
+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
|
||||||
|
+
|
||||||
|
+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
|
||||||
|
+ $(call LogInfo, Generating nss.fips.cfg)
|
||||||
|
+ $(call MakeTargetDir)
|
||||||
|
+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
|
||||||
|
+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+TARGETS += $(GENDATA_NSS_FIPS_CFG)
|
||||||
|
+
|
||||||
|
+################################################################################
|
||||||
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
|
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
|
||||||
index 5658ff342e5..c8bc5bde1e1 100644
|
index 5658ff342e5..c8bc5bde1e1 100644
|
||||||
--- a/make/modules/java.base/Lib.gmk
|
--- a/make/modules/java.base/Lib.gmk
|
||||||
@ -1771,7 +1821,7 @@ index f6d3638c3dd..a1ee182d913 100644
|
|||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
|
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
|
||||||
index 63bb580eb3a..dbbf11bbb22 100644
|
index 9faee9cae36..27f43550aa4 100644
|
||||||
--- a/src/java.base/share/classes/module-info.java
|
--- a/src/java.base/share/classes/module-info.java
|
||||||
+++ b/src/java.base/share/classes/module-info.java
|
+++ b/src/java.base/share/classes/module-info.java
|
||||||
@@ -152,6 +152,8 @@ module java.base {
|
@@ -152,6 +152,8 @@ module java.base {
|
||||||
@ -2193,18 +2243,6 @@ index ca79f25cc44..225517ac69b 100644
|
|||||||
addA(p, "AlgorithmParameters", "RSASSA-PSS",
|
addA(p, "AlgorithmParameters", "RSASSA-PSS",
|
||||||
"sun.security.rsa.PSSParameters", null);
|
"sun.security.rsa.PSSParameters", null);
|
||||||
}
|
}
|
||||||
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
||||||
index 6ffdfeda18d..82e896170f0 100644
|
|
||||||
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
||||||
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
||||||
@@ -32,6 +32,7 @@ import java.security.cert.*;
|
|
||||||
import java.util.*;
|
|
||||||
import java.util.concurrent.locks.ReentrantLock;
|
|
||||||
import javax.net.ssl.*;
|
|
||||||
+import jdk.internal.access.SharedSecrets;
|
|
||||||
import sun.security.action.GetPropertyAction;
|
|
||||||
import sun.security.provider.certpath.AlgorithmChecker;
|
|
||||||
import sun.security.validator.Validator;
|
|
||||||
diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
|
diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..dc8bc72fccb
|
index 00000000000..dc8bc72fccb
|
||||||
@ -2509,7 +2547,7 @@ index 00000000000..dc8bc72fccb
|
|||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
||||||
index 6d91e3f8e4e..f357b630460 100644
|
index 63be286686d..b0a589c3fb4 100644
|
||||||
--- a/src/java.base/share/conf/security/java.security
|
--- a/src/java.base/share/conf/security/java.security
|
||||||
+++ b/src/java.base/share/conf/security/java.security
|
+++ b/src/java.base/share/conf/security/java.security
|
||||||
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
||||||
@ -2529,7 +2567,7 @@ index 6d91e3f8e4e..f357b630460 100644
|
|||||||
#
|
#
|
||||||
# A list of preferred providers for specific algorithms. These providers will
|
# A list of preferred providers for specific algorithms. These providers will
|
||||||
# be searched for matching algorithms before the list of registered providers.
|
# be searched for matching algorithms before the list of registered providers.
|
||||||
@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false
|
@@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false
|
||||||
#
|
#
|
||||||
keystore.type=pkcs12
|
keystore.type=pkcs12
|
||||||
|
|
||||||
@ -2537,11 +2575,47 @@ index 6d91e3f8e4e..f357b630460 100644
|
|||||||
+# Default keystore type used when global crypto-policies are set to FIPS.
|
+# Default keystore type used when global crypto-policies are set to FIPS.
|
||||||
+#
|
+#
|
||||||
+fips.keystore.type=pkcs12
|
+fips.keystore.type=pkcs12
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
|
||||||
|
+#
|
||||||
|
+# The syntax for this property is identical to the 'nssSecmodDirectory'
|
||||||
|
+# attribute available in the SunPKCS11 NSS configuration file. Use the
|
||||||
|
+# 'sql:' prefix to refer to an SQLite DB.
|
||||||
|
+#
|
||||||
|
+# If the system property fips.nssdb.path is also specified, it supersedes
|
||||||
|
+# the security property value defined here.
|
||||||
|
+#
|
||||||
|
+# Note: the default value for this property points to an NSS DB that might be
|
||||||
|
+# readable by multiple operating system users and unsuitable to store keys.
|
||||||
|
+#
|
||||||
|
+fips.nssdb.path=sql:/etc/pki/nssdb
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
|
||||||
|
+#
|
||||||
|
+# Values must take any of the following forms:
|
||||||
|
+# 1) pin:<value>
|
||||||
|
+# Value: clear text PIN value.
|
||||||
|
+# 2) env:<value>
|
||||||
|
+# Value: environment variable containing the PIN value.
|
||||||
|
+# 3) file:<value>
|
||||||
|
+# Value: path to a file containing the PIN value in its first
|
||||||
|
+# line.
|
||||||
|
+#
|
||||||
|
+# If the system property fips.nssdb.pin is also specified, it supersedes
|
||||||
|
+# the security property value defined here.
|
||||||
|
+#
|
||||||
|
+# When used as a system property, UTF-8 encoded values are valid. When
|
||||||
|
+# used as a security property (such as in this file), encode non-Basic
|
||||||
|
+# Latin Unicode characters with \uXXXX.
|
||||||
|
+#
|
||||||
|
+fips.nssdb.pin=pin:
|
||||||
+
|
+
|
||||||
#
|
#
|
||||||
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
||||||
#
|
#
|
||||||
@@ -326,6 +341,13 @@ package.definition=sun.misc.,\
|
@@ -326,6 +377,13 @@ package.definition=sun.misc.,\
|
||||||
#
|
#
|
||||||
security.overridePropertiesFile=true
|
security.overridePropertiesFile=true
|
||||||
|
|
||||||
@ -2555,6 +2629,20 @@ index 6d91e3f8e4e..f357b630460 100644
|
|||||||
#
|
#
|
||||||
# Determines the default key and trust manager factory algorithms for
|
# Determines the default key and trust manager factory algorithms for
|
||||||
# the javax.net.ssl package.
|
# the javax.net.ssl package.
|
||||||
|
diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..55bbba98b7a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+name = NSS-FIPS
|
||||||
|
+nssLibraryDirectory = @NSS_LIBDIR@
|
||||||
|
+nssSecmodDirectory = ${fips.nssdb.path}
|
||||||
|
+nssDbMode = readWrite
|
||||||
|
+nssModule = fips
|
||||||
|
+
|
||||||
|
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||||
|
+
|
||||||
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
|
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
|
||||||
index b22f26947af..3ee2ce6ea88 100644
|
index b22f26947af..3ee2ce6ea88 100644
|
||||||
--- a/src/java.base/share/lib/security/default.policy
|
--- a/src/java.base/share/lib/security/default.policy
|
||||||
@ -2819,10 +2907,10 @@ index 00000000000..ddf9befe5bc
|
|||||||
+#endif
|
+#endif
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..8cfa2734d4e
|
index 00000000000..d3f0bffb821
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||||
@@ -0,0 +1,461 @@
|
@@ -0,0 +1,457 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2021, Red Hat, Inc.
|
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
@ -2897,9 +2985,6 @@ index 00000000000..8cfa2734d4e
|
|||||||
+ private static volatile Provider sunECProvider = null;
|
+ private static volatile Provider sunECProvider = null;
|
||||||
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
|
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
|
||||||
+
|
+
|
||||||
+ private static volatile KeyFactory DHKF = null;
|
|
||||||
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
|
|
||||||
+
|
|
||||||
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
|
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
|
||||||
+ throws PKCS11Exception {
|
+ throws PKCS11Exception {
|
||||||
+ long keyID = -1;
|
+ long keyID = -1;
|
||||||
@ -3144,8 +3229,7 @@ index 00000000000..8cfa2734d4e
|
|||||||
+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
|
+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
|
||||||
+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
|
+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
|
||||||
+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
|
+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
|
||||||
+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey
|
+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
|
||||||
+ );
|
|
||||||
+ CK_ATTRIBUTE attr;
|
+ CK_ATTRIBUTE attr;
|
||||||
+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
|
+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
|
||||||
+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
|
+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
|
||||||
@ -3284,6 +3368,162 @@ index 00000000000..8cfa2734d4e
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..f8d505ca815
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
|
||||||
|
@@ -0,0 +1,149 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2022, Red Hat, Inc.
|
||||||
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
+ *
|
||||||
|
+ * This code is free software; you can redistribute it and/or modify it
|
||||||
|
+ * under the terms of the GNU General Public License version 2 only, as
|
||||||
|
+ * published by the Free Software Foundation. Oracle designates this
|
||||||
|
+ * particular file as subject to the "Classpath" exception as provided
|
||||||
|
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||||
|
+ *
|
||||||
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
+ * accompanied this code).
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License version
|
||||||
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
+ *
|
||||||
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||||
|
+ * or visit www.oracle.com if you need additional information or have any
|
||||||
|
+ * questions.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+package sun.security.pkcs11;
|
||||||
|
+
|
||||||
|
+import java.io.BufferedReader;
|
||||||
|
+import java.io.ByteArrayInputStream;
|
||||||
|
+import java.io.InputStream;
|
||||||
|
+import java.io.InputStreamReader;
|
||||||
|
+import java.io.IOException;
|
||||||
|
+import java.nio.charset.StandardCharsets;
|
||||||
|
+import java.nio.file.Files;
|
||||||
|
+import java.nio.file.Path;
|
||||||
|
+import java.nio.file.Paths;
|
||||||
|
+import java.nio.file.StandardOpenOption;
|
||||||
|
+import java.security.ProviderException;
|
||||||
|
+
|
||||||
|
+import javax.security.auth.callback.Callback;
|
||||||
|
+import javax.security.auth.callback.CallbackHandler;
|
||||||
|
+import javax.security.auth.callback.PasswordCallback;
|
||||||
|
+import javax.security.auth.callback.UnsupportedCallbackException;
|
||||||
|
+
|
||||||
|
+import sun.security.util.Debug;
|
||||||
|
+import sun.security.util.SecurityProperties;
|
||||||
|
+
|
||||||
|
+final class FIPSTokenLoginHandler implements CallbackHandler {
|
||||||
|
+
|
||||||
|
+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
|
||||||
|
+
|
||||||
|
+ private static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
|
+
|
||||||
|
+ public void handle(Callback[] callbacks)
|
||||||
|
+ throws IOException, UnsupportedCallbackException {
|
||||||
|
+ if (!(callbacks[0] instanceof PasswordCallback)) {
|
||||||
|
+ throw new UnsupportedCallbackException(callbacks[0]);
|
||||||
|
+ }
|
||||||
|
+ PasswordCallback pc = (PasswordCallback)callbacks[0];
|
||||||
|
+ pc.setPassword(getFipsNssdbPin());
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ private static char[] getFipsNssdbPin() throws ProviderException {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: Reading NSS DB PIN for token...");
|
||||||
|
+ }
|
||||||
|
+ String pinProp = SecurityProperties
|
||||||
|
+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
|
||||||
|
+ if (pinProp != null && !pinProp.isEmpty()) {
|
||||||
|
+ String[] pinPropParts = pinProp.split(":", 2);
|
||||||
|
+ if (pinPropParts.length < 2) {
|
||||||
|
+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
|
||||||
|
+ " property value.");
|
||||||
|
+ }
|
||||||
|
+ String prefix = pinPropParts[0].toLowerCase();
|
||||||
|
+ String value = pinPropParts[1];
|
||||||
|
+ String pin = null;
|
||||||
|
+ if (prefix.equals("env")) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: PIN value from the '" + value +
|
||||||
|
+ "' environment variable.");
|
||||||
|
+ }
|
||||||
|
+ pin = System.getenv(value);
|
||||||
|
+ } else if (prefix.equals("file")) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: PIN value from the '" + value +
|
||||||
|
+ "' file.");
|
||||||
|
+ }
|
||||||
|
+ pin = getPinFromFile(Paths.get(value));
|
||||||
|
+ } else if (prefix.equals("pin")) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: PIN value from the " +
|
||||||
|
+ FIPS_NSSDB_PIN_PROP + " property.");
|
||||||
|
+ }
|
||||||
|
+ pin = value;
|
||||||
|
+ } else {
|
||||||
|
+ throw new ProviderException("Unsupported prefix for " +
|
||||||
|
+ FIPS_NSSDB_PIN_PROP + ".");
|
||||||
|
+ }
|
||||||
|
+ if (pin != null && !pin.isEmpty()) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: non-empty PIN.");
|
||||||
|
+ }
|
||||||
|
+ /*
|
||||||
|
+ * C_Login in libj2pkcs11 receives the PIN in a char[] and
|
||||||
|
+ * discards the upper byte of each char, before passing
|
||||||
|
+ * the value to the NSS Software Token. However, the
|
||||||
|
+ * NSS Software Token accepts any UTF-8 PIN value. Thus,
|
||||||
|
+ * expand the PIN here to account for later truncation.
|
||||||
|
+ */
|
||||||
|
+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
|
||||||
|
+ char[] pinChar = new char[pinUtf8.length];
|
||||||
|
+ for (int i = 0; i < pinChar.length; i++) {
|
||||||
|
+ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
|
||||||
|
+ }
|
||||||
|
+ return pinChar;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: empty PIN.");
|
||||||
|
+ }
|
||||||
|
+ return null;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * This method extracts the token PIN from the first line of a password
|
||||||
|
+ * file in the same way as NSS modutil. See for example the -newpwfile
|
||||||
|
+ * argument used to change the password for an NSS DB.
|
||||||
|
+ */
|
||||||
|
+ private static String getPinFromFile(Path f) throws ProviderException {
|
||||||
|
+ try (InputStream is =
|
||||||
|
+ Files.newInputStream(f, StandardOpenOption.READ)) {
|
||||||
|
+ /*
|
||||||
|
+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
|
||||||
|
+ * reads up to 4096 bytes. In addition, the NSS Software Token
|
||||||
|
+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
|
||||||
|
+ * in nss/lib/softoken/pkcs11i.h).
|
||||||
|
+ */
|
||||||
|
+ BufferedReader in =
|
||||||
|
+ new BufferedReader(new InputStreamReader(
|
||||||
|
+ new ByteArrayInputStream(is.readNBytes(4096)),
|
||||||
|
+ StandardCharsets.UTF_8));
|
||||||
|
+ return in.readLine();
|
||||||
|
+ } catch (IOException ioe) {
|
||||||
|
+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
|
||||||
|
+ " from the '" + f + "' file.", ioe);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
\ No newline at end of file
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||||
index 9b69072280e..5696b904979 100644
|
index 9b69072280e..5696b904979 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||||
@ -3597,7 +3837,7 @@ index 00000000000..ae4262703e6
|
|||||||
+
|
+
|
||||||
+}
|
+}
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
||||||
index c98960f7fcc..c14319a5356 100644
|
index 8d1b8ccb0ae..950ed20cf62 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
||||||
@@ -31,6 +31,7 @@ import java.security.*;
|
@@ -31,6 +31,7 @@ import java.security.*;
|
||||||
@ -3608,7 +3848,7 @@ index c98960f7fcc..c14319a5356 100644
|
|||||||
import javax.crypto.spec.*;
|
import javax.crypto.spec.*;
|
||||||
|
|
||||||
import static sun.security.pkcs11.TemplateManager.*;
|
import static sun.security.pkcs11.TemplateManager.*;
|
||||||
@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
||||||
return p11Key;
|
return p11Key;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3737,7 +3977,7 @@ index c98960f7fcc..c14319a5356 100644
|
|||||||
static void fixDESParity(byte[] key, int offset) {
|
static void fixDESParity(byte[] key, int offset) {
|
||||||
for (int i = 0; i < 8; i++) {
|
for (int i = 0; i < 8; i++) {
|
||||||
int b = key[offset] & 0xfe;
|
int b = key[offset] & 0xfe;
|
||||||
@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
||||||
keySpec = new SecretKeySpec(keyBytes, "DESede");
|
keySpec = new SecretKeySpec(keyBytes, "DESede");
|
||||||
return engineGenerateSecret(keySpec);
|
return engineGenerateSecret(keySpec);
|
||||||
}
|
}
|
||||||
@ -3747,7 +3987,7 @@ index c98960f7fcc..c14319a5356 100644
|
|||||||
}
|
}
|
||||||
throw new InvalidKeySpecException
|
throw new InvalidKeySpecException
|
||||||
("Unsupported spec: " + keySpec.getClass().getName());
|
("Unsupported spec: " + keySpec.getClass().getName());
|
||||||
@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
||||||
// see JCE spec
|
// see JCE spec
|
||||||
protected SecretKey engineTranslateKey(SecretKey key)
|
protected SecretKey engineTranslateKey(SecretKey key)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
@ -3880,7 +4120,7 @@ index 262cfc062ad..72b64f72c0a 100644
|
|||||||
Provider p = sun;
|
Provider p = sun;
|
||||||
if (p == null) {
|
if (p == null) {
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
index 112b639aa96..3e170b4c115 100644
|
index aa35e8fa668..f4d7c9cc201 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
@@ -26,6 +26,9 @@
|
@@ -26,6 +26,9 @@
|
||||||
@ -3893,7 +4133,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import java.security.*;
|
import java.security.*;
|
||||||
@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback;
|
@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
|
||||||
|
|
||||||
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
|
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
|
||||||
|
|
||||||
@ -3901,7 +4141,12 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
import jdk.internal.misc.InnocuousThread;
|
import jdk.internal.misc.InnocuousThread;
|
||||||
import sun.security.util.Debug;
|
import sun.security.util.Debug;
|
||||||
import sun.security.util.ResourcesMgr;
|
import sun.security.util.ResourcesMgr;
|
||||||
@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||||
|
+import sun.security.util.SecurityProperties;
|
||||||
|
import static sun.security.util.SecurityProviderConstants.getAliases;
|
||||||
|
|
||||||
|
import sun.security.pkcs11.Secmod.*;
|
||||||
|
@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
||||||
*/
|
*/
|
||||||
public final class SunPKCS11 extends AuthProvider {
|
public final class SunPKCS11 extends AuthProvider {
|
||||||
|
|
||||||
@ -3935,11 +4180,32 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
+ fipsImportKey = fipsImportKeyTmp;
|
+ fipsImportKey = fipsImportKeyTmp;
|
||||||
+ fipsExportKey = fipsExportKeyTmp;
|
+ fipsExportKey = fipsExportKeyTmp;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
|
+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
|
||||||
+
|
+
|
||||||
private static final long serialVersionUID = -1354835039035306505L;
|
private static final long serialVersionUID = -1354835039035306505L;
|
||||||
|
|
||||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
|
||||||
|
@Override
|
||||||
|
public SunPKCS11 run() throws Exception {
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ /*
|
||||||
|
+ * The nssSecmodDirectory attribute in the SunPKCS11
|
||||||
|
+ * NSS configuration file takes the value of the
|
||||||
|
+ * fips.nssdb.path System property after expansion.
|
||||||
|
+ * Security properties expansion is unsupported.
|
||||||
|
+ */
|
||||||
|
+ System.setProperty(
|
||||||
|
+ FIPS_NSSDB_PATH_PROP,
|
||||||
|
+ SecurityProperties.privilegedGetOverridable(
|
||||||
|
+ FIPS_NSSDB_PATH_PROP));
|
||||||
|
+ }
|
||||||
|
return new SunPKCS11(new Config(newConfigName));
|
||||||
|
}
|
||||||
|
});
|
||||||
|
@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
// request multithreaded access first
|
// request multithreaded access first
|
||||||
initArgs.flags = CKF_OS_LOCKING_OK;
|
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||||
PKCS11 tmpPKCS11;
|
PKCS11 tmpPKCS11;
|
||||||
@ -3960,7 +4226,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
} catch (PKCS11Exception e) {
|
} catch (PKCS11Exception e) {
|
||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
debug.println("Multi-threaded initialization failed: " + e);
|
debug.println("Multi-threaded initialization failed: " + e);
|
||||||
@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
initArgs.flags = 0;
|
initArgs.flags = 0;
|
||||||
}
|
}
|
||||||
tmpPKCS11 = PKCS11.getInstance(library,
|
tmpPKCS11 = PKCS11.getInstance(library,
|
||||||
@ -3975,32 +4241,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
if (p11Info.cryptokiVersion.major < 2) {
|
if (p11Info.cryptokiVersion.major < 2) {
|
||||||
throw new ProviderException("Only PKCS#11 v2.0 and later "
|
throw new ProviderException("Only PKCS#11 v2.0 and later "
|
||||||
+ "supported, library version is v" + p11Info.cryptokiVersion);
|
+ "supported, library version is v" + p11Info.cryptokiVersion);
|
||||||
@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
if (nssModule != null) {
|
|
||||||
nssModule.setProvider(this);
|
|
||||||
}
|
|
||||||
+ if (systemFipsEnabled) {
|
|
||||||
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
|
||||||
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
|
||||||
+ // (/etc/pki/nssdb) PIN is empty.
|
|
||||||
+ Session session = null;
|
|
||||||
+ try {
|
|
||||||
+ session = token.getOpSession();
|
|
||||||
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
|
||||||
+ } catch (PKCS11Exception p11e) {
|
|
||||||
+ if (debug != null) {
|
|
||||||
+ debug.println("Error during token login: " +
|
|
||||||
+ p11e.getMessage());
|
|
||||||
+ }
|
|
||||||
+ throw p11e;
|
|
||||||
+ } finally {
|
|
||||||
+ token.releaseSession(session);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
} catch (Exception e) {
|
|
||||||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
|
||||||
throw new UnsupportedOperationException
|
|
||||||
@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider {
|
|
||||||
final String className;
|
final String className;
|
||||||
final List<String> aliases;
|
final List<String> aliases;
|
||||||
final int[] mechanisms;
|
final int[] mechanisms;
|
||||||
@ -4021,7 +4262,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
}
|
}
|
||||||
private P11Service service(Token token, int mechanism) {
|
private P11Service service(Token token, int mechanism) {
|
||||||
return new P11Service
|
return new P11Service
|
||||||
@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
|
||||||
private static void d(String type, String algorithm, String className,
|
private static void d(String type, String algorithm, String className,
|
||||||
int[] m) {
|
int[] m) {
|
||||||
@ -4054,7 +4295,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
private static void register(Descriptor d) {
|
private static void register(Descriptor d) {
|
||||||
@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
String P11Cipher = "sun.security.pkcs11.P11Cipher";
|
String P11Cipher = "sun.security.pkcs11.P11Cipher";
|
||||||
String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
|
String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
|
||||||
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
|
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
|
||||||
@ -4062,7 +4303,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
String P11Signature = "sun.security.pkcs11.P11Signature";
|
String P11Signature = "sun.security.pkcs11.P11Signature";
|
||||||
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
|
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
|
||||||
|
|
||||||
@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
d(MAC, "SslMacSHA1", P11Mac,
|
d(MAC, "SslMacSHA1", P11Mac,
|
||||||
m(CKM_SSL3_SHA1_MAC));
|
m(CKM_SSL3_SHA1_MAC));
|
||||||
|
|
||||||
@ -4093,7 +4334,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
d(KPG, "RSA", P11KeyPairGenerator,
|
d(KPG, "RSA", P11KeyPairGenerator,
|
||||||
getAliases("PKCS1"),
|
getAliases("PKCS1"),
|
||||||
m(CKM_RSA_PKCS_KEY_PAIR_GEN));
|
m(CKM_RSA_PKCS_KEY_PAIR_GEN));
|
||||||
@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
d(SKF, "ChaCha20", P11SecretKeyFactory,
|
d(SKF, "ChaCha20", P11SecretKeyFactory,
|
||||||
m(CKM_CHACHA20_POLY1305));
|
m(CKM_CHACHA20_POLY1305));
|
||||||
|
|
||||||
@ -4160,7 +4401,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
// XXX attributes for Ciphers (supported modes, padding)
|
// XXX attributes for Ciphers (supported modes, padding)
|
||||||
dA(CIP, "ARCFOUR", P11Cipher,
|
dA(CIP, "ARCFOUR", P11Cipher,
|
||||||
m(CKM_RC4));
|
m(CKM_RC4));
|
||||||
@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
|
d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
|
||||||
m(CKM_RSA_X_509));
|
m(CKM_RSA_X_509));
|
||||||
|
|
||||||
@ -4207,7 +4448,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
d(SIG, "RawDSA", P11Signature,
|
d(SIG, "RawDSA", P11Signature,
|
||||||
List.of("NONEwithDSA"),
|
List.of("NONEwithDSA"),
|
||||||
m(CKM_DSA));
|
m(CKM_DSA));
|
||||||
@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
if (ds == null) {
|
if (ds == null) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -4229,7 +4470,35 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
supportedAlgs.put(d, integerMech);
|
supportedAlgs.put(d, integerMech);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
if (token.isValid() == false) {
|
||||||
|
throw new NoSuchAlgorithmException("Token has been removed");
|
||||||
|
}
|
||||||
|
+ if (systemFipsEnabled && !token.fipsLoggedIn &&
|
||||||
|
+ !getType().equals("KeyStore")) {
|
||||||
|
+ /*
|
||||||
|
+ * The NSS Software Token in FIPS 140-2 mode requires a
|
||||||
|
+ * user login for most operations. See sftk_fipsCheck
|
||||||
|
+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
|
||||||
|
+ * service, let the caller perform the login with
|
||||||
|
+ * KeyStore::load. Keytool, for example, does this to pass a
|
||||||
|
+ * PIN from either the -srcstorepass or -deststorepass
|
||||||
|
+ * argument. In case of a non-KeyStore service, perform the
|
||||||
|
+ * login now with the PIN available in the fips.nssdb.pin
|
||||||
|
+ * property.
|
||||||
|
+ */
|
||||||
|
+ try {
|
||||||
|
+ token.ensureLoggedIn(null);
|
||||||
|
+ } catch (PKCS11Exception | LoginException e) {
|
||||||
|
+ throw new ProviderException("FIPS: error during the Token" +
|
||||||
|
+ " login required for the " + getType() +
|
||||||
|
+ " service.", e);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
try {
|
||||||
|
return newInstance0(param);
|
||||||
|
} catch (PKCS11Exception e) {
|
||||||
|
@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
||||||
algorithm.startsWith("ChaCha20-Poly1305")) {
|
algorithm.startsWith("ChaCha20-Poly1305")) {
|
||||||
return new P11AEADCipher(token, algorithm, mechanism);
|
return new P11AEADCipher(token, algorithm, mechanism);
|
||||||
@ -4238,6 +4507,63 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
} else {
|
} else {
|
||||||
return new P11Cipher(token, algorithm, mechanism);
|
return new P11Cipher(token, algorithm, mechanism);
|
||||||
}
|
}
|
||||||
|
@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
try {
|
||||||
|
session = token.getOpSession();
|
||||||
|
p11.C_Logout(session.id());
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ token.fipsLoggedIn = false;
|
||||||
|
+ }
|
||||||
|
if (debug != null) {
|
||||||
|
debug.println("logout succeeded");
|
||||||
|
}
|
||||||
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||||
|
index 9858a5faedf..e63585486d9 100644
|
||||||
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||||
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||||
|
@@ -33,6 +33,7 @@ import java.lang.ref.*;
|
||||||
|
import java.security.*;
|
||||||
|
import javax.security.auth.login.LoginException;
|
||||||
|
|
||||||
|
+import jdk.internal.access.SharedSecrets;
|
||||||
|
import sun.security.jca.JCAUtil;
|
||||||
|
|
||||||
|
import sun.security.pkcs11.wrapper.*;
|
||||||
|
@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
||||||
|
*/
|
||||||
|
class Token implements Serializable {
|
||||||
|
|
||||||
|
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||||
|
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||||
|
+
|
||||||
|
// need to be serializable to allow SecureRandom to be serialized
|
||||||
|
private static final long serialVersionUID = 2541527649100571747L;
|
||||||
|
|
||||||
|
@@ -114,6 +118,10 @@ class Token implements Serializable {
|
||||||
|
// flag indicating whether we are logged in
|
||||||
|
private volatile boolean loggedIn;
|
||||||
|
|
||||||
|
+ // Flag indicating the login status for the NSS Software Token in FIPS mode.
|
||||||
|
+ // This Token is never asynchronously removed. Used from SunPKCS11.
|
||||||
|
+ volatile boolean fipsLoggedIn;
|
||||||
|
+
|
||||||
|
// time we last checked login status
|
||||||
|
private long lastLoginCheck;
|
||||||
|
|
||||||
|
@@ -232,7 +240,12 @@ class Token implements Serializable {
|
||||||
|
// call provider.login() if not
|
||||||
|
void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
|
||||||
|
if (isLoggedIn(session) == false) {
|
||||||
|
- provider.login(null, null);
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ provider.login(null, new FIPSTokenLoginHandler());
|
||||||
|
+ fipsLoggedIn = true;
|
||||||
|
+ } else {
|
||||||
|
+ provider.login(null, null);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
||||||
index 88ff8a71fc3..47a2f97eddf 100644
|
index 88ff8a71fc3..47a2f97eddf 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
||||||
@ -4877,7 +5203,7 @@ index 5c0aacd1a67..5fbf8addcba 100644
|
|||||||
+}
|
+}
|
||||||
}
|
}
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
||||||
index d22844cfba8..9e02958b4b0 100644
|
index 0d65ee26805..38fd4aff1f3 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
||||||
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
|
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
|
||||||
@ -4939,7 +5265,7 @@ index d22844cfba8..9e02958b4b0 100644
|
|||||||
+ /* (CKM_NSS + 32) */ = 0xCE534370L;
|
+ /* (CKM_NSS + 32) */ = 0xCE534370L;
|
||||||
}
|
}
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
||||||
index 666c5eb9b3b..5523dafcdb4 100644
|
index d941b574cc7..e2de13648be 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
||||||
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
|
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
|
@ -1,26 +0,0 @@
|
|||||||
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
|
||||||
index 70903206ea0..09956084cf9 100644
|
|
||||||
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
|
||||||
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
|
||||||
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
|
|
||||||
ctx = getLdapCtxFromUrl(
|
|
||||||
r.getDomainName(), url, new LdapURL(u), env);
|
|
||||||
return ctx;
|
|
||||||
+ } catch (AuthenticationException e) {
|
|
||||||
+ // do not retry on a different endpoint to avoid blocking
|
|
||||||
+ // the user if authentication credentials are wrong.
|
|
||||||
+ throw e;
|
|
||||||
} catch (NamingException e) {
|
|
||||||
// try the next element
|
|
||||||
lastException = e;
|
|
||||||
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
|
|
||||||
for (String u : urls) {
|
|
||||||
try {
|
|
||||||
return getUsingURL(u, env);
|
|
||||||
+ } catch (AuthenticationException e) {
|
|
||||||
+ // do not retry on a different URL to avoid blocking
|
|
||||||
+ // the user if authentication credentials are wrong.
|
|
||||||
+ throw e;
|
|
||||||
} catch (NamingException e) {
|
|
||||||
ex = e;
|
|
||||||
}
|
|
@ -1,132 +0,0 @@
|
|||||||
diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
|
|
||||||
index 8759aab3995..11ccbf73839 100644
|
|
||||||
--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
|
|
||||||
+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
|
|
||||||
@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00",
|
|
||||||
"Kirov Daylight Time", "GMT+03:00",
|
|
||||||
"Kirov Time", "GMT+03:00"}},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
|
|
||||||
index f007c1a8d3b..617268e4cf3 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
|
|
||||||
index 386414e16e6..14c5d89b9c5 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
|
|
||||||
index d23f5fd49e6..44117125619 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
|
|
||||||
index b4f57d4568c..efa818f3865 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
|
|
||||||
index 1a10a9f96dc..7c0565461ad 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
|
|
||||||
index 9a2d9e5c57c..8a2c805997f 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
|
|
||||||
index de5e5c82daa..e3c06417f09 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
|
|
||||||
index b53de4d8c89..3e46b6a063e 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
|
|
||||||
index 7797cda19d5..590908409a8 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
|
|
||||||
@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
||||||
diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
|
|
||||||
index 2cd10554853..23c5f180b6d 100644
|
|
||||||
--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
|
|
||||||
+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
|
|
||||||
@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
|
|
||||||
{"Europe/Jersey", GMTBST},
|
|
||||||
{"Europe/Kaliningrad", EET},
|
|
||||||
{"Europe/Kiev", EET},
|
|
||||||
+ {"Europe/Kyiv", EET},
|
|
||||||
{"Europe/Lisbon", WET},
|
|
||||||
{"Europe/Ljubljana", CET},
|
|
||||||
{"Europe/London", GMTBST},
|
|
@ -1,8 +0,0 @@
|
|||||||
name = NSS-FIPS
|
|
||||||
nssLibraryDirectory = @NSS_LIBDIR@
|
|
||||||
nssSecmodDirectory = sql:/etc/pki/nssdb
|
|
||||||
nssDbMode = readOnly
|
|
||||||
nssModule = fips
|
|
||||||
|
|
||||||
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
|
||||||
|
|
@ -5,6 +5,7 @@ TREE=${1}
|
|||||||
TYPE=${2}
|
TYPE=${2}
|
||||||
|
|
||||||
ZIP_SRC=src/java.base/share/native/libzip/zlib/
|
ZIP_SRC=src/java.base/share/native/libzip/zlib/
|
||||||
|
FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
|
||||||
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
|
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
|
||||||
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
|
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
|
||||||
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
|
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
|
||||||
@ -31,15 +32,21 @@ cd ${TREE}
|
|||||||
|
|
||||||
echo "Removing built-in libs (they will be linked)"
|
echo "Removing built-in libs (they will be linked)"
|
||||||
|
|
||||||
# On full runs, allow for zlib having already been deleted by minimal
|
# On full runs, allow for zlib & freetype having already been deleted by minimal
|
||||||
echo "Removing zlib"
|
echo "Removing zlib"
|
||||||
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
|
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
|
||||||
echo "${ZIP_SRC} does not exist. Refusing to proceed."
|
echo "${ZIP_SRC} does not exist. Refusing to proceed."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
rm -rvf ${ZIP_SRC}
|
rm -rvf ${ZIP_SRC}
|
||||||
|
echo "Removing freetype"
|
||||||
|
if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
|
||||||
|
echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
rm -rvf ${FREETYPE_SRC}
|
||||||
|
|
||||||
# Minimal is limited to just zlib so finish here
|
# Minimal is limited to just zlib and freetype so finish here
|
||||||
if test "x${TYPE}" = "xminimal"; then
|
if test "x${TYPE}" = "xminimal"; then
|
||||||
echo "Finished.";
|
echo "Finished.";
|
||||||
exit 0;
|
exit 0;
|
||||||
|
@ -23,6 +23,8 @@
|
|||||||
%bcond_without staticlibs
|
%bcond_without staticlibs
|
||||||
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
|
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
|
||||||
%bcond_without fresh_libjvm
|
%bcond_without fresh_libjvm
|
||||||
|
# Build with system libraries
|
||||||
|
%bcond_with system_libs
|
||||||
|
|
||||||
# Workaround for stripping of debug symbols from static libraries
|
# Workaround for stripping of debug symbols from static libraries
|
||||||
%if %{with staticlibs}
|
%if %{with staticlibs}
|
||||||
@ -39,6 +41,16 @@
|
|||||||
%global build_hotspot_first 0
|
%global build_hotspot_first 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if %{with system_libs}
|
||||||
|
%global system_libs 1
|
||||||
|
%global link_type system
|
||||||
|
%global freetype_lib %{nil}
|
||||||
|
%else
|
||||||
|
%global system_libs 0
|
||||||
|
%global link_type bundled
|
||||||
|
%global freetype_lib |libfreetype[.]so.*
|
||||||
|
%endif
|
||||||
|
|
||||||
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
|
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
|
||||||
# This fixes detailed NMT and other tools which need minimal debug info.
|
# This fixes detailed NMT and other tools which need minimal debug info.
|
||||||
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
|
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
|
||||||
@ -190,11 +202,15 @@
|
|||||||
%global staticlibs_loop %{nil}
|
%global staticlibs_loop %{nil}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?flatpak}
|
||||||
|
%global bootstrap_build false
|
||||||
|
%else
|
||||||
%ifarch %{bootstrap_arches}
|
%ifarch %{bootstrap_arches}
|
||||||
%global bootstrap_build true
|
%global bootstrap_build true
|
||||||
%else
|
%else
|
||||||
%global bootstrap_build false
|
%global bootstrap_build false
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{include_staticlibs}
|
%if %{include_staticlibs}
|
||||||
# Extra target for producing the static-libraries. Separate from
|
# Extra target for producing the static-libraries. Separate from
|
||||||
@ -305,8 +321,8 @@
|
|||||||
# New Version-String scheme-style defines
|
# New Version-String scheme-style defines
|
||||||
%global featurever 17
|
%global featurever 17
|
||||||
%global interimver 0
|
%global interimver 0
|
||||||
%global updatever 4
|
%global updatever 6
|
||||||
%global patchver 1
|
%global patchver 0
|
||||||
# buildjdkver is usually same as %%{featurever},
|
# buildjdkver is usually same as %%{featurever},
|
||||||
# but in time of bootstrap of next jdk, it is featurever-1,
|
# but in time of bootstrap of next jdk, it is featurever-1,
|
||||||
# and this it is better to change it here, on single place
|
# and this it is better to change it here, on single place
|
||||||
@ -345,15 +361,15 @@
|
|||||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||||
# Define current Git revision for the FIPS support patches
|
# Define current Git revision for the FIPS support patches
|
||||||
%global fipsver 0bd5ca9ccc5
|
%global fipsver 72d08e3226f
|
||||||
|
|
||||||
# Standard JPackage naming and versioning defines
|
# Standard JPackage naming and versioning defines
|
||||||
%global origin openjdk
|
%global origin openjdk
|
||||||
%global origin_nice OpenJDK
|
%global origin_nice OpenJDK
|
||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||||
%global buildver 1
|
%global buildver 9
|
||||||
%global rpmrelease 2
|
%global rpmrelease 3
|
||||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||||
@ -379,7 +395,7 @@
|
|||||||
# Release will be (where N is usually a number starting at 1):
|
# Release will be (where N is usually a number starting at 1):
|
||||||
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
||||||
# - N%%{?extraver}{?dist} for GA releases
|
# - N%%{?extraver}{?dist} for GA releases
|
||||||
%global is_ga 1
|
%global is_ga 0
|
||||||
%if %{is_ga}
|
%if %{is_ga}
|
||||||
%global build_type GA
|
%global build_type GA
|
||||||
%global ea_designator ""
|
%global ea_designator ""
|
||||||
@ -411,7 +427,7 @@
|
|||||||
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
|
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
|
||||||
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
|
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
|
||||||
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
|
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
%global __provides_exclude ^(%{_privatelibs})$
|
%global __provides_exclude ^(%{_privatelibs})$
|
||||||
@ -815,6 +831,9 @@ exit 0
|
|||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
|
||||||
|
%if ! %{system_libs}
|
||||||
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
|
||||||
|
%endif
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
|
||||||
@ -933,7 +952,7 @@ exit 0
|
|||||||
%ifarch %{sa_arches}
|
%ifarch %{sa_arches}
|
||||||
%ifnarch %{zero_arches}
|
%ifnarch %{zero_arches}
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
|
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
|
||||||
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
|
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
|
||||||
@ -972,11 +991,11 @@ exit 0
|
|||||||
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
|
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
|
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
|
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
|
||||||
|
|
||||||
%if %{with_systemtap}
|
%if %{with_systemtap}
|
||||||
%dir %{tapsetroot}
|
%dir %{tapsetroot}
|
||||||
@ -1099,8 +1118,8 @@ Requires: ca-certificates
|
|||||||
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
|
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
|
||||||
Requires: javapackages-filesystem
|
Requires: javapackages-filesystem
|
||||||
# Require zone-info data provided by tzdata-java sub-package
|
# Require zone-info data provided by tzdata-java sub-package
|
||||||
# 2022a required as of JDK-8283350 in 17.0.4
|
# 2022g required as of JDK-8297804
|
||||||
Requires: tzdata-java >= 2022a
|
Requires: tzdata-java >= 2022g
|
||||||
# for support of kernel stream control
|
# for support of kernel stream control
|
||||||
# libsctp.so.1 is being `dlopen`ed on demand
|
# libsctp.so.1 is being `dlopen`ed on demand
|
||||||
Requires: lksctp-tools%{?_isa}
|
Requires: lksctp-tools%{?_isa}
|
||||||
@ -1108,7 +1127,7 @@ Requires: lksctp-tools%{?_isa}
|
|||||||
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
|
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
|
||||||
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
|
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
|
||||||
# considered as regression
|
# considered as regression
|
||||||
Requires: copy-jdk-configs >= 4.0
|
Requires: copy-jdk-configs >= 3.3
|
||||||
OrderWithRequires: copy-jdk-configs
|
OrderWithRequires: copy-jdk-configs
|
||||||
%endif
|
%endif
|
||||||
# for printing support
|
# for printing support
|
||||||
@ -1292,9 +1311,6 @@ Source15: TestSecurityProperties.java
|
|||||||
# Ensure vendor settings are correct
|
# Ensure vendor settings are correct
|
||||||
Source16: CheckVendor.java
|
Source16: CheckVendor.java
|
||||||
|
|
||||||
# nss fips configuration file
|
|
||||||
Source17: nss.fips.cfg.in
|
|
||||||
|
|
||||||
# Ensure translations are available for new timezones
|
# Ensure translations are available for new timezones
|
||||||
Source18: TestTranslations.java
|
Source18: TestTranslations.java
|
||||||
|
|
||||||
@ -1317,11 +1333,9 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
|
|||||||
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
||||||
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
|
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
|
||||||
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
||||||
# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
|
|
||||||
Patch7: jdk8292223-tzdata2022b-kyiv.patch
|
|
||||||
|
|
||||||
# Crypto policy and FIPS support patches
|
# Crypto policy and FIPS support patches
|
||||||
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u-cpu-2022-07
|
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
|
||||||
# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
|
# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
|
||||||
# Diff is limited to src and make subdirectories to exclude .github changes
|
# Diff is limited to src and make subdirectories to exclude .github changes
|
||||||
# Fixes currently included:
|
# Fixes currently included:
|
||||||
@ -1348,6 +1362,9 @@ Patch7: jdk8292223-tzdata2022b-kyiv.patch
|
|||||||
# Build the systemconf library on all platforms
|
# Build the systemconf library on all platforms
|
||||||
# RH2048582: Support PKCS#12 keystores
|
# RH2048582: Support PKCS#12 keystores
|
||||||
# RH2020290: Support TLS 1.3 in FIPS mode
|
# RH2020290: Support TLS 1.3 in FIPS mode
|
||||||
|
# Add nss.fips.cfg support to OpenJDK tree
|
||||||
|
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||||
|
# Remove forgotten dead code from RH2020290 and RH2104724
|
||||||
Patch1001: fips-17u-%{fipsver}.patch
|
Patch1001: fips-17u-%{fipsver}.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
@ -1355,12 +1372,16 @@ Patch1001: fips-17u-%{fipsver}.patch
|
|||||||
# OpenJDK patches in need of upstreaming
|
# OpenJDK patches in need of upstreaming
|
||||||
#
|
#
|
||||||
#############################################
|
#############################################
|
||||||
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
|
|
||||||
Patch2000: jdk8275535-rh2053256-ldap_auth.patch
|
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
#
|
#
|
||||||
# OpenJDK patches appearing in 17.0.3
|
# OpenJDK patches appearing in 17.0.5
|
||||||
|
#
|
||||||
|
#############################################
|
||||||
|
|
||||||
|
#############################################
|
||||||
|
#
|
||||||
|
# OpenJDK patches targetted for 17.0.6
|
||||||
#
|
#
|
||||||
#############################################
|
#############################################
|
||||||
|
|
||||||
@ -1373,14 +1394,8 @@ BuildRequires: desktop-file-utils
|
|||||||
# elfutils only are OK for build without AOT
|
# elfutils only are OK for build without AOT
|
||||||
BuildRequires: elfutils-devel
|
BuildRequires: elfutils-devel
|
||||||
BuildRequires: fontconfig-devel
|
BuildRequires: fontconfig-devel
|
||||||
BuildRequires: freetype-devel
|
|
||||||
BuildRequires: giflib-devel
|
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: gdb
|
BuildRequires: gdb
|
||||||
BuildRequires: harfbuzz-devel
|
|
||||||
BuildRequires: lcms2-devel
|
|
||||||
BuildRequires: libjpeg-devel
|
|
||||||
BuildRequires: libpng-devel
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: libX11-devel
|
BuildRequires: libX11-devel
|
||||||
BuildRequires: libXi-devel
|
BuildRequires: libXi-devel
|
||||||
@ -1402,8 +1417,8 @@ BuildRequires: java-17-openjdk-devel
|
|||||||
%ifarch %{zero_arches}
|
%ifarch %{zero_arches}
|
||||||
BuildRequires: libffi-devel
|
BuildRequires: libffi-devel
|
||||||
%endif
|
%endif
|
||||||
# 2022a required as of JDK-8283350 in 17.0.4
|
# 2022g required as of JDK-8297804
|
||||||
BuildRequires: tzdata-java >= 2022a
|
BuildRequires: tzdata-java >= 2022g
|
||||||
# Earlier versions have a bug in tree vectorization on PPC
|
# Earlier versions have a bug in tree vectorization on PPC
|
||||||
BuildRequires: gcc >= 4.8.3-8
|
BuildRequires: gcc >= 4.8.3-8
|
||||||
|
|
||||||
@ -1412,6 +1427,30 @@ BuildRequires: systemtap-sdt-devel
|
|||||||
%endif
|
%endif
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
|
|
||||||
|
%if %{system_libs}
|
||||||
|
BuildRequires: freetype-devel
|
||||||
|
BuildRequires: giflib-devel
|
||||||
|
BuildRequires: harfbuzz-devel
|
||||||
|
BuildRequires: lcms2-devel
|
||||||
|
BuildRequires: libjpeg-devel
|
||||||
|
BuildRequires: libpng-devel
|
||||||
|
%else
|
||||||
|
# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
|
||||||
|
Provides: bundled(freetype) = 2.12.1
|
||||||
|
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
|
||||||
|
Provides: bundled(giflib) = 5.2.1
|
||||||
|
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
|
||||||
|
Provides: bundled(harfbuzz) = 4.4.1
|
||||||
|
# Version in src/java.desktop/share/native/liblcms/lcms2.h
|
||||||
|
Provides: bundled(lcms2) = 2.12.0
|
||||||
|
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
|
||||||
|
Provides: bundled(libjpeg) = 6b
|
||||||
|
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
|
||||||
|
Provides: bundled(libpng) = 1.6.37
|
||||||
|
# We link statically against libstdc++ to increase portability
|
||||||
|
BuildRequires: libstdc++-static
|
||||||
|
%endif
|
||||||
|
|
||||||
# this is always built, also during debug-only build
|
# this is always built, also during debug-only build
|
||||||
# when it is built in debug-only this package is just placeholder
|
# when it is built in debug-only this package is just placeholder
|
||||||
%{java_rpo %{nil}}
|
%{java_rpo %{nil}}
|
||||||
@ -1761,8 +1800,11 @@ if [ $prioritylength -ne 8 ] ; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# OpenJDK patches
|
# OpenJDK patches
|
||||||
|
|
||||||
|
%if %{system_libs}
|
||||||
# Remove libraries that are linked by both static and dynamic builds
|
# Remove libraries that are linked by both static and dynamic builds
|
||||||
sh %{SOURCE12} %{top_level_dir_name}
|
sh %{SOURCE12} %{top_level_dir_name}
|
||||||
|
%endif
|
||||||
|
|
||||||
# Patch the JDK
|
# Patch the JDK
|
||||||
pushd %{top_level_dir_name}
|
pushd %{top_level_dir_name}
|
||||||
@ -1770,7 +1812,6 @@ pushd %{top_level_dir_name}
|
|||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
|
||||||
# Add crypto policy and FIPS support
|
# Add crypto policy and FIPS support
|
||||||
%patch1001 -p1
|
%patch1001 -p1
|
||||||
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
||||||
@ -1779,8 +1820,6 @@ popd # openjdk
|
|||||||
|
|
||||||
%patch600
|
%patch600
|
||||||
|
|
||||||
%patch2000
|
|
||||||
|
|
||||||
# The OpenJDK version file includes the current
|
# The OpenJDK version file includes the current
|
||||||
# upstream version information. For some reason,
|
# upstream version information. For some reason,
|
||||||
# configure does not automatically use the
|
# configure does not automatically use the
|
||||||
@ -1798,8 +1837,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
|
|||||||
echo "WARNING: Designator mismatch";
|
echo "WARNING: Designator mismatch";
|
||||||
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
|
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
|
||||||
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
|
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
|
||||||
# Don't fail at present as upstream are not maintaining the value correctly
|
exit 17
|
||||||
#exit 17
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Extract systemtap tapsets
|
# Extract systemtap tapsets
|
||||||
@ -1851,9 +1889,6 @@ done
|
|||||||
# Setup nss.cfg
|
# Setup nss.cfg
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
||||||
|
|
||||||
# Setup nss.fips.cfg
|
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# How many CPU's do we have?
|
# How many CPU's do we have?
|
||||||
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
||||||
@ -1897,6 +1932,14 @@ function buildjdk() {
|
|||||||
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
|
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
|
||||||
local top_dir_abs_build_path=$(pwd)/${outputdir}
|
local top_dir_abs_build_path=$(pwd)/${outputdir}
|
||||||
|
|
||||||
|
# This must be set using the global, so that the
|
||||||
|
# static libraries still use a dynamic stdc++lib
|
||||||
|
if [ "x%{link_type}" = "xbundled" ] ; then
|
||||||
|
libc_link_opt="static";
|
||||||
|
else
|
||||||
|
libc_link_opt="dynamic";
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Using output directory: ${outputdir}";
|
echo "Using output directory: ${outputdir}";
|
||||||
echo "Checking build JDK ${buildjdk} is operational..."
|
echo "Checking build JDK ${buildjdk} is operational..."
|
||||||
${buildjdk}/bin/java -version
|
${buildjdk}/bin/java -version
|
||||||
@ -1908,6 +1951,10 @@ function buildjdk() {
|
|||||||
mkdir -p ${outputdir}
|
mkdir -p ${outputdir}
|
||||||
pushd ${outputdir}
|
pushd ${outputdir}
|
||||||
|
|
||||||
|
# Note: zlib and freetype use %{link_type}
|
||||||
|
# rather than ${link_opt} as the system versions
|
||||||
|
# are always used in a system_libs build, even
|
||||||
|
# for the static library build
|
||||||
bash ${top_dir_abs_src_path}/configure \
|
bash ${top_dir_abs_src_path}/configure \
|
||||||
%ifarch %{zero_arches}
|
%ifarch %{zero_arches}
|
||||||
--with-jvm-variants=zero \
|
--with-jvm-variants=zero \
|
||||||
@ -1928,13 +1975,14 @@ function buildjdk() {
|
|||||||
--with-native-debug-symbols="%{debug_symbols}" \
|
--with-native-debug-symbols="%{debug_symbols}" \
|
||||||
--disable-sysconf-nss \
|
--disable-sysconf-nss \
|
||||||
--enable-unlimited-crypto \
|
--enable-unlimited-crypto \
|
||||||
--with-zlib=system \
|
--with-zlib=%{link_type} \
|
||||||
|
--with-freetype=%{link_type} \
|
||||||
--with-libjpeg=${link_opt} \
|
--with-libjpeg=${link_opt} \
|
||||||
--with-giflib=${link_opt} \
|
--with-giflib=${link_opt} \
|
||||||
--with-libpng=${link_opt} \
|
--with-libpng=${link_opt} \
|
||||||
--with-lcms=${link_opt} \
|
--with-lcms=${link_opt} \
|
||||||
--with-harfbuzz=${link_opt} \
|
--with-harfbuzz=${link_opt} \
|
||||||
--with-stdc++lib=dynamic \
|
--with-stdc++lib=${libc_link_opt} \
|
||||||
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
|
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
|
||||||
--with-extra-cflags="$EXTRA_CFLAGS" \
|
--with-extra-cflags="$EXTRA_CFLAGS" \
|
||||||
--with-extra-ldflags="%{ourldflags}" \
|
--with-extra-ldflags="%{ourldflags}" \
|
||||||
@ -1974,9 +2022,6 @@ function installjdk() {
|
|||||||
# Install nss.cfg right away as we will be using the JRE above
|
# Install nss.cfg right away as we will be using the JRE above
|
||||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||||
|
|
||||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
|
||||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
|
||||||
|
|
||||||
# Turn on system security properties
|
# Turn on system security properties
|
||||||
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||||
${imagepath}/conf/security/java.security
|
${imagepath}/conf/security/java.security
|
||||||
@ -2020,12 +2065,13 @@ for suffix in %{build_loop} ; do
|
|||||||
bootbuilddir=boot${builddir}
|
bootbuilddir=boot${builddir}
|
||||||
|
|
||||||
if test "x${loop}" = "x%{main_suffix}" ; then
|
if test "x${loop}" = "x%{main_suffix}" ; then
|
||||||
|
link_opt="%{link_type}"
|
||||||
|
%if %{system_libs}
|
||||||
# Copy the source tree so we can remove all in-tree libraries
|
# Copy the source tree so we can remove all in-tree libraries
|
||||||
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
|
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
|
||||||
# Remove all libraries that are linked
|
# Remove all libraries that are linked
|
||||||
sh %{SOURCE12} %{top_level_dir_name} full
|
sh %{SOURCE12} %{top_level_dir_name} full
|
||||||
# Use system libraries
|
%endif
|
||||||
link_opt="system"
|
|
||||||
# Debug builds don't need same targets as release for
|
# Debug builds don't need same targets as release for
|
||||||
# build speed-up. We also avoid bootstrapping these
|
# build speed-up. We also avoid bootstrapping these
|
||||||
# slower builds.
|
# slower builds.
|
||||||
@ -2043,9 +2089,11 @@ for suffix in %{build_loop} ; do
|
|||||||
else
|
else
|
||||||
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
|
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
|
||||||
fi
|
fi
|
||||||
|
%if %{system_libs}
|
||||||
# Restore original source tree we modified by removing full in-tree sources
|
# Restore original source tree we modified by removing full in-tree sources
|
||||||
rm -rf %{top_level_dir_name}
|
rm -rf %{top_level_dir_name}
|
||||||
mv %{top_level_dir_name_backup} %{top_level_dir_name}
|
mv %{top_level_dir_name_backup} %{top_level_dir_name}
|
||||||
|
%endif
|
||||||
else
|
else
|
||||||
# Use bundled libraries for building statically
|
# Use bundled libraries for building statically
|
||||||
link_opt="bundled"
|
link_opt="bundled"
|
||||||
@ -2079,6 +2127,8 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
|
|||||||
|
|
||||||
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||||
|
|
||||||
|
# Pre-test setup
|
||||||
|
|
||||||
#check Shenandoah is enabled
|
#check Shenandoah is enabled
|
||||||
%if %{use_shenandoah_hotspot}
|
%if %{use_shenandoah_hotspot}
|
||||||
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
||||||
@ -2112,12 +2162,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Check translations are available for new timezones
|
# Check translations are available for new timezones
|
||||||
$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
|
$JAVA_HOME/bin/javac -d . %{SOURCE18}
|
||||||
--add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
|
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
|
||||||
-d . %{SOURCE18}
|
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
|
||||||
$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
|
|
||||||
--add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
|
|
||||||
$(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
|
|
||||||
|
|
||||||
%if %{include_staticlibs}
|
%if %{include_staticlibs}
|
||||||
# Check debug symbols in static libraries (smoke test)
|
# Check debug symbols in static libraries (smoke test)
|
||||||
@ -2376,10 +2423,9 @@ else
|
|||||||
return
|
return
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
|
-- run content of included file with fake args
|
||||||
cjc = require "copy_jdk_configs.lua"
|
arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
|
||||||
args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
|
require "copy_jdk_configs.lua"
|
||||||
cjc.mainProgram(args)
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%{post_script %{nil}}
|
%{post_script %{nil}}
|
||||||
@ -2575,28 +2621,98 @@ cjc.mainProgram(args)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Sep 02 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
|
* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea
|
||||||
|
- Update to jdk-17.0.6+9
|
||||||
|
- Update release notes to 17.0.6+9
|
||||||
|
- Drop local copy of JDK-8293834 now this is upstream
|
||||||
|
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
|
||||||
|
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
|
||||||
|
- Resolves: rhbz#2150195
|
||||||
|
|
||||||
|
* Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.3.ea
|
||||||
|
- Update to jdk-17.0.6+1
|
||||||
|
- Update release notes to 17.0.6+1
|
||||||
|
- Switch to EA mode for 17.0.6 pre-release builds.
|
||||||
|
- Re-enable EA upstream status check now it is being actively maintained.
|
||||||
|
- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
|
||||||
|
- Drop JDK-8275535 local patch now this has been accepted and backported upstream
|
||||||
|
- Bump tzdata requirement to 2022e now the package is available in RHEL
|
||||||
|
- Related: rhbz#2150195
|
||||||
|
|
||||||
|
* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-5
|
||||||
|
- Update FIPS support to bring in latest changes
|
||||||
|
- * Add nss.fips.cfg support to OpenJDK tree
|
||||||
|
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||||
|
- * Remove forgotten dead code from RH2020290 and RH2104724
|
||||||
|
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
|
||||||
|
- Resolves: rhbz#2117972
|
||||||
|
|
||||||
|
* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2
|
||||||
|
- Update to jdk-17.0.5+8 (GA)
|
||||||
|
- Update release notes to 17.0.5+8 (GA)
|
||||||
|
- Switch to GA mode for final release.
|
||||||
|
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
|
||||||
|
- Update CLDR data with Europe/Kyiv (JDK-8293834)
|
||||||
|
- Drop JDK-8292223 patch which we found to be unnecessary
|
||||||
|
- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
|
||||||
|
- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
|
||||||
|
- Remove freetype sources along with zlib sources
|
||||||
|
- Resolves: rhbz#2133695
|
||||||
|
|
||||||
|
* Tue Oct 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.7-0.2.ea
|
||||||
|
- Update to jdk-17.0.5+7
|
||||||
|
- Update release notes to 17.0.5+7
|
||||||
|
- Drop JDK-8288985 patch that is now upstream
|
||||||
|
- Resolves: rhbz#2130617
|
||||||
|
|
||||||
|
* Mon Oct 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.1-0.2.ea
|
||||||
|
- Update to jdk-17.0.5+1
|
||||||
|
- Update release notes to 17.0.5+1
|
||||||
|
- Switch to EA mode for 17.0.5 pre-release builds.
|
||||||
|
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
|
||||||
|
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
|
||||||
|
- Related: rhbz#2130617
|
||||||
|
|
||||||
|
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-6
|
||||||
|
- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
|
||||||
|
- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
|
||||||
|
- Resolves: rhbz#2006351
|
||||||
|
|
||||||
|
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5
|
||||||
|
- Switch to static builds, reducing system dependencies and making build more portable
|
||||||
|
- Resolves: rhbz#2121263
|
||||||
|
|
||||||
|
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4
|
||||||
|
- Fix flatpak builds (catering for their uncompressed manual pages)
|
||||||
|
- Fix flatpak builds by exempting them from bootstrap
|
||||||
|
- Resolves: rhbz#2102734
|
||||||
|
|
||||||
|
* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3
|
||||||
- Update FIPS support to bring in latest changes
|
- Update FIPS support to bring in latest changes
|
||||||
- * RH2023467: Enable FIPS keys export
|
|
||||||
- * RH2104724: Avoid import/export of DH private keys
|
- * RH2104724: Avoid import/export of DH private keys
|
||||||
- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
||||||
- * Build the systemconf library on all platforms
|
- * Build the systemconf library on all platforms
|
||||||
- * RH2048582: Support PKCS#12 keystores
|
- * RH2048582: Support PKCS#12 keystores
|
||||||
- * RH2020290: Support TLS 1.3 in FIPS mode
|
- * RH2020290: Support TLS 1.3 in FIPS mode
|
||||||
- Resolves: rhbz#2123579
|
- Resolves: rhbz#2104724
|
||||||
- Resolves: rhbz#2123580
|
- Resolves: rhbz#2092507
|
||||||
- Resolves: rhbz#2123581
|
- Resolves: rhbz#2048582
|
||||||
- Resolves: rhbz#2123583
|
- Resolves: rhbz#2020290
|
||||||
- Resolves: rhbz#2123584
|
|
||||||
|
|
||||||
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-1
|
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
|
||||||
- Update to jdk-17.0.4.1+1
|
- Update to jdk-17.0.4.1+1
|
||||||
- Update release notes to 17.0.4.1+1
|
- Update release notes to 17.0.4.1+1
|
||||||
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
|
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
|
||||||
- Add test to ensure timezones can be translated
|
- Add test to ensure timezones can be translated
|
||||||
- Resolves: rhbz#2120058
|
- Resolves: rhbz#2119531
|
||||||
|
|
||||||
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-0.2.ea
|
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3
|
||||||
|
- Update to jdk-17.0.4.0+8
|
||||||
|
- Update release notes to 17.0.4.0+8
|
||||||
|
- Switch to GA mode for release
|
||||||
|
- Resolves: rhbz#2106522
|
||||||
|
|
||||||
|
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
|
||||||
- Revert the following changes until copy-java-configs has adapted to relative symlinks:
|
- Revert the following changes until copy-java-configs has adapted to relative symlinks:
|
||||||
- * Move cacerts replacement to install section and retain original of this and tzdb.dat
|
- * Move cacerts replacement to install section and retain original of this and tzdb.dat
|
||||||
- * Run tests on the installed image, rather than the build image
|
- * Run tests on the installed image, rather than the build image
|
||||||
@ -2604,11 +2720,19 @@ cjc.mainProgram(args)
|
|||||||
- * Use relative symlinks so they work within the image
|
- * Use relative symlinks so they work within the image
|
||||||
- * Run debug symbols check during build stage, before the install strips them
|
- * Run debug symbols check during build stage, before the install strips them
|
||||||
- The move of turning on system security properties is retained so we don't ship with them off
|
- The move of turning on system security properties is retained so we don't ship with them off
|
||||||
- Related: rhbz#2084779
|
- Related: rhbz#2100674
|
||||||
|
|
||||||
* Mon Jul 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-1
|
* Wed Jul 20 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.4.0.7-0.2.ea
|
||||||
- Update to jdk-17.0.4.0+8
|
- retutrned absolute symlinks
|
||||||
- Update release notes to 17.0.4.0+8
|
- relative symlinks are breaking cjc, and deeper investigations are necessary
|
||||||
|
-- why cjc intentionally skips relative symllinks
|
||||||
|
- images have to be workarounded differently
|
||||||
|
- Related: rhbz#2100674
|
||||||
|
|
||||||
|
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
|
||||||
|
- Update to jdk-17.0.4.0+7
|
||||||
|
- Update release notes to 17.0.4.0+7
|
||||||
|
- Switch to EA mode for 17.0.4 pre-release builds.
|
||||||
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
|
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
|
||||||
- Print release file during build, which should now include a correct SOURCE value from .src-rev
|
- Print release file during build, which should now include a correct SOURCE value from .src-rev
|
||||||
- Update tarball script with IcedTea GitHub URL and .src-rev generation
|
- Update tarball script with IcedTea GitHub URL and .src-rev generation
|
||||||
@ -2619,54 +2743,100 @@ cjc.mainProgram(args)
|
|||||||
- Explicitly require crypto-policies during build and runtime for system security properties
|
- Explicitly require crypto-policies during build and runtime for system security properties
|
||||||
- Make use of the vendor version string to store our version & release rather than an upstream release date
|
- Make use of the vendor version string to store our version & release rather than an upstream release date
|
||||||
- Include a test in the RPM to check the build has the correct vendor information.
|
- Include a test in the RPM to check the build has the correct vendor information.
|
||||||
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
|
- Resolves: rhbz#2083316
|
||||||
- * RH2094027: SunEC runtime permission for FIPS
|
|
||||||
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
|
||||||
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
|
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
|
||||||
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
|
- Add proper quoting so '&' is not treated as a special character by the shell.
|
||||||
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
|
- Related: rhbz#2083316
|
||||||
- Improve security properties test to check both enabled and disabled behaviour
|
|
||||||
- Run security properties test with property debugging on
|
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
|
||||||
|
- Fix whitespace in spec file
|
||||||
|
- Related: rhbz#2100674
|
||||||
|
|
||||||
|
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
|
||||||
|
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
|
||||||
|
- Related: rhbz#2100674
|
||||||
|
|
||||||
|
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
|
||||||
- Turn on system security properties as part of the build's install section
|
- Turn on system security properties as part of the build's install section
|
||||||
- Move cacerts replacement to install section and retain original of this and tzdb.dat
|
- Move cacerts replacement to install section and retain original of this and tzdb.dat
|
||||||
- Run tests on the installed image, rather than the build image
|
- Run tests on the installed image, rather than the build image
|
||||||
- Introduce variables to refer to the static library installation directories
|
- Introduce variables to refer to the static library installation directories
|
||||||
- Use relative symlinks so they work within the image
|
- Use relative symlinks so they work within the image
|
||||||
- Run debug symbols check during build stage, before the install strips them
|
- Run debug symbols check during build stage, before the install strips them
|
||||||
- Resolves: rhbz#2084779
|
- Related: rhbz#2100674
|
||||||
- Resolves: rhbz#2099919
|
|
||||||
- Resolves: rhbz#2107943
|
|
||||||
- Resolves: rhbz#2107941
|
|
||||||
- Resolves: rhbz#2106523
|
|
||||||
|
|
||||||
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
|
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
|
||||||
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
|
|
||||||
- Add proper quoting so '&' is not treated as a special character by the shell.
|
|
||||||
- Related: rhbz#2084779
|
|
||||||
|
|
||||||
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-2
|
|
||||||
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
|
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
|
||||||
- Resolves: rhbz#2105395
|
- Resolves: rhbz#2007331
|
||||||
|
|
||||||
|
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-4
|
||||||
|
- Update FIPS support to bring in latest changes
|
||||||
|
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
||||||
|
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||||
|
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
|
||||||
|
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
|
||||||
|
- Improve security properties test to check both enabled and disabled behaviour
|
||||||
|
- Run security properties test with property debugging on
|
||||||
|
- Resolves: rhbz#2099840
|
||||||
|
- Resolves: rhbz#2100674
|
||||||
|
|
||||||
|
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
|
||||||
|
- Add rpminspect.yaml to turn off Java bytecode inspections
|
||||||
|
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
|
||||||
|
- Resolves: rhbz#2101524
|
||||||
|
|
||||||
|
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
|
||||||
|
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
|
||||||
|
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
|
||||||
|
- RH2023467: Enable FIPS keys export
|
||||||
|
- RH2094027: SunEC runtime permission for FIPS
|
||||||
|
- Resolves: rhbz#2023467
|
||||||
|
- Resolves: rhbz#2094027
|
||||||
|
|
||||||
* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
|
* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
|
||||||
- April 2022 security update to jdk 17.0.3+7
|
- April 2022 security update to jdk 17.0.3+7
|
||||||
- Update to jdk-17.0.3.0+7 tarball
|
- Update to jdk-17.0.3.0+7 release tarball
|
||||||
- Update release notes to 17.0.3.0+7
|
- Update release notes to 17.0.3.0+6
|
||||||
- Add missing README.md and generate_source_tarball.sh
|
- Add missing README.md and generate_source_tarball.sh
|
||||||
- Resolves: rhbz#2073578
|
- Switch to GA mode for release
|
||||||
|
- JDK-8283911 patch no longer needed now we're GA...
|
||||||
|
- Resolves: rhbz#2073577
|
||||||
|
|
||||||
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-13
|
* Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
|
||||||
|
- Update to jdk-17.0.3.0+5
|
||||||
|
- Update release notes to 17.0.3.0+5
|
||||||
|
- Resolves: rhbz#2050456
|
||||||
|
|
||||||
|
* Tue Mar 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea
|
||||||
|
- Update to jdk-17.0.3.0+1
|
||||||
|
- Update release notes to 17.0.3.0+1
|
||||||
|
- Switch to EA mode for 17.0.3 pre-release builds.
|
||||||
|
- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
|
||||||
|
- Related: rhbz#2050456
|
||||||
|
|
||||||
|
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-15
|
||||||
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
||||||
- Resolves: rhbz#2055383
|
- Resolves: rhbz#2052070
|
||||||
|
|
||||||
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
|
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-14
|
||||||
- Add rpminspect.yaml to turn off Java bytecode inspections
|
|
||||||
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
|
|
||||||
- Resolves: rhbz#2023540
|
|
||||||
|
|
||||||
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
|
|
||||||
- Introduce tests/tests.yml, based on the one in java-11-openjdk
|
- Introduce tests/tests.yml, based on the one in java-11-openjdk
|
||||||
- Resolves: rhbz#2058490
|
- Resolves: rhbz#2058493
|
||||||
|
|
||||||
|
* Sun Feb 27 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-13
|
||||||
|
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
|
||||||
|
secmod.db file as part of nss
|
||||||
|
- Resolves: rhbz#2023536
|
||||||
|
|
||||||
|
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
|
||||||
|
- Detect NSS at runtime for FIPS detection
|
||||||
|
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
|
||||||
|
- Resolves: rhbz#2051605
|
||||||
|
|
||||||
|
* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
|
||||||
|
- Add JDK-8275535 patch to fix LDAP authentication issue.
|
||||||
|
- Resolves: rhbz#2053256
|
||||||
|
|
||||||
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10
|
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10
|
||||||
- Storing and restoring alterntives during update manually
|
- Storing and restoring alterntives during update manually
|
||||||
@ -2678,30 +2848,28 @@ cjc.mainProgram(args)
|
|||||||
-- the selection in family
|
-- the selection in family
|
||||||
-- Thus this fix, is storing the family of manually selected master, and if
|
-- Thus this fix, is storing the family of manually selected master, and if
|
||||||
-- stored, then it is restoring the family of the master
|
-- stored, then it is restoring the family of the master
|
||||||
- Resolves: rhbz#2008206
|
- Resolves: rhbz#2008200
|
||||||
|
|
||||||
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9
|
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9
|
||||||
- Family extracted to globals
|
- Family extracted to globals
|
||||||
- Related: rhbz#2008206
|
- Resolves: rhbz#2008200
|
||||||
|
|
||||||
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8
|
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-8
|
||||||
- Detect NSS at runtime for FIPS detection
|
- alternatives creation moved to posttrans
|
||||||
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
|
- Thus fixing the old reisntall issue:
|
||||||
- Resolves: rhbz#2052829
|
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
|
||||||
|
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
|
||||||
|
- Resolves: rhbz#2008200
|
||||||
|
|
||||||
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
|
* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
|
||||||
- Add JDK-8275535 patch to fix LDAP authentication issue.
|
|
||||||
- Resolves: rhbz#2053521
|
|
||||||
|
|
||||||
* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
|
|
||||||
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
|
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
|
||||||
- Resolves: rhbz#2052819
|
- Resolves: rhbz#2051590
|
||||||
|
|
||||||
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
|
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
|
||||||
- Fix FIPS issues in native code and with initialisation of java.security.Security
|
- Fix FIPS issues in native code and with initialisation of java.security.Security
|
||||||
- Resolves: rhbz#2023531
|
- Resolves: rhbz#2023378
|
||||||
|
|
||||||
* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-4
|
* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
|
||||||
- Restructure the build so a minimal initial build is then used for the final build (with docs)
|
- Restructure the build so a minimal initial build is then used for the final build (with docs)
|
||||||
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
|
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
|
||||||
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
|
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
|
||||||
@ -2714,108 +2882,92 @@ cjc.mainProgram(args)
|
|||||||
- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
|
- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
|
||||||
- Explicitly list JIT architectures rather than relying on those with slowdebug builds
|
- Explicitly list JIT architectures rather than relying on those with slowdebug builds
|
||||||
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
|
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
|
||||||
- Resolves: rhbz#2022826
|
- Resolves: rhbz#2022822
|
||||||
|
|
||||||
* Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
|
* Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-5
|
||||||
- Replaced tabs by sets of spaces to make rpmlint happy
|
- Replaced tabs by sets of spaces to make rpmlint happy
|
||||||
- javadoc-zip gets its own provides next to plain javadoc ones
|
- javadoc-zip gets its own provides next to plain javadoc ones
|
||||||
- Resolves: rhbz#2022826
|
- Resolves: rhbz#2022822
|
||||||
|
|
||||||
* Wed Feb 16 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-3
|
* Tue Feb 08 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
|
||||||
- Minor cosmetic improvements to make spec more comparable between variants
|
- Minor cosmetic improvements to make spec more comparable between variants
|
||||||
- Related: rhbz#2022826
|
- Related: rhbz#2022822
|
||||||
|
|
||||||
* Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
|
* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-3
|
||||||
- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
|
- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
|
||||||
- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
|
- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
|
||||||
- Related: rhbz#2022826
|
- Related: rhbz#2022822
|
||||||
|
|
||||||
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
|
* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
|
||||||
|
- Extend LTS check to exclude EPEL.
|
||||||
|
- Related: rhbz#2022822
|
||||||
|
|
||||||
|
* Thu Feb 03 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-2
|
||||||
|
- Set LTS designator.
|
||||||
|
- Related: rhbz#2022822
|
||||||
|
|
||||||
|
* Wed Jan 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
|
||||||
- January 2022 security update to jdk 17.0.2+8
|
- January 2022 security update to jdk 17.0.2+8
|
||||||
- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
|
- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
|
||||||
- Rename libsvml.so to libjsvml.so following JDK-8276025
|
- Rename libsvml.so to libjsvml.so following JDK-8276025
|
||||||
- Drop JDK-8276572 patch which is now upstream
|
- Resolves: rhbz#2039366
|
||||||
- Resolves: rhbz#2039392
|
|
||||||
|
|
||||||
* Thu Feb 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
|
* Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
|
||||||
- Sync desktop files with upstream IcedTea release 3.15.0 using new script
|
- Sync desktop files with upstream IcedTea release 3.15.0 using new script
|
||||||
- Related: rhbz#2022826
|
- Related: rhbz#2013842
|
||||||
|
|
||||||
* Mon Nov 29 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-2
|
* Tue Oct 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-2
|
||||||
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
|
- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
|
||||||
secmod.db file as part of nss
|
- Resolves: rhbz#2013842
|
||||||
- Resolves: rhbz#2023537
|
|
||||||
|
|
||||||
* Tue Nov 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-1
|
* Wed Oct 20 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-2
|
||||||
- Drop JDK-8272332 patch now included upstream.
|
|
||||||
- Resolves: rhbz#2013846
|
|
||||||
|
|
||||||
* Tue Nov 16 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-1
|
|
||||||
- October CPU update to jdk 17.0.1+12
|
- October CPU update to jdk 17.0.1+12
|
||||||
- Dropped commented-out source line
|
- Dropped commented-out source line
|
||||||
- Resolves: rhbz#2013846
|
- Resolves: rhbz#2013842
|
||||||
|
|
||||||
* Tue Nov 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-8
|
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
|
||||||
- Extend LTS check to exclude EPEL.
|
|
||||||
- Related: rhbz#2013846
|
|
||||||
|
|
||||||
* Tue Nov 09 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.35-8
|
|
||||||
- Set LTS designator.
|
|
||||||
- Related: rhbz#2013846
|
|
||||||
|
|
||||||
* Mon Nov 08 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-7
|
|
||||||
- alternatives creation moved to posttrans
|
|
||||||
- Thus fixing the old reinstall issue:
|
|
||||||
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
|
|
||||||
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
|
|
||||||
- Resolves: rhbz#2008206
|
|
||||||
|
|
||||||
* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
|
|
||||||
- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
|
|
||||||
- Related: rhbz#2013846
|
|
||||||
|
|
||||||
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
|
|
||||||
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
|
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
|
||||||
- Resolves: rhbz#1994682
|
- Resolves: rhbz#1994661
|
||||||
|
|
||||||
* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-5
|
* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-6
|
||||||
- Add patch to allow plain key import.
|
- Add patch to allow plain key import.
|
||||||
- Resolves: rhbz#1994682
|
- Resolves: rhbz#1994661
|
||||||
|
|
||||||
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4
|
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
|
||||||
- Update release notes to document the major changes between OpenJDK 11 & 17.
|
- Update release notes to document the major changes between OpenJDK 11 & 17.
|
||||||
- Resolves: rhbz#2000925
|
- Resolves: rhbz#2003072
|
||||||
|
|
||||||
* Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3
|
* Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3
|
||||||
- Update to jdk-17+35, also known as jdk-17-ga.
|
- Update to jdk-17+35, also known as jdk-17-ga.
|
||||||
- Switch to GA mode.
|
- Switch to GA mode.
|
||||||
- Add JDK-8272332 fix so we actually link against HarfBuzz.
|
- Add JDK-8272332 fix so we actually link against HarfBuzz.
|
||||||
- Resolves: rhbz#2000925
|
- Resolves: rhbz#2003072
|
||||||
|
- Resolves: rhbz#2004078
|
||||||
|
|
||||||
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea
|
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea
|
||||||
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
|
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
|
||||||
- Resolves: rhbz#1997359
|
- Resolves: rhbz#1996182
|
||||||
|
|
||||||
* Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea
|
* Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea
|
||||||
- Fix unused function compiler warning found in systemconf.c
|
- Fix unused function compiler warning found in systemconf.c
|
||||||
- Related: rhbz#1995889
|
- Related: rhbz#1995150
|
||||||
|
|
||||||
* Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea
|
* Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea
|
||||||
- Add patch to login to the NSS software token when in FIPS mode.
|
- Add patch to login to the NSS software token when in FIPS mode.
|
||||||
- Resolves: rhbz#1997359
|
- Resolves: rhbz#1996182
|
||||||
|
|
||||||
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea
|
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea
|
||||||
- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
|
- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
|
||||||
- Resolves: rhbz#1995889
|
- Resolves: rhbz#1995150
|
||||||
|
|
||||||
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea
|
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea
|
||||||
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
|
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
|
||||||
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
|
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
|
||||||
- Related: rhbz#1995889
|
- Related: rhbz#1995150
|
||||||
|
|
||||||
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea
|
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea
|
||||||
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
|
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
|
||||||
- Related: rhbz#1995889
|
- Related: rhbz#1995150
|
||||||
|
|
||||||
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea
|
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea
|
||||||
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
|
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
|
||||||
@ -2826,56 +2978,51 @@ cjc.mainProgram(args)
|
|||||||
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
|
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
|
||||||
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
|
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
|
||||||
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
|
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
|
||||||
- Related: rhbz#1995889
|
- Related: rhbz#1995150
|
||||||
|
|
||||||
* Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea
|
* Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea
|
||||||
- Support the FIPS mode crypto policy (RH1655466)
|
- Support the FIPS mode crypto policy (RH1655466)
|
||||||
- Use appropriate keystore types when in FIPS mode (RH1818909)
|
- Use appropriate keystore types when in FIPS mode (RH1818909)
|
||||||
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
|
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
|
||||||
- Related: rhbz#1995889
|
- Related: rhbz#1995150
|
||||||
|
|
||||||
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea
|
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea
|
||||||
- Update to jdk-17+33, including JDWP fix and July 2021 CPU
|
- Update to jdk-17+33, including JDWP fix and July 2021 CPU
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea
|
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea
|
||||||
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
|
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
|
||||||
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
|
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:17.0.0.0.26-0.4.ea.1
|
* Wed Aug 25 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
|
||||||
Related: rhbz#1991688
|
|
||||||
|
|
||||||
* Wed Jul 14 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
|
|
||||||
- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
|
- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Tue Jul 13 2021 Jiri Vanek <pmikova@redhat.com> - 1:17.0.0.0.26-0.3.ea
|
* Wed Aug 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.3.ea
|
||||||
- Add gating support
|
|
||||||
- Resolves: rhbz#1870625
|
|
||||||
|
|
||||||
* Fri Jun 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
|
|
||||||
- Re-enable TestSecurityProperties after inclusion of PR3695
|
- Re-enable TestSecurityProperties after inclusion of PR3695
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
|
* Wed Aug 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.3.ea
|
||||||
- Add PR3695 to allow the system crypto policy to be turned off
|
- Add PR3695 to allow the system crypto policy to be turned off
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.1.ea
|
* Wed Jul 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
|
||||||
- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
|
- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Thu Jun 24 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.1.ea
|
* Wed Jul 14 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
|
||||||
- Update buildjdkver to 17 so as to build with itself
|
- Update buildjdkver to 17 so as to build with itself
|
||||||
- Resolves: rhbz#1870625
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
|
* Tue Jul 13 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.26-0.1.ea
|
||||||
|
- Add gating support
|
||||||
|
- Resolves: rhbz#1959487
|
||||||
|
|
||||||
* Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea
|
* Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea
|
||||||
- Rename to java-17-openjdk and bootstrap using boot JDK in local sources
|
- Rename as java-17-openjdk and bootstrap using boot JDK in local sources
|
||||||
- Exclude x86 as this is not supported by OpenJDK 17
|
- Exclude x86 as this is not supported by OpenJDK 17
|
||||||
- Use unzip to test src.zip to avoid looking for jar on path
|
- Resolves: rhbz#1959487
|
||||||
- Resolves: rhbz#1870625
|
|
||||||
|
|
||||||
* Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling
|
* Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling
|
||||||
- update sources to jdk 17.0.0+26
|
- update sources to jdk 17.0.0+26
|
||||||
@ -2889,9 +3036,6 @@ cjc.mainProgram(args)
|
|||||||
- add lib/libsvml.so for intel
|
- add lib/libsvml.so for intel
|
||||||
- skip debuginfo check for libsyslookup.so on s390x
|
- skip debuginfo check for libsyslookup.so on s390x
|
||||||
|
|
||||||
* Fri May 07 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
|
|
||||||
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
|
|
||||||
|
|
||||||
* Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
|
* Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
|
||||||
- adapted to debug handling in newer cjc
|
- adapted to debug handling in newer cjc
|
||||||
- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
|
- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
|
||||||
|
Loading…
Reference in New Issue
Block a user