From 0f79d6096eee84c5b5555dac3e95d5430a493c98 Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Tue, 11 Mar 2025 07:30:09 +0000 Subject: [PATCH] import CS java-21-openjdk-21.0.6.0.7-2.el9 --- .gitignore | 2 +- .java-21-openjdk.metadata | 2 +- .../0001-Allow-devkit-to-work-with-RHEL.patch | 54 + SOURCES/0002-Disable-multilib-on-x86_64.patch | 50 + SOURCES/0003-Log-devkit-build-to-stdout.patch | 92 + ...omment-sections-from-sysroot-objects.patch | 41 + ...ure-binutils-with-enable-determinist.patch | 35 + ...-enable-linker-build-id-to-gcc-build.patch | 35 + ...e-systemtap-sdt-devel-on-s390x-ppc64.patch | 38 + ...date-repository-on-RHEL-rather-than-.patch | 33 + SOURCES/NEWS | 2641 +++++++++++++ SOURCES/README.md | 39 +- SOURCES/TestTranslations.java | 2 +- SOURCES/alt-java.c | 100 + SOURCES/discover_trees.sh | 54 - ...ecce3.patch => fips-21u-0a42e29b391.patch} | 3480 ++--------------- SOURCES/gating.yaml | 7 - SOURCES/generate_source_tarball.sh | 210 - SOURCES/icedtea_sync.sh | 191 - SOURCES/java-21-openjdk-portable.specfile | 1110 ++++-- .../jdk8274864-remove_amman_cairo_hacks.patch | 53 - SOURCES/jdk8305113-tzdata2023c.patch | 1098 ------ SOURCES/nss.cfg.in | 5 - SOURCES/openjdk-devkit.specfile | 230 ++ SOURCES/openjdk_news.sh | 76 - ...sible_toolkit_crash_do_not_break_jvm.patch | 16 - ...ut_nss_cfg_provider_to_java_security.patch | 12 - ...va_access_bridge_privileged_security.patch | 20 - ...lite-libs_instead_of_pcsc-lite-devel.patch | 13 - SOURCES/rh1750419-redhat_alt_java.patch | 117 - ...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 - SOURCES/rpminspect.yaml | 3 - SPECS/java-21-openjdk.spec | 874 +++-- 33 files changed, 5064 insertions(+), 5688 deletions(-) create mode 100644 SOURCES/0001-Allow-devkit-to-work-with-RHEL.patch create mode 100644 SOURCES/0002-Disable-multilib-on-x86_64.patch create mode 100644 SOURCES/0003-Log-devkit-build-to-stdout.patch create mode 100644 SOURCES/0004-devkit-Remove-.comment-sections-from-sysroot-objects.patch create mode 100644 SOURCES/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch 
create mode 100644 SOURCES/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch create mode 100644 SOURCES/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch create mode 100644 SOURCES/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch create mode 100644 SOURCES/NEWS create mode 100644 SOURCES/alt-java.c delete mode 100755 SOURCES/discover_trees.sh rename SOURCES/{fips-17u-bf363eecce3.patch => fips-21u-0a42e29b391.patch} (55%) delete mode 100644 SOURCES/gating.yaml delete mode 100755 SOURCES/generate_source_tarball.sh delete mode 100755 SOURCES/icedtea_sync.sh delete mode 100644 SOURCES/jdk8274864-remove_amman_cairo_hacks.patch delete mode 100644 SOURCES/jdk8305113-tzdata2023c.patch delete mode 100644 SOURCES/nss.cfg.in create mode 100644 SOURCES/openjdk-devkit.specfile delete mode 100755 SOURCES/openjdk_news.sh delete mode 100644 SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch delete mode 100644 SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch delete mode 100644 SOURCES/rh1648644-java_access_bridge_privileged_security.patch delete mode 100644 SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch delete mode 100644 SOURCES/rh1750419-redhat_alt_java.patch delete mode 100644 SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch delete mode 100644 SOURCES/rpminspect.yaml
diff --git a/.gitignore b/.gitignore
index 1a00041..901853b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk21u-jdk-21+35.tar.xz
+SOURCES/openjdk-21.0.6+7.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-21-openjdk.metadata b/.java-21-openjdk.metadata
index ae90064..f2574ad 100644
--- a/.java-21-openjdk.metadata
+++ b/.java-21-openjdk.metadata
@@ -1,2 +1,2 @@
-3b6c7f1bbc1098cf1a54d7aa7394c90da53ae665 SOURCES/openjdk-jdk21u-jdk-21+35.tar.xz
+fad71f19631dab375285056d10d08374e869bb35 SOURCES/openjdk-21.0.6+7.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/0001-Allow-devkit-to-work-with-RHEL.patch b/SOURCES/0001-Allow-devkit-to-work-with-RHEL.patch
new file mode 100644
index 0000000..2f65815
--- /dev/null
+++ b/SOURCES/0001-Allow-devkit-to-work-with-RHEL.patch
@@ -0,0 +1,54 @@
+From 7733d625ebdea5a6f323a0c5944fb8ab728d1b2b Mon Sep 17 00:00:00 2001
+From: Andrew Hughes
+Date: Sat, 25 Nov 2023 17:29:36 +0000
+Subject: [PATCH] Allow devkit to work with RHEL
+
+---
+ make/devkit/Makefile | 2 +-
+ make/devkit/Tools.gmk | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/make/devkit/Makefile b/make/devkit/Makefile
+index c85a7c21d29..8f69d23c325 100644
+--- a/make/devkit/Makefile
++++ b/make/devkit/Makefile
+@@ -58,7 +58,7 @@
+ COMMA := ,
+
+ os := $(shell uname -o)
+-cpu := $(shell uname -p)
++cpu := $(shell uname -m)
+
+ # Figure out what platform this is building on.
+ me := $(cpu)-$(if $(findstring Linux,$(os)),linux-gnu)
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 187320ca26e..001f4b1870c 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -62,6 +62,14 @@ ifeq ($(BASE_OS), OL)
+ BASE_URL := http://yum.oracle.com/repo/OracleLinux/OL6/4/base/$(ARCH)/
+ LINUX_VERSION := OL6.4
+ endif
++else ifeq ($(BASE_OS), RHEL)
++ ifeq ($(ARCH), aarch64)
++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-ALT-7/compose/Server/$(ARCH)/os/Packages/
++ LINUX_VERSION := RHEL7.6
++ else
++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-7/compose/Server/$(ARCH)/os/Packages/
++ LINUX_VERSION := RHEL7.9
++ endif
+ else ifeq ($(BASE_OS), Fedora)
+ ifeq ($(ARCH), riscv64)
+ DEFAULT_OS_VERSION := rawhide/68692
+@@ -246,7 +254,7 @@ download-rpms:
+ # Only run this if rpm dir is empty.
+ ifeq ($(wildcard $(DOWNLOAD_RPMS)/*.rpm), )
+ cd $(DOWNLOAD_RPMS) && \
+- wget -r -np -nd $(patsubst %, -A "*%*.rpm", $(RPM_LIST)) $(BASE_URL)
++ wget -r -e robots=off -np -nd $(patsubst %, -A "*%*.rpm", $(RPM_LIST)) $(BASE_URL)
+ endif
+
+ ##########################################################################################
+--
+2.45.2
+
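Review bot: The `download-rpms` recipe in the last Tools.gmk hunk pulls every RPM matching `RPM_LIST` from `$(BASE_URL)` with a recursive `wget`, and nothing in the visible lines checks a signature or digest before those packages feed the devkit sysroot. The new RHEL `BASE_URL` values also resolve through a `latest-` compose path, so the inputs can change between builds without any change here; patch 0008 keeps the same pattern when it switches to the updates tree. I would add a verification step after the download, e.g. `rpm -K $(DOWNLOAD_RPMS)/*.rpm` with the release key imported, and log which compose was resolved. The recipe continues outside the hunk, so if a check already exists further down, a comment beside the `wget` line such as `# RPMs are verified in <target>` would be enough.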
diff --git a/SOURCES/0002-Disable-multilib-on-x86_64.patch b/SOURCES/0002-Disable-multilib-on-x86_64.patch
new file mode 100644
index 0000000..0459b06
--- /dev/null
+++ b/SOURCES/0002-Disable-multilib-on-x86_64.patch
@@ -0,0 +1,50 @@
+From e55afc691c0105623e04a6e76369cf1438afb874 Mon Sep 17 00:00:00 2001
+From: Andrew Hughes
+Date: Fri, 8 Dec 2023 21:22:02 +0000
+Subject: [PATCH] Disable multilib on x86_64
+
+---
+ make/devkit/Tools.gmk | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 001f4b1870c..9ede781413d 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -225,13 +225,7 @@ RPM_LIST := \
+ ##########################################################################################
+ # Define common directories and files
+
+-# Ensure we have 32-bit libs also for x64. We enable mixed-mode.
+-ifeq (x86_64,$(ARCH))
+- LIBDIRS := lib64 lib
+- CFLAGS_lib := -m32
+-else
+- LIBDIRS := lib
+-endif
++LIBDIRS := lib
+
+ # Define directories
+ BUILDDIR := $(OUTPUT_ROOT)/$(HOST)/$(TARGET)
+@@ -289,8 +283,7 @@ $(foreach p,GCC BINUTILS CCACHE MPFR GMP MPC GDB,$(eval $(call Download,$(p))))
+
+ RPM_ARCHS := $(ARCH) noarch
+ ifeq ($(ARCH),x86_64)
+- # Enable mixed mode.
+- RPM_ARCHS += i386 i686
++ RPM_ARCHS += i686
+ else ifeq ($(ARCH),i686)
+ RPM_ARCHS += i386
+ else ifeq ($(ARCH), armhfp)
+@@ -526,7 +519,7 @@ ifeq ($(ARCH), armhfp)
+ $(BUILDDIR)/$(gcc_ver)/Makefile : CONFIG += --with-float=hard
+ endif
+
+-ifneq ($(filter riscv64 ppc64 ppc64le s390x, $(ARCH)), )
++ifneq ($(filter riscv64 ppc64 ppc64le s390x x86_64, $(ARCH)), )
+ # We only support 64-bit on these platforms anyway
+ CONFIG += --disable-multilib
+ endif
+--
+2.45.2
+
diff --git a/SOURCES/0003-Log-devkit-build-to-stdout.patch b/SOURCES/0003-Log-devkit-build-to-stdout.patch
new file mode 100644
index 0000000..a508301
--- /dev/null
+++ b/SOURCES/0003-Log-devkit-build-to-stdout.patch
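Review bot: In the `RPM_ARCHS` hunk the `# Enable mixed mode.` comment is removed but `RPM_ARCHS += i686` is kept for x86_64, while the same patch sets `LIBDIRS := lib` and adds x86_64 to the `--disable-multilib` list. That leaves 32-bit packages being downloaded for the sysroot with no stated reason. Either drop the line or replace the comment with the actual reason, e.g. `# i686 RPMs still required for <reason>`; fewer packages in the sysroot also means fewer inputs to verify.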
@@ -0,0 +1,92 @@
+From fbc27183b35df7778cf106450b144474f8e2a35c Mon Sep 17 00:00:00 2001
+From: Andrew Hughes
+Date: Wed, 30 Oct 2024 00:42:06 +0000
+Subject: [PATCH] Log devkit build to stdout
+
+Resolves: OPENJDK-3071
+---
+ make/devkit/Tools.gmk | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 9ede781413d..b6f895f5a25 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -458,7 +458,7 @@ $(BUILDDIR)/$(binutils_ver)/Makefile \
+ --enable-multilib \
+ --enable-threads \
+ --enable-plugins \
+- ) > $(@D)/log.config 2>&1
++ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+ $(BUILDDIR)/$(mpfr_ver)/Makefile \
+@@ -473,7 +473,7 @@ $(BUILDDIR)/$(mpfr_ver)/Makefile \
+ --program-prefix=$(TARGET)- \
+ --enable-shared=no \
+ --with-gmp=$(PREFIX) \
+- ) > $(@D)/log.config 2>&1
++ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+ $(BUILDDIR)/$(gmp_ver)/Makefile \
+@@ -490,7 +490,7 @@ $(BUILDDIR)/$(gmp_ver)/Makefile \
+ --program-prefix=$(TARGET)- \
+ --enable-shared=no \
+ --with-mpfr=$(PREFIX) \
+- ) > $(@D)/log.config 2>&1
++ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+ $(BUILDDIR)/$(mpc_ver)/Makefile \
+@@ -506,7 +506,7 @@ $(BUILDDIR)/$(mpc_ver)/Makefile \
+ --enable-shared=no \
+ --with-mpfr=$(PREFIX) \
+ --with-gmp=$(PREFIX) \
+- ) > $(@D)/log.config 2>&1
++ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+ # Only valid if glibc target -> linux
+@@ -549,7 +549,7 @@ $(BUILDDIR)/$(gcc_ver)/Makefile \
+ --with-mpfr=$(PREFIX) \
+ --with-gmp=$(PREFIX) \
+ --with-mpc=$(PREFIX) \
+- ) > $(@D)/log.config 2>&1
++ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+ # need binutils for gcc
+@@ -571,7 +571,7 @@ ifeq ($(HOST), $(TARGET))
+ $(PATHPRE) $(ENVS) CFLAGS="$(CFLAGS)" $(GDB_CFG) \
+ $(CONFIG) \
+ --with-sysroot=$(SYSROOT) \
+- ) > $(@D)/log.config 2>&1
++ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+ $(gdb): $(gcc)
+@@ -593,7 +593,7 @@
$(BUILDDIR)/$(ccache_ver)/Makefile \ + cd $(@D) ; \ + $(PATHPRE) $(ENVS) $(CCACHE_CFG) \ + $(CONFIG) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + gccpatch = $(TARGETDIR)/gcc-patched +@@ -641,9 +641,9 @@ endif + # Always need to build cross tools for build host self. + $(TARGETDIR)/%.done : $(BUILDDIR)/%/Makefile + $(info Building $(basename $@). Log in $( $(&1 ++ $(PATHPRE) $(ENVS) $(MAKE) $(BUILDPAR) -f $< -C $(&1 | tee $( $(&1 ++ $(PATHPRE) $(MAKE) $(INSTALLPAR) -f $< -C $(&1 | tee $( +Date: Wed, 20 Mar 2024 13:01:47 -0400 +Subject: [PATCH] devkit: Remove .comment sections from sysroot objects + +Otherwise the comment sections of C runtime objects, including those +in static libraries like libc_nonshared.a, contribute RPM package +version strings to the .comment section in devkit-produced binaries +and libraries. These RPM package strings change frequently, even +across minor toolchain updates. Their presence interferes when +comparing binaries built with devkits that use different sysroot RPM +package sets. +--- + make/devkit/Tools.gmk | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index b6f895f5a25..37ea1a6a287 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -324,6 +324,9 @@ $(foreach p,$(RPM_FILE_LIST),$(eval $(call unrpm,$(p)))) + # have it anyway, but just to make sure... + # Patch libc.so and libpthread.so to force linking against libraries in sysroot + # and not the ones installed on the build machine. ++# Remove comment sections from static libraries and C runtime objects ++# to prevent leaking RHEL-specific package versions into ++# devkit-produced binaries. 
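Review bot: Replacing `> $(@D)/log.config 2>&1` with `2>&1 | tee $(@D)/log.config` makes each recipe line's exit status that of `tee`, so a failing `configure` (and, in the last hunk, what appears to be the `$(MAKE)` build and install steps) no longer stops the devkit build unless the shell runs with `pipefail`. Nothing in the visible hunks sets `SHELL` or `.SHELLFLAGS`, so under the default `/bin/sh` the following `@echo 'done'` would still run and the target could be treated as built from a broken toolchain step. I would set `SHELL := bash` and `.SHELLFLAGS := -o pipefail -c` near the top of Tools.gmk, or start each affected recipe with `set -o pipefail;`. This applies to all nine changed lines; the recipes begin outside the hunks.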
+ $(libs) : $(rpms)
+ @echo Patching libc and pthreads
+ @(for f in `find $(SYSROOT) -name libc.so -o -name libpthread.so`; do \
+@@ -333,6 +336,7 @@ $(libs) : $(rpms)
+ -e 's|/lib/||g' ) > $$f.tmp ; \
+ mv $$f.tmp $$f ; \
+ done)
++ @find $(SYSROOT) -name '*.[ao]' -exec objcopy --remove-section .comment '{}' ';'
+ @mkdir -p $(SYSROOT)/usr/lib
+ @touch $@
+
+--
+2.45.2
+
diff --git a/SOURCES/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch b/SOURCES/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch
new file mode 100644
index 0000000..005c8b6
--- /dev/null
+++ b/SOURCES/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch
@@ -0,0 +1,35 @@
+From c370e1194c707f3f6c470e147ec497cc4e76957e Mon Sep 17 00:00:00 2001
+From: Thomas Fitzsimmons
+Date: Fri, 22 Mar 2024 16:03:17 -0400
+Subject: [PATCH] Tools.gmk: Configure binutils with
+ --enable-deterministic-archives
+
+---
+ make/devkit/Tools.gmk | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 37ea1a6a287..22c6007000b 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -445,6 +445,9 @@ endif
+
+ # Makefile creation. Simply run configure in build dir.
+ # Setting CFLAGS to -O2 generates a much faster ld.
++# Use --enable-deterministic-archives so that make targets that
++# generate "ar" archives, such as "static-libs-image", produce
++# deterministic .a files.
+ $(bfdmakes) \
+ $(BUILDDIR)/$(binutils_ver)/Makefile \
+ : $(BINUTILS_CFG)
+@@ -459,6 +462,7 @@ $(BUILDDIR)/$(binutils_ver)/Makefile \
+ --with-sysroot=$(SYSROOT) \
+ --disable-nls \
+ --program-prefix=$(TARGET)- \
++ --enable-deterministic-archives \
+ --enable-multilib \
+ --enable-threads \
+ --enable-plugins \
+--
+2.45.2
+
diff --git a/SOURCES/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch b/SOURCES/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch
new file mode 100644
index 0000000..367c79c
--- /dev/null
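Review bot: The added `@find $(SYSROOT) -name '*.[ao]' -exec objcopy --remove-section .comment '{}' ';'` line cannot fail the recipe, because with the `';'` form `find` does not propagate the exit status of `objcopy`, and the leading `@` keeps the command out of the log. If `objcopy` rejects a file, the sysroot keeps its `.comment` sections and the rule still reaches `@touch $@`, which silently defeats the binary comparison this patch is meant to enable. A form that surfaces failures, such as `find $(SYSROOT) -name '*.[ao]' -print0 | xargs -0 -n1 objcopy --remove-section .comment`, would be safer. The line also uses whatever `objcopy` is first on the host `PATH`; a short comment saying that is intended would help.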
+++ b/SOURCES/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch
@@ -0,0 +1,35 @@
+From 5958274571b957617d0572101a92217fd5b2f312 Mon Sep 17 00:00:00 2001
+From: Andrew Hughes
+Date: Wed, 27 Nov 2024 17:04:19 +0000
+Subject: [PATCH] Tools.gmk: Add --enable-linker-build-id to gcc build
+
+This causes --build-id to be passed to the linker, and the
+.note.gnu.build-id section is added (OPENJDK-3068)
+---
+ make/devkit/Tools.gmk | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 22c6007000b..57d48ec5114 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -539,6 +539,8 @@ endif
+ # skip native language.
+ # and link and assemble with the binutils we created
+ # earlier, so --with-gnu*
++# Add --enable-linker-build-id so the .note.gnu.build-id
++# section is added by the linker (OPENJDK-3068)
+ $(BUILDDIR)/$(gcc_ver)/Makefile \
+ : $(GCC_CFG)
+ $(info Configuring $@. Log in $(@D)/log.config)
+@@ -557,6 +559,7 @@ $(BUILDDIR)/$(gcc_ver)/Makefile \
+ --with-mpfr=$(PREFIX) \
+ --with-gmp=$(PREFIX) \
+ --with-mpc=$(PREFIX) \
++ --enable-linker-build-id \
+ ) 2>&1 | tee $(@D)/log.config
+ @echo 'done'
+
+--
+2.45.2
+
diff --git a/SOURCES/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch b/SOURCES/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch
new file mode 100644
index 0000000..240dcad
--- /dev/null
+++ b/SOURCES/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch
@@ -0,0 +1,38 @@
+From 2617c050a909265444b32063b2d271eca42dcaa6 Mon Sep 17 00:00:00 2001
+From: Andrew Hughes
+Date: Fri, 17 Jan 2025 21:11:01 +0000
+Subject: [PATCH] Tools.gmk: Exclude systemtap-sdt-devel on s390x & ppc64*
+
+There is no DTrace support on s390x (JDK-8305174) and ppc64
+(JDK-8304867) so we don't need the RPMs. They also cause issues with
+static linkage of libstdc++.a on s390x. It fails with 'error:
+relocation refers to local symbol "" [9], which is defined in a
+discarded section'.
+
+Resolves: OPENJDK-3070
+---
+ make/devkit/Tools.gmk | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 57d48ec5114..07928f69ceb 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -219,9 +219,13 @@ RPM_LIST := \
+ zlib zlib-devel \
+ libffi libffi-devel \
+ fontconfig fontconfig-devel \
+- systemtap-sdt-devel \
+ #
+
++# Only include SystemTap on supported architectures
++ifeq ($(filter ppc64 ppc64le s390x, $(ARCH)), )
++ RPM_LIST += systemtap-sdt-devel
++endif
++
+ ##########################################################################################
+ # Define common directories and files
+
+--
+2.45.2
+
diff --git a/SOURCES/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch b/SOURCES/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
new file mode 100644
index 0000000..28ba831
--- /dev/null
+++ b/SOURCES/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
@@ -0,0 +1,33 @@
+From 9766818f55726cea630b432f09cce8f9c17c014d Mon Sep 17 00:00:00 2001
+From: Andrew Hughes
+Date: Fri, 17 Jan 2025 21:27:58 +0000
+Subject: [PATCH] Tools.gmk: Use update repository on RHEL rather than GA
+
+It looks like we were using 7.6 & 7.9 GA repositories rather than
+the latest updates.
+
+Resolves: OPENJDK-3589
+---
+ make/devkit/Tools.gmk | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
+index 07928f69ceb..5b39560ab11 100644
+--- a/make/devkit/Tools.gmk
++++ b/make/devkit/Tools.gmk
+@@ -64,10 +64,10 @@ ifeq ($(BASE_OS), OL)
+ endif
+ else ifeq ($(BASE_OS), RHEL)
+ ifeq ($(ARCH), aarch64)
+- BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-ALT-7/compose/Server/$(ARCH)/os/Packages/
++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/updates/RHEL-ALT-7/latest-RHEL-ALT-7/compose/Server/$(ARCH)/os/Packages/
+ LINUX_VERSION := RHEL7.6
+ else
+- BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-7/compose/Server/$(ARCH)/os/Packages/
++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/updates/RHEL-7/latest-RHEL-7/compose/Server/$(ARCH)/os/Packages/
+ LINUX_VERSION := RHEL7.9
+ endif
+ else ifeq ($(BASE_OS), Fedora)
+--
+2.45.2
+
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
new file mode 100644
index 0000000..8fdac2e
--- /dev/null
+++ b/SOURCES/NEWS
@@ -0,0 +1,2641 @@
+Key:
+
+JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
+CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+
+New in release OpenJDK 21.0.6 (2025-01-21):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk2106
+
+* CVEs
+ - CVE-2025-21502
+* Changes
+ - JDK-6942632: Hotspot should be able to use more than 64 logical processors on Windows
+ - JDK-8028127: Regtest java/security/Security/SynchronizedAccess.java is incorrect
+ - JDK-8195675: Call to insertText with single character from custom Input Method ignored
+ - JDK-8207908: JMXStatusTest.java fails assertion intermittently
+ - JDK-8225220: When the Tab Policy is checked,the scroll button direction displayed incorrectly.
+ - JDK-8240343: JDI stopListening/stoplis001 "FAILED: listening is successfully stopped without starting listening"
+ - JDK-8283214: [macos] Screen magnifier does not show the magnified text for JComboBox
+ - JDK-8296787: Unify debug printing format of X.509 cert serial numbers
+ - JDK-8296972: [macos13] java/awt/Frame/MaximizedToIconified/MaximizedToIconified.java: getExtendedState() != 6 as expected.
+ - JDK-8306446: java/lang/management/ThreadMXBean/Locks.java transient failures + - JDK-8308429: jvmti/StopThread/stopthrd007 failed with "NoClassDefFoundError: Could not initialize class jdk.internal.misc.VirtualThreads" + - JDK-8309218: java/util/concurrent/locks/Lock/OOMEInAQS.java still times out with ZGC, Generational ZGC, and SerialGC + - JDK-8311301: MethodExitTest may fail with stack buffer overrun + - JDK-8311656: Shenandoah: Unused ShenandoahSATBAndRemarkThreadsClosure::_claim_token + - JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above + - JDK-8313374: --enable-ccache's CCACHE_BASEDIR breaks builds + - JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le + - JDK-8315701: [macos] Regression: KeyEvent has different keycode on different keyboard layouts + - JDK-8316428: G1: Nmethod count statistics only count last code root set iterated + - JDK-8316893: Compile without -fno-delete-null-pointer-checks + - JDK-8316895: SeenThread::print_action_queue called on a null pointer + - JDK-8316907: Fix nonnull-compare warnings + - JDK-8317116: Provide layouts for multiple test UI in PassFailJFrame + - JDK-8317575: AArch64: C2_MacroAssembler::fast_lock uses rscratch1 for cmpxchg result + - JDK-8318105: [jmh] the test java.security.HSS failed with 2 active threads + - JDK-8318442: java/net/httpclient/ManyRequests2.java fails intermittently on Linux + - JDK-8319640: ClassicFormat::parseObject (from DateTimeFormatter) does not conform to the javadoc and may leak DateTimeException + - JDK-8319673: Few security tests ignore VM flags + - JDK-8319678: Several tests from corelibs areas ignore VM flags + - JDK-8319960: RISC-V: compiler/intrinsics/TestInteger/LongUnsignedDivMod.java failed with "counts: Graph contains wrong number of nodes" + - JDK-8319970: AArch64: enable tests compiler/intrinsics/Test(Long|Integer)UnsignedDivMod.java on aarch64 + - JDK-8319973: AArch64: Save and restore FPCR in the call stub + - JDK-8320192: 
SHAKE256 does not work correctly if n >= 137 + - JDK-8320397: RISC-V: Avoid passing t0 as temp register to MacroAssembler:: cmpxchg_obj_header/cmpxchgptr + - JDK-8320575: generic type information lost on mandated parameters of record's compact constructors + - JDK-8320586: update manual test/jdk/TEST.groups + - JDK-8320665: update jdk_core at open/test/jdk/TEST.groups + - JDK-8320673: PageFormat/CustomPaper.java has no Pass/Fail buttons; multiple instructions + - JDK-8320682: [AArch64] C1 compilation fails with "Field too big for insn" + - JDK-8320892: AArch64: Restore FPU control state after JNI + - JDK-8321299: runtime/logging/ClassLoadUnloadTest.java doesn't reliably trigger class unloading + - JDK-8321470: ThreadLocal.nextHashCode can be static final + - JDK-8321474: TestAutoCreateSharedArchiveUpgrade.java should be updated with JDK 21 + - JDK-8321543: Update NSS to version 3.96 + - JDK-8321550: Update several runtime/cds tests to use vm flags or mark as flagless + - JDK-8321616: Retire binary test vectors in test/jdk/java/util/zip/ZipFile + - JDK-8321940: Improve CDSHeapVerifier in handling of interned strings + - JDK-8322166: Files.isReadable/isWritable/isExecutable expensive when file does not exist + - JDK-8322754: click JComboBox when dialog about to close causes IllegalComponentStateException + - JDK-8322809: SystemModulesMap::classNames and moduleNames arrays do not match the order + - JDK-8322830: Add test case for ZipFile opening a ZIP with no entries + - JDK-8323562: SaslInputStream.read() may return wrong value + - JDK-8323688: C2: Fix UB of jlong overflow in PhaseIdealLoop::is_counted_loop() + - JDK-8324841: PKCS11 tests still skip execution + - JDK-8324861: Exceptions::wrap_dynamic_exception() doesn't have ResourceMark + - JDK-8325038: runtime/cds/appcds/ProhibitedPackage.java can fail with UseLargePages + - JDK-8325399: Add tests for virtual threads doing Selector operations + - JDK-8325506: Ensure randomness is only read from provided 
SecureRandom object + - JDK-8325525: Create jtreg test case for JDK-8325203 + - JDK-8325610: CTW: Add StressIncrementalInlining to stress options + - JDK-8325762: Use PassFailJFrame.Builder.splitUI() in PrintLatinCJKTest.java + - JDK-8325851: Hide PassFailJFrame.Builder constructor + - JDK-8325906: Problemlist vmTestbase/vm/mlvm/meth/stress/compiler/deoptimize/Test.java#id1 until JDK-8320865 is fixed + - JDK-8326100: DeflaterDictionaryTests should use Deflater.getBytesWritten instead of Deflater.getTotalOut + - JDK-8326121: vmTestbase/gc/g1/unloading/tests/unloading_keepRef_rootClass_inMemoryCompilation_keep_cl failed with Full gc happened. Test was useless. + - JDK-8326611: Clean up vmTestbase/nsk/stress/stack tests + - JDK-8326898: NSK tests should listen on loopback addresses only + - JDK-8327924: Simplify TrayIconScalingTest.java + - JDK-8328021: Convert applet test java/awt/List/SetFontTest/SetFontTest.html to main program + - JDK-8328242: Add a log area to the PassFailJFrame + - JDK-8328303: 3 JDI tests timed out with UT enabled + - JDK-8328379: Convert URLDragTest.html applet test to main + - JDK-8328402: Implement pausing functionality for the PassFailJFrame + - JDK-8328619: sun/management/jmxremote/bootstrap/SSLConfigFilePermissionTest.java failed with BindException: Address already in use + - JDK-8328665: serviceability/jvmti/vthread/PopFrameTest failed with a timeout + - JDK-8328723: IP Address error when client enables HTTPS endpoint check on server socket + - JDK-8329353: ResolvedReferencesNotNullTest.java failed with Incorrect resolved references array, quxString should not be archived + - JDK-8329533: TestCDSVMCrash fails on libgraal + - JDK-8330045: Enhance array handling + - JDK-8330278: Have SSLSocketTemplate.doClientSide use loopback address + - JDK-8330621: Make 5 compiler tests use ProcessTools.executeProcess + - JDK-8331391: Enhance the keytool code by invoking the buildTrustedCerts method for essential options + - JDK-8331393: AArch64: u32 
_partial_subtype_ctr loaded/stored as 64 + - JDK-8331864: Update Public Suffix List to 1cbd6e7 + - JDK-8332112: Update nsk.share.Log to don't print summary during VM shutdown hook + - JDK-8332340: Add JavacBench as a test case for CDS + - JDK-8332461: ubsan : dependencies.cpp:906:3: runtime error: load of value 4294967295, which is not a valid value for type 'DepType' + - JDK-8332724: x86 MacroAssembler may over-align code + - JDK-8332777: Update JCStress test suite + - JDK-8332866: Crash in ImageIO JPEG decoding when MEM_STATS in enabled + - JDK-8332901: Select{Current,New}ItemTest.java for Choice don't open popup on macOS + - JDK-8333098: ubsan: bytecodeInfo.cpp:318:59: runtime error: division by zero + - JDK-8333108: Update vmTestbase/nsk/share/DebugeeProcess.java to don't use finalization + - JDK-8333144: docker tests do not work when ubsan is configured + - JDK-8333235: vmTestbase/nsk/jdb/kill/kill001/kill001.java fails with C1 + - JDK-8333248: VectorGatherMaskFoldingTest.java failed when maximum vector bits is 64 + - JDK-8333317: Test sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java failed with: Invalid ECDH ServerKeyExchange signature + - JDK-8333427: langtools/tools/javac/newlines/NewLineTest.java is failing on Japanese Windows + - JDK-8333728: ubsan: shenandoahFreeSet.cpp:1347:24: runtime error: division by zero + - JDK-8333754: Add a Test against ECDSA and ECDH NIST Test vector + - JDK-8333824: Unused ClassValue in VarHandles + - JDK-8334057: JLinkReproducibleTest.java support receive test.tool.vm.opts + - JDK-8334405: java/nio/channels/Selector/SelectWithConsumer.java#id0 failed in testWakeupDuringSelect + - JDK-8334475: UnsafeIntrinsicsTest.java#ZGenerationalDebug assert(!assert_on_failure) failed: Has low-order bits set + - JDK-8334560: [PPC64]: postalloc_expand_java_dynamic_call_sched does not copy all fields + - JDK-8334562: Automate com/sun/security/auth/callback/TextCallbackHandler/Default.java test + - JDK-8334567: [test] 
runtime/os/TestTracePageSizes move ppc handling + - JDK-8334719: (se) Deferred close of SelectableChannel may result in a Selector doing the final close before concurrent I/O on channel has completed + - JDK-8335142: compiler/c1/TestTraceLinearScanLevel.java occasionally times out with -Xcomp + - JDK-8335172: Add manual steps to run security/auth/callback/TextCallbackHandler/Password.java test + - JDK-8335267: [XWayland] move screencast tokens from .awt to .java folder + - JDK-8335344: test/jdk/sun/security/tools/keytool/NssTest.java fails to compile + - JDK-8335428: Enhanced Building of Processes + - JDK-8335449: runtime/cds/DeterministicDump.java fails with File content different at byte ... + - JDK-8335530: Java file extension missing in AuthenticatorTest + - JDK-8335664: Parsing jsr broken: assert(bci>= 0 && bci < c->method()->code_size()) failed: index out of bounds + - JDK-8335709: C2: assert(!loop->is_member(get_loop(useblock))) failed: must be outside loop + - JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files + - JDK-8336240: Test com/sun/crypto/provider/Cipher/DES/PerformanceTest.java fails with java.lang.ArithmeticException + - JDK-8336257: Additional tests in jmxremote/startstop to match on PID not app name + - JDK-8336315: tools/jpackage/windows/WinChildProcessTest.java Failed: Check is calculator process is alive + - JDK-8336413: gtk headers : Fix typedef redeclaration of GMainContext and GdkPixbuf + - JDK-8336564: Enhance mask blit functionality redux + - JDK-8336640: Shenandoah: Parallel worker use in parallel_heap_region_iterate + - JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout + - JDK-8336911: ZGC: Division by zero in heuristics after JDK-8332717 + - JDK-8337066: Repeated call of StringBuffer.reverse with double byte string returns wrong result + - JDK-8337067: Test runtime/classFileParserBug/Bad_NCDFE_Msg.java won't compile + - 
JDK-8337320: Update ProblemList.txt with tests known to fail on XWayland + - JDK-8337331: crash: pinned virtual thread will lead to jvm crash when running with the javaagent option + - JDK-8337410: The makefiles should set problemlist and adjust timeout basing on the given VM flags + - JDK-8337780: RISC-V: C2: Change C calling convention for sp to NS + - JDK-8337810: ProblemList BasicDirectoryModel/LoaderThreadCount.java on Windows + - JDK-8337826: Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754 + - JDK-8337851: Some tests have name which confuse jtreg + - JDK-8337876: [IR Framework] Add support for IR tests with @Stable + - JDK-8337966: (fs) Files.readAttributes fails with Operation not permitted on older docker releases + - JDK-8338058: map_or_reserve_memory_aligned Windows enhance remap assertion + - JDK-8338101: remove old remap assertion in map_or_reserve_memory_aligned after JDK-8338058 + - JDK-8338109: java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java duplicate in ProblemList + - JDK-8338110: Exclude Fingerprinter::do_type from ubsan checks + - JDK-8338112: Test testlibrary_tests/ir_framework/tests/TestPrivilegedMode.java fails with release build + - JDK-8338344: Test TestPrivilegedMode.java intermittent fails java.lang.NoClassDefFoundError: jdk/test/lib/Platform + - JDK-8338380: Update TLSCommon/interop/AbstractServer to specify an interface to listen for connections + - JDK-8338389: [JFR] Long strings should be added to the string pool + - JDK-8338402: GHA: some of bundles may not get removed + - JDK-8338449: ubsan: division by zero in sharedRuntimeTrans.cpp + - JDK-8338550: Do libubsan1 installation in test container only if requested + - JDK-8338748: [17u,21u] Test Disconnect.java compile error: cannot find symbol after JDK-8299813 + - JDK-8338751: ConfigureNotify behavior has changed in KWin 6.2 + - JDK-8338759: Add extra diagnostic to java/net/InetAddress/ptr/Lookup.java + - JDK-8338924: C1: assert(0 <= i && i < 
_len) failed: illegal index 5 for length 5 + - JDK-8339080: Bump update version for OpenJDK: jdk-21.0.6 + - JDK-8339180: Enhanced Building of Processes: Follow-on Issue + - JDK-8339248: RISC-V: Remove li64 macro assembler routine and related code + - JDK-8339384: Unintentional IOException in jdk.jdi module when JDWP end of stream occurs + - JDK-8339386: Assertion on AIX - original PC must be in the main code section of the compiled method + - JDK-8339416: [s390x] Provide implementation for resolve_global_jobject + - JDK-8339487: ProcessHandleImpl os_getChildren sysctl call - retry in case of ENOMEM and enhance exception message + - JDK-8339548: GHA: RISC-V: Use Debian snapshot archive for bootstrap + - JDK-8339560: Unaddressed comments during code review of JDK-8337664 + - JDK-8339591: Mark jdk/jshell/ExceptionMessageTest.java intermittent + - JDK-8339637: (tz) Update Timezone Data to 2024b + - JDK-8339644: Improve parsing of Day/Month in tzdata rules + - JDK-8339648: ZGC: Division by zero in rule_major_allocation_rate + - JDK-8339725: Concurrent GC crashed due to GetMethodDeclaringClass + - JDK-8339731: java.desktop/share/classes/javax/swing/text/html/default.css typo in margin settings + - JDK-8339741: RISC-V: C ABI breakage for integer on stack + - JDK-8339787: Add some additional diagnostic output to java/net/ipv6tests/UdpTest.java + - JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files + - JDK-8339892: Several security shell tests don't set TESTJAVAOPTS + - JDK-8340007: Refactor KeyEvent/FunctionKeyTest.java + - JDK-8340008: KeyEvent/KeyTyped/Numpad1KeyTyped.java has 15 seconds timeout + - JDK-8340109: Ubsan: ciEnv.cpp:1660:65: runtime error: member call on null pointer of type 'struct CompileTask' + - JDK-8340210: Add positionTestUI() to PassFailJFrame.Builder + - JDK-8340214: C2 compilation asserts with "no node with a side effect" in PhaseIdealLoop::try_sink_out_of_loop + - JDK-8340230: Tests crash: assert(is_in_encoding_range || 
k->is_interface() || k->is_abstract()) failed: sanity
+ - JDK-8340306: Add border around instructions in PassFailJFrame
+ - JDK-8340308: PassFailJFrame: Make rows default to number of lines in instructions
+ - JDK-8340365: Position the first window of a window list
+ - JDK-8340383: VM issues warning failure to find kernel32.dll on Windows nanoserver
+ - JDK-8340387: Update OS detection code to recognize Windows Server 2025
+ - JDK-8340398: [JVMCI] Unintuitive behavior of UseJVMCICompiler option
+ - JDK-8340418: GHA: MacOS AArch64 bundles can be removed prematurely
+ - JDK-8340461: Amend description for logArea
+ - JDK-8340466: Add description for PassFailJFrame constructors
+ - JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
+ - JDK-8340590: RISC-V: C2: Small improvement to vector gather load and scatter store
+ - JDK-8340632: ProblemList java/nio/channels/DatagramChannel/ for Macos
+ - JDK-8340657: [PPC64] SA determines wrong unextendedSP
+ - JDK-8340684: Reading from an input stream backed by a closed ZipFile has no test coverage
+ - JDK-8340785: Update description of PassFailJFrame and samples
+ - JDK-8340799: Add border inside instruction frame in PassFailJFrame
+ - JDK-8340801: Disable ubsan checks in some awt/2d coding
+ - JDK-8340804: doc/building.md update Xcode instructions to note that full install is required
+ - JDK-8340812: LambdaForm customization via MethodHandle::updateForm is not thread safe
+ - JDK-8340815: Add SECURITY.md file
+ - JDK-8340899: Remove wildcard bound in PositionWindows.positionTestWindows
+ - JDK-8340923: The class LogSelection copies uninitialized memory
+ - JDK-8341024: [test] build/AbsPathsInImage.java fails with OOM when using ubsan-enabled binaries
+ - JDK-8341146: RISC-V: Unnecessary fences used for load-acquire in template interpreter
+ - JDK-8341235: Improve default instruction frame title in PassFailJFrame
+ - JDK-8341261: Tests assume UnlockExperimentalVMOptions is disabled by default
+ - JDK-8341562: 
RISC-V: Generate comments in -XX:+PrintInterpreter to link to source code
+ - JDK-8341688: Aarch64: Generate comments in -XX:+PrintInterpreter to link to source code
+ - JDK-8341722: Fix some warnings as errors when building on Linux with toolchain clang
+ - JDK-8341806: Gcc version detection failure on Alinux3
+ - JDK-8341927: Replace hardcoded security providers with new test.provider.name system property
+ - JDK-8341997: Tests create files in src tree instead of scratch dir
+ - JDK-8342014: RISC-V: ZStoreBarrierStubC2 clobbers rflags
+ - JDK-8342063: [21u][aix] Backport introduced redundant line in ProblemList
+ - JDK-8342181: Update tests to use stronger Key and Salt size
+ - JDK-8342183: Update tests to use stronger algorithms and keys
+ - JDK-8342188: Update tests to use stronger key parameters and certificates
+ - JDK-8342409: [s390x] C1 unwind_handler fails to unlock synchronized methods with LM_MONITOR
+ - JDK-8342496: C2/Shenandoah: SEGV in compiled code when running jcstress
+ - JDK-8342578: GHA: RISC-V: Bootstrap using Debian snapshot is still failing
+ - JDK-8342607: Enhance register printing on x86_64 platforms
+ - JDK-8342669: [21u] Fix TestArrayAllocatorMallocLimit after backport of JDK-8315097
+ - JDK-8342681: TestLoadBypassesNullCheck.java fails improperly specified VM option
+ - JDK-8342701: [PPC64] TestOSRLotsOfLocals.java crashes
+ - JDK-8342765: [21u] RTM tests assume UnlockExperimentalVMOptions is disabled by default
+ - JDK-8342823: Ubsan: ciEnv.cpp:1614:65: runtime error: member call on null pointer of type 'struct CompileTask'
+ - JDK-8342905: Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501 redux
+ - JDK-8342962: [s390x] TestOSRLotsOfLocals.java crashes
+ - JDK-8343285: java.lang.Process is unresponsive and CPU usage spikes to 100%
+ - JDK-8343474: [updates] Customize README.md to specifics of update project
+ - JDK-8343506: [s390x] multiple test failures with ubsan
+ - JDK-8343724: [PPC64] 
Disallow OptoScheduling
+ - JDK-8343848: Fix typo of property name in TestOAEPPadding after 8341927
+ - JDK-8343877: Test AsyncClose.java intermittent fails - Socket.getInputStream().read() wasn't preempted
+ - JDK-8343884: [s390x] Disallow OptoScheduling
+ - JDK-8343923: GHA: Switch to Xcode 15 on MacOS AArch64 runners
+ - JDK-8344164: [s390x] ProblemList hotspot/jtreg/runtime/NMT/VirtualAllocCommitMerge.java
+ - JDK-8344628: Test TestEnableJVMCIProduct.java run with virtual thread intermittent fails
+ - JDK-8344993: [21u] [REDO] Backport JDK-8327501 and JDK-8328366 to JDK 21
+ - JDK-8345055: [21u] ProblemList failing rtm tests on ppc platforms
+ - JDK-8347010: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.6
+
+Notes on individual issues:
+===========================
+
+core-libs/java.util.jar:
+
+JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
+===================================================================================================================
+In previous OpenJDK releases, when the jar tool extracted files from
+an archive, it would overwrite any existing files with the same name
+in the target directory. With this release, a new option ('-k' or
+'--keep-old-files') may be specified so that existing files are not
+overwritten.
+
+The option may be specified in short or long option form, as in the
+following examples:
+
+* jar xkf foo.jar
+* jar --extract --keep-old-files --file foo.jar
+
+By default, the old behaviour remains in place and files will be
+overwritten.
+
+core-libs/java.time:
+
+JDK-8339637: (tz) Update Timezone Data to 2024b
+===============================================
+This OpenJDK release upgrades the in-tree copy of the IANA timezone
+database to 2024b. This timezone update is primarily concerned with
+improving historical data for Mexico, Monogolia and Portugal. 
It also
+makes Asia/Choibalsan an alias for Asia/Ulaanbaatar and makes the MET
+timezone the same as CET.
+
+The 2024b update also makes a number of legacy timezone IDs equal to
+geographical names rather than fixed offsets, as follows:
+
+* EST => America/Panama instead of -5:00
+* MST => America/Phoenix instead of -7:00
+* HST => Pacific/Honolulu instead of -10:00
+
+For long term support releases of OpenJDK, this change is overridden
+locally to retain the existing fixed offset mapping.
+
+New in release OpenJDK 21.0.5 (2024-10-15):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk2105
+
+* CVEs
+ - CVE-2024-21208
+ - CVE-2024-21210
+ - CVE-2024-21217
+ - CVE-2024-21235
+* Security fixes
+ - JDK-8307383: Enhance DTLS connections
+ - JDK-8311208: Improve CDS Support
+ - JDK-8328286: Enhance HTTP client
+ - JDK-8328544: Improve handling of vectorization
+ - JDK-8328726: Better Kerberos support
+ - JDK-8331446: Improve deserialization support
+ - JDK-8332644: Improve graph optimizations
+ - JDK-8335713: Enhance vectorization analysis
+* Other changes
+ - JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG
+ - JDK-6967482: TAB-key does not work in JTables after selecting details-view in JFileChooser
+ - JDK-7022325: TEST_BUG: test/java/util/zip/ZipFile/ReadLongZipFileName.java leaks files if it fails
+ - JDK-8051959: Add thread and timestamp options to java.security.debug system property
+ - JDK-8073061: (fs) Files.copy(foo, bar, REPLACE_EXISTING) deletes bar even if foo is not readable
+ - JDK-8166352: FilePane.createDetailsView() removes JTable TAB, SHIFT-TAB functionality
+ - JDK-8170817: G1: Returning MinTLABSize from unsafe_max_tlab_alloc causes TLAB flapping
+ - JDK-8211847: [aix] java/lang/ProcessHandle/InfoTest.java fails: "reported cputime less than expected"
+ - JDK-8211854: [aix] java/net/ServerSocket/AcceptInheritHandle.java fails: read times out
+ - JDK-8222884: 
ConcurrentClassDescLookup.java times out intermittently
+ - JDK-8238169: BasicDirectoryModel getDirectories and DoChangeContents.run can deadlock
+ - JDK-8241550: [macOS] SSLSocketImpl/ReuseAddr.java failed due to "BindException: Address already in use"
+ - JDK-8242564: javadoc crashes:: class cast exception com.sun.tools.javac.code.Symtab$6
+ - JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed
+ - JDK-8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
+ - JDK-8269428: java/util/concurrent/ConcurrentHashMap/ToArray.java timed out
+ - JDK-8269657: Test java/nio/channels/DatagramChannel/Loopback.java failed: Unexpected message
+ - JDK-8280120: [IR Framework] Add attribute to @IR to enable/disable IR matching based on the architecture
+ - JDK-8280392: java/awt/Focus/NonFocusableWindowTest/NonfocusableOwnerTest.java failed with "RuntimeException: Test failed."
+ - JDK-8280988: [XWayland] Click on title to request focus test failures
+ - JDK-8280990: [XWayland] XTest emulated mouse click does not bring window to front
+ - JDK-8283223: gc/stringdedup/TestStringDeduplicationFullGC.java#Parallel failed with "RuntimeException: String verification failed"
+ - JDK-8287325: AArch64: fix virtual threads with -XX:UseBranchProtection=pac-ret
+ - JDK-8291809: Convert compiler/c2/cr7200264/TestSSE2IntVect.java to IR verification test
+ - JDK-8294148: Support JSplitPane for instructions and test UI
+ - JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl when connection is idle
+ - JDK-8299487: Test java/net/httpclient/whitebox/SSLTubeTestDriver.java timed out
+ - JDK-8299790: os::print_hex_dump is racy
+ - JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java fails with jtreg test timeout due to lost datagram
+ - JDK-8301686: TLS 1.3 handshake fails if server_name doesn't match resuming session
+ - JDK-8303920: Avoid calling out to python in DataDescriptorSignatureMissing 
test
+ - JDK-8305072: Win32ShellFolder2.compareTo is inconsistent
+ - JDK-8305825: getBounds API returns wrong value resulting in multiple Regression Test Failures on Ubuntu 23.04
+ - JDK-8307193: Several Swing jtreg tests use class.forName on L&F classes
+ - JDK-8307352: AARCH64: Improve itable_stub
+ - JDK-8307778: com/sun/jdi/cds tests fail with jtreg's Virtual test thread factory
+ - JDK-8307788: vmTestbase/gc/gctests/LargeObjects/large003/TestDescription.java timed out
+ - JDK-8308286: Fix clang warnings in linux code
+ - JDK-8308660: C2 compilation hits 'node must be dead' assert
+ - JDK-8309067: gtest/AsyncLogGtest.java fails again in stderrOutput_vm
+ - JDK-8309621: [XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1
+ - JDK-8309685: Fix -Wconversion warnings in assembler and register code
+ - JDK-8309894: compiler/vectorapi/VectorLogicalOpIdentityTest.java fails on SVE system with UseSVE=0
+ - JDK-8310072: JComboBox/DisabledComboBoxFontTestAuto: Enabled and disabled ComboBox does not match in these LAFs: GTK+
+ - JDK-8310108: Skip ReplaceCriticalClassesForSubgraphs when EnableJVMCI is specified
+ - JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option
+ - JDK-8310334: [XWayland][Screencast] screen capture error message in debug
+ - JDK-8310628: GcInfoBuilder.c missing JNI Exception checks
+ - JDK-8310683: Refactor StandardCharset/standard.java to use JUnit
+ - JDK-8310906: Fix -Wconversion warnings in runtime, oops and some code header files. 
+ - JDK-8311306: Test com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java failed: out of expected range
+ - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
+ - JDK-8311989: Test java/lang/Thread/virtual/Reflection.java timed out
+ - JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved
+ - JDK-8312111: open/test/jdk/java/awt/Robot/ModifierRobotKey/ModifierRobotKeyTest.java fails on ubuntu 23.04
+ - JDK-8312140: jdk/jshell tests failed with JDI socket timeouts
+ - JDK-8312200: Fix Parse::catch_call_exceptions memory leak
+ - JDK-8312229: Crash involving yield, switch and anonymous classes
+ - JDK-8313674: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java should test for more block devices
+ - JDK-8313697: [XWayland][Screencast] consequent getPixelColor calls are slow
+ - JDK-8313983: jmod create --target-platform should replace existing ModuleTarget attribute
+ - JDK-8314163: os::print_hex_dump prints incorrectly for big endian platforms and unit sizes larger than 1
+ - JDK-8314225: SIGSEGV in JavaThread::is_lock_owned
+ - JDK-8314515: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=false i=8 j=0"
+ - JDK-8314614: jdk/jshell/ImportTest.java failed with "InternalError: Failed remote listen"
+ - JDK-8315024: Vector API FP reduction tests should not test for exact equality
+ - JDK-8315031: YoungPLABSize and OldPLABSize not aligned by ObjectAlignmentInBytes
+ - JDK-8315422: getSoTimeout() would be in try block in SSLSocketImpl
+ - JDK-8315505: CompileTask timestamp printed can overflow
+ - JDK-8315576: compiler/codecache/CodeCacheFullCountTest.java fails after JDK-8314837
+ - JDK-8315804: Open source several Swing JTabbedPane JTextArea JTextField tests
+ - JDK-8315923: pretouch_memory by atomic-add-0 fragments huge pages unexpectedly
+ - JDK-8315965: Open source various AWT applet tests
+ - JDK-8315969: compiler/rangechecks/TestRangeCheckHoistingScaledIV.java: make flagless
+ - JDK-8316104: Open source several 
Swing SplitPane and RadioButton related tests
+ - JDK-8316131: runtime/cds/appcds/TestParallelGCWithCDS.java fails with JNI error
+ - JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak
+ - JDK-8316211: Open source several manual applet tests
+ - JDK-8316240: Open source several add/remove MenuBar manual tests
+ - JDK-8316285: Opensource JButton manual tests
+ - JDK-8316306: Open source and convert manual Swing test
+ - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
+ - JDK-8316361: C2: assert(!failure) failed: Missed optimization opportunity in PhaseIterGVN with -XX:VerifyIterativeGVN=10
+ - JDK-8316389: Open source few AWT applet tests
+ - JDK-8316756: C2 EA fails with "missing memory path" when encountering unsafe_arraycopy stub call
+ - JDK-8317112: Add screenshot for Frame/DefaultSizeTest.java
+ - JDK-8317128: java/nio/file/Files/CopyAndMove.java failed with AccessDeniedException
+ - JDK-8317240: Promptly free OopMapEntry after fail to insert the entry to OopMapCache
+ - JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java: Press on the outside area didn't cause ungrab
+ - JDK-8317299: safepoint scalarization doesn't keep track of the depth of the JVM state
+ - JDK-8317360: Missing null checks in JfrCheckpointManager and JfrStringPool initialization routines
+ - JDK-8317372: Refactor some NumberFormat tests to use JUnit
+ - JDK-8317446: ProblemList gc/arguments/TestNewSizeFlags.java on macosx-aarch64 in Xcomp
+ - JDK-8317449: ProblemList serviceability/jvmti/stress/StackTrace/NotSuspended/GetStackTraceNotSuspendedStressTest.java on several platforms
+ - JDK-8317635: Improve GetClassFields test to verify correctness of field order
+ - JDK-8317696: Fix compilation with clang-16
+ - JDK-8317738: CodeCacheFullCountTest failed with "VirtualMachineError: Out of space in CodeCache for method handle intrinsic"
+ - JDK-8317831: compiler/codecache/CheckLargePages.java 
fails on OL 8.8 with unexpected memory string
+ - JDK-8318071: IgnoreUnrecognizedVMOptions flag still causes failure in ArchiveHeapTestClass
+ - JDK-8318479: [jmh] the test security.CacheBench failed for multiple threads run
+ - JDK-8318605: Enable parallelism in vmTestbase/nsk/stress/stack tests
+ - JDK-8319197: Exclude hb-subset and hb-style from compilation
+ - JDK-8319406: x86: Shorter movptr(reg, imm) for 32-bit immediates
+ - JDK-8319773: Avoid inflating monitors when installing hash codes for LM_LIGHTWEIGHT
+ - JDK-8319793: C2 compilation fails with "Bad graph detected in build_loop_late" after JDK-8279888
+ - JDK-8319817: Charset constructor should make defensive copy of aliases
+ - JDK-8319818: Address GCC 13.2.0 warnings (stringop-overflow and dangling-pointer)
+ - JDK-8320079: The ArabicBox.java test has no control buttons
+ - JDK-8320212: Disable GCC stringop-overflow warning for affected files
+ - JDK-8320379: C2: Sort spilling/unspilling sequence for better ld/st merging into ldp/stp on AArch64
+ - JDK-8320602: Lock contention in SchemaDVFactory.getInstance()
+ - JDK-8320608: Many jtreg printing tests are missing the @printer keyword
+ - JDK-8320655: awt screencast robot spin and sync issues with native libpipewire api
+ - JDK-8320675: PrinterJob/SecurityDialogTest.java hangs
+ - JDK-8320945: problemlist tests failing on latest Windows 11 update
+ - JDK-8321025: Enable Neoverse N1 optimizations for Neoverse V2
+ - JDK-8321176: [Screencast] make a second attempt on screencast failure
+ - JDK-8321206: Make Locale related system properties `StaticProperty`
+ - JDK-8321220: JFR: RecordedClass reports incorrect modifiers
+ - JDK-8321278: C2: Partial peeling fails with assert "last_peel <- first_not_peeled"
+ - JDK-8321509: False positive in get_trampoline fast path causes crash
+ - JDK-8321933: TestCDSVMCrash.java spawns two processes
+ - JDK-8322008: Exclude some CDS tests from running with -Xshare:off
+ - JDK-8322062: com/sun/jdi/JdwpAllowTest.java does 
not performs negative testing with prefix length
+ - JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC and ZGC
+ - JDK-8322726: C2: Unloaded signature class kills argument value
+ - JDK-8322743: C2: prevent lock region elimination in OSR compilation
+ - JDK-8322766: Micro bench SSLHandshake should use default algorithms
+ - JDK-8322881: java/nio/file/Files/CopyMoveVariations.java fails with AccessDeniedException due to permissions of files in /tmp
+ - JDK-8322971: KEM.getInstance() should check if a 3rd-party security provider is signed
+ - JDK-8322996: BoxLockNode creation fails with assert(reg < CHUNK_SIZE) failed: sanity
+ - JDK-8323122: AArch64: Increase itable stub size estimate
+ - JDK-8323196: jdk/jfr/api/consumer/filestream/TestOrdered.java failed with "Events are not ordered! Reuse = false"
+ - JDK-8323274: C2: array load may float above range check
+ - JDK-8323552: AbstractMemorySegmentImpl#mismatch returns -1 when comparing distinct areas of the same instance of MemorySegment
+ - JDK-8323577: C2 SuperWord: remove AlignVector restrictions on IR tests added in JDK-8305055
+ - JDK-8323584: AArch64: Unnecessary ResourceMark in NativeCall::set_destination_mt_safe
+ - JDK-8323670: A few client tests intermittently throw ConcurrentModificationException
+ - JDK-8323682: C2: guard check is not generated in Arrays.copyOfRange intrinsic when allocation is eliminated by EA
+ - JDK-8323782: Race: Thread::interrupt vs. 
AbstractInterruptibleChannel.begin
+ - JDK-8323801: tag doesn't strikethrough the text
+ - JDK-8323972: C2 compilation fails with assert(!x->as_Loop()->is_loop_nest_inner_loop()) failed: loop was transformed
+ - JDK-8324174: assert(m->is_entered(current)) failed: invariant
+ - JDK-8324577: [REDO] - [IMPROVE] OPEN_MAX is no longer the max limit on macOS >= 10.6 for RLIMIT_NOFILE
+ - JDK-8324580: SIGFPE on THP initialization on kernels < 4.10
+ - JDK-8324641: [IR Framework] Add Setup method to provide custom arguments and set fields
+ - JDK-8324668: JDWP process management needs more efficient file descriptor handling
+ - JDK-8324755: Enable parallelism in vmTestbase/gc/gctests/LargeObjects tests
+ - JDK-8324781: runtime/Thread/TestAlwaysPreTouchStacks.java failed with Expected a higher ratio between stack committed and reserved
+ - JDK-8324808: Manual printer tests have no Pass/Fail buttons, instructions close set 3
+ - JDK-8324969: C2: prevent elimination of unbalanced coarsened locking regions
+ - JDK-8324983: Race in CompileBroker::possibly_add_compiler_threads
+ - JDK-8325022: Incorrect error message on client authentication
+ - JDK-8325037: x86: enable and fix hotspot/jtreg/compiler/vectorization/TestRoundVectFloat.java
+ - JDK-8325083: jdk/incubator/vector/Double512VectorTests.java crashes in Assembler::vex_prefix_and_encode
+ - JDK-8325179: Race in BasicDirectoryModel.validateFileCache
+ - JDK-8325218: gc/parallel/TestAlwaysPreTouchBehavior.java fails
+ - JDK-8325382: (fc) FileChannel.transferTo throws IOException when position equals size
+ - JDK-8325384: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java failing intermittently when main thread is a virtual thread
+ - JDK-8325469: Freeze/Thaw code can crash in the presence of OSR frames
+ - JDK-8325494: C2: Broken graph after not skipping CastII node anymore for Assertion Predicates after JDK-8309902
+ - JDK-8325520: Vector loads and stores with indices and masks incorrectly compiled
+ - 
JDK-8325542: CTW: Runner can produce negative StressSeed
+ - JDK-8325587: Shenandoah: ShenandoahLock should allow blocking in VM
+ - JDK-8325616: JFR ZGC Allocation Stall events should record stack traces
+ - JDK-8325620: HTMLReader uses ConvertAction instead of specified CharacterAction for , ,
+ - JDK-8325754: Dead AbstractQueuedSynchronizer$ConditionNodes survive minor garbage collections
+ - JDK-8325763: Revert properties: vm.opt.x.*
+ - JDK-8326106: Write and clear stack trace table outside of safepoint
+ - JDK-8326129: Java Record Pattern Match leads to infinite loop
+ - JDK-8326332: Unclosed inline tags cause misalignment in summary tables
+ - JDK-8326717: Disable stringop-overflow in shenandoahLock.cpp
+ - JDK-8326734: text-decoration applied to lost when mixed with or
+ - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
+ - JDK-8327040: Problemlist ActionListenerCalledTwiceTest.java test failing in macos14
+ - JDK-8327137: Add test for ConcurrentModificationException in BasicDirectoryModel
+ - JDK-8327401: Some jtreg tests fail on Wayland without any tracking bug
+ - JDK-8327423: C2 remove_main_post_loops: check if main-loop belongs to pre-loop, not just assert
+ - JDK-8327424: ProblemList serviceability/sa/TestJmapCore.java on all platforms with ZGC
+ - JDK-8327501: Common ForkJoinPool prevents class unloading in some cases
+ - JDK-8327650: Test java/nio/channels/DatagramChannel/StressNativeSignal.java timed out
+ - JDK-8327787: Convert javax/swing/border/Test4129681.java applet test to main
+ - JDK-8327840: Automate javax/swing/border/Test4129681.java
+ - JDK-8327990: [macosx-aarch64] Various tests fail with -XX:+AssertWXAtThreadSync
+ - JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/GetBoundsResizeTest.java applet test to main
+ - JDK-8328075: Shenandoah: Avoid forwarding when objects don't move in full-GC
+ - JDK-8328110: Allow simultaneous use of PassFailJFrame with split UI and additional windows
+ - JDK-8328115: Convert 
java/awt/font/TextLayout/TestJustification.html applet test to main
+ - JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest to automatic main test
+ - JDK-8328218: Delete test java/awt/Window/FindOwner/FindOwner.html
+ - JDK-8328234: Remove unused nativeUtils files
+ - JDK-8328238: Convert few closed manual applet tests to main
+ - JDK-8328269: NonFocusablePopupMenuTest.java should be marked as headful
+ - JDK-8328273: sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java failed with java.rmi.server.ExportException: Port already in use
+ - JDK-8328366: Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501
+ - JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/ClickDuringKeypress.java imports Applet
+ - JDK-8328561: test java/awt/Robot/ManualInstructions/ManualInstructions.java isn't used
+ - JDK-8328642: Convert applet test MouseDraggedOutCauseScrollingTest.html to main
+ - JDK-8328647: TestGarbageCollectorMXBean.java fails with C1-only and -Xcomp
+ - JDK-8328697: SubMenuShowTest and SwallowKeyEvents tests stabilization
+ - JDK-8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0
+ - JDK-8328896: Fontmetrics for large Fonts has zero width
+ - JDK-8328953: JEditorPane.read throws ChangedCharSetException
+ - JDK-8328999: Update GIFlib to 5.2.2
+ - JDK-8329004: Update Libpng to 1.6.43
+ - JDK-8329088: Stack chunk thawing races with concurrent GC stack iteration
+ - JDK-8329103: assert(!thread->in_asgct()) failed during multi-mode profiling
+ - JDK-8329126: No native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462
+ - JDK-8329134: Reconsider TLAB zapping
+ - JDK-8329258: TailCall should not use frame pointer register for jump target
+ - JDK-8329510: Update ProblemList for JFileChooser/8194044/FileSystemRootTest.java
+ - JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed because The End and Start buttons are not placed correctly and 
Tab focus does not move as expected
+ - JDK-8329665: fatal error: memory leak: allocating without ResourceMark
+ - JDK-8329667: [macos] Issue with JTree related fix for JDK-8317771
+ - JDK-8329995: Restricted access to `/proc` can cause JFR initialization to crash
+ - JDK-8330027: Identity hashes of archived objects must be based on a reproducible random seed
+ - JDK-8330063: Upgrade jQuery to 3.7.1
+ - JDK-8330133: libj2pkcs11.so crashes on some pkcs#11 v3.0 libraries
+ - JDK-8330146: assert(!_thread->is_in_any_VTMS_transition()) failed
+ - JDK-8330520: linux clang build fails in os_linux.cpp with static_assert with no message is a C++17 extension
+ - JDK-8330576: ZYoungCompactionLimit should have range check
+ - JDK-8330611: AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512)
+ - JDK-8330748: ByteArrayOutputStream.writeTo(OutputStream) pins carrier
+ - JDK-8330814: Cleanups for KeepAliveCache tests
+ - JDK-8330819: C2 SuperWord: bad dominance after pre-loop limit adjustment with base that has CastLL after pre-loop
+ - JDK-8330849: Add test to verify memory usage with recursive locking
+ - JDK-8330981: ZGC: Should not dedup strings in the finalizer graph
+ - JDK-8331011: [XWayland] TokenStorage fails under Security Manager
+ - JDK-8331063: Some HttpClient tests don't report leaks
+ - JDK-8331077: nroff man page update for jar tool
+ - JDK-8331142: Add test for number of loader threads in BasicDirectoryModel
+ - JDK-8331153: JFR: Improve logging of jdk/jfr/api/consumer/filestream/TestOrdered.java
+ - JDK-8331164: createJMHBundle.sh download jars fail when url needed to be redirected
+ - JDK-8331266: Bump update version for OpenJDK: jdk-21.0.5
+ - JDK-8331405: Shenandoah: Optimize ShenandoahLock with TTAS
+ - JDK-8331411: Shenandoah: Reconsider spinning duration in ShenandoahLock
+ - JDK-8331421: ubsan: vmreg.cpp checking error member call on misaligned address
+ - JDK-8331495: Limit BasicDirectoryModel/LoaderThreadCount.java to Windows only
+ - 
JDK-8331518: Tests should not use the "Classpath" exception form of the legal header
+ - JDK-8331572: Allow using OopMapCache outside of STW GC phases
+ - JDK-8331573: Rename CollectedHeap::is_gc_active to be explicitly about STW GCs
+ - JDK-8331575: C2: crash when ConvL2I is split thru phi at LongCountedLoop
+ - JDK-8331605: jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java test failure
+ - JDK-8331626: unsafe.cpp:162:38: runtime error in index_oop_from_field_offset_long - applying non-zero offset 4563897424 to null pointer
+ - JDK-8331714: Make OopMapCache installation lock-free
+ - JDK-8331731: ubsan: relocInfo.cpp:155:30: runtime error: applying non-zero offset to null pointer
+ - JDK-8331746: Create a test to verify that the cmm id is not ignored
+ - JDK-8331771: ZGC: Remove OopMapCacheAlloc_lock ordering workaround
+ - JDK-8331789: ubsan: deoptimization.cpp:403:29: runtime error: load of value 208, which is not a valid value for type 'bool'
+ - JDK-8331798: Remove unused arg of checkErgonomics() in TestMaxHeapSizeTools.java
+ - JDK-8331854: ubsan: copy.hpp:218:10: runtime error: addition of unsigned offset to 0x7fc2b4024518 overflowed to 0x7fc2b4024510
+ - JDK-8331863: DUIterator_Fast used before it is constructed
+ - JDK-8331885: C2: meet between unloaded and speculative types is not symmetric
+ - JDK-8331931: JFR: Avoid loading regex classes during startup
+ - JDK-8331999: BasicDirectoryModel/LoaderThreadCount.java frequently fails on Windows in CI
+ - JDK-8332008: Enable issuestitle check
+ - JDK-8332113: Update nsk.share.Log to be always verbose
+ - JDK-8332154: Memory leak in SynchronousQueue
+ - JDK-8332174: Remove 2 (unpaired) RLO Unicode characters in ff_Adlm.xml
+ - JDK-8332248: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java failed with RuntimeException
+ - JDK-8332424: Update IANA Language Subtag Registry to Version 2024-05-16
+ - JDK-8332431: NullPointerException in JTable of SwingSet2
+ - JDK-8332473: ubsan: 
growableArray.hpp:290:10: runtime error: null pointer passed as argument 1, which is declared to never be null
+ - JDK-8332490: JMH org.openjdk.bench.java.util.zip.InflaterInputStreams.inflaterInputStreamRead OOM
+ - JDK-8332499: Gtest codestrings.validate_vm fail on linux x64 when hsdis is present
+ - JDK-8332524: Instead of printing "TLSv1.3," it is showing "TLS13"
+ - JDK-8332589: ubsan: unix/native/libjava/ProcessImpl_md.c:562:5: runtime error: null pointer passed as argument 2, which is declared to never be null
+ - JDK-8332675: test/hotspot/jtreg/gc/testlibrary/Helpers.java compileClass javadoc does not match after 8321812
+ - JDK-8332699: ubsan: jfrEventSetting.inline.hpp:31:43: runtime error: index 163 out of bounds for type 'jfrNativeEventSetting [162]'
+ - JDK-8332717: ZGC: Division by zero in heuristics
+ - JDK-8332720: ubsan: instanceKlass.cpp:3550:76: runtime error: member call on null pointer of type 'struct Array'
+ - JDK-8332818: ubsan: archiveHeapLoader.cpp:70:27: runtime error: applying non-zero offset 18446744073707454464 to null pointer
+ - JDK-8332825: ubsan: guardedMemory.cpp:35:11: runtime error: null pointer passed as argument 2, which is declared to never be null
+ - JDK-8332885: Clarify failure_handler self-tests
+ - JDK-8332894: ubsan: vmError.cpp:2090:26: runtime error: division by zero
+ - JDK-8332898: failure_handler: log directory of commands
+ - JDK-8332903: ubsan: opto/output.cpp:1002:18: runtime error: load of value 171, which is not a valid value for type 'bool'
+ - JDK-8332904: ubsan ppc64le: c1_LIRGenerator_ppc.cpp:581:21: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'
+ - JDK-8332905: C2 SuperWord: bad AD file, with RotateRightV and first operand not a pack
+ - JDK-8332920: C2: Partial Peeling is wrongly applied for CmpU with negative limit
+ - JDK-8332935: Crash: assert(*lastPtr != 0) failed: Mismatched JNINativeInterface tables, check for new entries
+ - JDK-8332936: 
Test vmTestbase/metaspace/gc/watermark_70_80/TestDescription.java fails with no GC's recorded
+ - JDK-8332959: C2: ZGC fails with 'Incorrect load shift' when invoking Object.clone() reflectively on an array
+ - JDK-8333088: ubsan: shenandoahAdaptiveHeuristics.cpp:245:44: runtime error: division by zero
+ - JDK-8333093: Incorrect comment in zAddress_aarch64.cpp
+ - JDK-8333099: Missing check for is_LoadVector in StoreNode::Identity
+ - JDK-8333149: ubsan : memset on nullptr target detected in jvmtiEnvBase.cpp get_object_monitor_usage
+ - JDK-8333178: ubsan: jvmti_tools.cpp:149:16: runtime error: null pointer passed as argument 2, which is declared to never be null
+ - JDK-8333270: HandlersOnComplexResetUpdate and HandlersOnComplexUpdate tests fail with "Unexpected reference" if timeoutFactor is less than 1/3
+ - JDK-8333277: ubsan: mlib_ImageScanPoly.c:292:43: runtime error: division by zero
+ - JDK-8333353: Delete extra empty line in CodeBlob.java
+ - JDK-8333354: ubsan: frame.inline.hpp:91:25: and src/hotspot/share/runtime/frame.inline.hpp:88:29: runtime error: member call on null pointer of type 'const struct SmallRegisterMap'
+ - JDK-8333361: ubsan,test : libHeapMonitorTest.cpp:518:9: runtime error: null pointer passed as argument 2, which is declared to never be null
+ - JDK-8333363: ubsan: instanceKlass.cpp: runtime error: member call on null pointer of type 'struct AnnotationArray'
+ - JDK-8333366: C2: CmpU3Nodes are not pushed back to worklist in PhaseCCP leading to non-fixpoint assertion failure
+ - JDK-8333398: Uncomment the commented test in test/jdk/java/util/jar/JarFile/mrjar/MultiReleaseJarAPI.java
+ - JDK-8333462: Performance regression of new DecimalFormat() when compare to jdk11
+ - JDK-8333477: Delete extra empty spaces in Makefiles
+ - JDK-8333542: Breakpoint in parallel code does not work
+ - JDK-8333622: ubsan: relocInfo_x86.cpp:101:56: runtime error: pointer index expression with base (-1) overflowed
+ - JDK-8333639: ubsan: 
cppVtables.cpp:81:55: runtime error: index 14 out of bounds for type 'long int [1]'
+ - JDK-8333652: RISC-V: compiler/vectorapi/VectorGatherMaskFoldingTest.java fails when using RVV
+ - JDK-8333716: Shenandoah: Check for disarmed method before taking the nmethod lock
+ - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
+ - JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw an exception with 0 failures
+ - JDK-8333887: ubsan: unsafe.cpp:247:13: runtime error: store to null pointer of type 'volatile int'
+ - JDK-8334078: RISC-V: TestIntVect.java fails after JDK-8332153 when running without RVV
+ - JDK-8334123: log the opening of Type 1 fonts
+ - JDK-8334166: Enable binary check
+ - JDK-8334239: Introduce macro for ubsan method/function exclusions
+ - JDK-8334297: (so) java/nio/channels/SocketChannel/OpenLeak.java should not depend on SecurityManager
+ - JDK-8334332: TestIOException.java fails if run by root
+ - JDK-8334333: MissingResourceCauseTestRun.java fails if run by root
+ - JDK-8334339: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java fails on alinux3
+ - JDK-8334418: Update IANA Language Subtag Registry to Version 2024-06-14
+ - JDK-8334421: assert(!oldbox->is_unbalanced()) failed: this should not be called for unbalanced region
+ - JDK-8334482: Shenandoah: Deadlock when safepoint is pending during nmethods iteration
+ - JDK-8334592: ProblemList serviceability/jvmti/stress/StackTrace/NotSuspended/GetStackTraceNotSuspendedStressTest.java in jdk21 on all platforms
+ - JDK-8334594: Generational ZGC: Deadlock after OopMap rewrites in 8331572
+ - JDK-8334600: TEST java/net/MulticastSocket/IPMulticastIF.java fails on linux-aarch64
+ - JDK-8334618: ubsan: support setting additional ubsan check options
+ - JDK-8334653: ISO 4217 Amendment 177 Update
+ - JDK-8334769: Shenandoah: Move CodeCache_lock close to its use in ShenandoahConcurrentNMethodIterator
+ - 
JDK-8334867: Add back assertion from JDK-8325494
+ - JDK-8335007: Inline OopMapCache table
+ - JDK-8335134: Test com/sun/jdi/BreakpointOnClassPrepare.java timeout
+ - JDK-8335150: Test LogGeneratedClassesTest.java fails on rpmbuild mock enviroment
+ - JDK-8335237: ubsan: vtableStubs.hpp is_vtable_stub exclude from ubsan checks
+ - JDK-8335283: Build failure due to 'no_sanitize' attribute directive ignored
+ - JDK-8335409: Can't allocate and retain memory from resource area in frame::oops_interpreted_do oop closure after 8329665
+ - JDK-8335493: check_gc_overhead_limit should reset SoftRefPolicy::_should_clear_all_soft_refs
+ - JDK-8335536: Fix assertion failure in IdealGraphPrinter when append is true
+ - JDK-8335743: jhsdb jstack cannot print some information on the waiting thread
+ - JDK-8335775: Remove extraneous 's' in comment of rawmonitor.cpp test file
+ - JDK-8335904: Fix invalid comment in ShenandoahLock
+ - JDK-8335967: "text-decoration: none" does not work with "A" HTML tags
+ - JDK-8336284: Test TestClhsdbJstackLock.java/TestJhsdbJstackLock.java fails with -Xcomp after JDK-8335743
+ - JDK-8336301: test/jdk/java/nio/channels/AsyncCloseAndInterrupt.java leaves around a FIFO file upon test completion
+ - JDK-8336342: Fix known X11 library locations in sysroot
+ - JDK-8336343: Add more known sysroot library locations for ALSA
+ - JDK-8336926: jdk/internal/util/ReferencedKeyTest.java can fail with ConcurrentModificationException
+ - JDK-8336928: GHA: Bundle artifacts removal broken
+ - JDK-8337038: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java shoud set as /native
+ - JDK-8337283: configure.log is truncated when build dir is on different filesystem
+ - JDK-8337622: IllegalArgumentException in java.lang.reflect.Field.get
+ - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
+ - JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods
+ - 
JDK-8338286: GHA: Demote x86_32 to hotspot build only
+ - JDK-8338696: (fs) BasicFileAttributes.creationTime() falls back to epoch if birth time is unavailable (Linux)
+ - JDK-8339869: [21u] Test CreationTime.java fails with UnsatisfiedLinkError after 8334339
+ - JDK-8341057: Add 2 SSL.com TLS roots
+ - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
+ - JDK-8341674: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.5
+ - JDK-8341989: [21u] Back out JDK-8327501 and JDK-8328366
+
+Notes on individual issues:
+===========================
+
+security-libs/javax.net.ssl:
+
+JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
+JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
+====================================================================================================
+In accordance with similar plans recently announced by Google and
+Mozilla, the JDK will not trust Transport Layer Security (TLS)
+certificates issued after the 11th of November 2024 which are anchored
+by Entrust root certificates. This includes certificates branded as
+AffirmTrust, which are managed by Entrust.
+
+Certificates issued on or before November 11th, 2024 will continue to
+be trusted until they expire.
+
+If a server's certificate chain is anchored by an affected
+certificate, attempts to negotiate a TLS session will fail with an
+Exception that indicates the trust anchor is not trusted. For example,
+
+"TLS server certificate issued after 2024-11-11 and anchored by a
+distrusted legacy Entrust root CA: CN=Entrust.net Certification
+Authority (2048), OU=(c) 1999 Entrust.net Limited,
+OU=www.entrust.net/CPS_2048 incorp. by ref. 
(limits liab.),
+O=Entrust.net"
+
+To check whether a certificate in a JDK keystore is affected by this
+change, you can the `keytool` utility:
+
+keytool -v -list -alias -keystore
+
+If any of the certificates in the chain are affected by this change,
+then you will need to update the certificate or contact the
+organisation responsible for managing the certificate.
+
+These restrictions apply to the following Entrust root certificates
+included in the JDK:
+
+Alias name: entrustevca [jdk]
+CN=Entrust Root Certification Authority
+OU=(c) 2006 Entrust, Inc.
+OU=www.entrust.net/CPS is incorporated by reference
+O=Entrust, Inc.
+C=US
+SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
+
+Alias name: entrustrootcaec1 [jdk]
+CN=Entrust Root Certification Authority - EC1
+OU=(c) 2012 Entrust, Inc. - for authorized use only
+OU=See www.entrust.net/legal-terms
+O=Entrust, Inc.
+C=US
+SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
+
+Alias name: entrustrootcag2 [jdk]
+CN=Entrust Root Certification Authority - G2
+OU=(c) 2009 Entrust, Inc. - for authorized use only
+OU=See www.entrust.net/legal-terms
+O=Entrust, Inc.
+C=US
+SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
+
+Alias name: entrustrootcag4 [jdk]
+CN=Entrust Root Certification Authority - G4
+OU=(c) 2015 Entrust, Inc. - for authorized use only
+OU=See www.entrust.net/legal-terms
+O=Entrust, Inc.
+C=US
+SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
+
+Alias name: entrust2048ca [jdk]
+CN=Entrust.net Certification Authority (2048)
+OU=(c) 1999 Entrust.net Limited
+OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) 
+O=Entrust.net
+SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
+
+Alias name: affirmtrustcommercialca [jdk]
+CN=AffirmTrust Commercial
+O=AffirmTrust
+C=US
+SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
+
+Alias name: affirmtrustnetworkingca [jdk]
+CN=AffirmTrust Networking
+O=AffirmTrust
+C=US
+SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
+
+Alias name: affirmtrustpremiumca [jdk]
+CN=AffirmTrust Premium
+O=AffirmTrust
+C=US
+SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
+
+Alias name: affirmtrustpremiumeccca [jdk]
+CN=AffirmTrust Premium ECC
+O=AffirmTrust
+C=US
+SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
+
+Users can, *at their own risk*, remove this restriction by modifying
+the `java.security` configuration file (or override it by using the
+`java.security.properties` system property) so "ENTRUST_TLS" is no
+longer listed in the `jdk.security.caDistrustPolicies` security
+property.
+
+security-libs/javax.crypto:
+
+JDK-8322971: `KEM.getInstance()` Should Check If a Third-Party Security Provider Is Signed
+==========================================================================================
+The JDK's cryptographic framework authenticates third party security
+provider implementations by determining the provider's codebase and
+verifying its signature. In previous OpenJDK releases, this
+authentication did not take place for Key Encapsulation Mechanism
+(KEM) implementations. With this release, KEM implementations are
+authenticated in a manner consistent with other JDK service types,
+such as Cipher and Mac providers. 
+
+tools/launcher:
+
+JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option
+===========================================================================
+
+In previous releases of OpenJDK, the `-XshowSettings` launcher option printed a
+long list of available locales which obscured other settings. In this release,
+the `-XshowSettings` launcher option no longer prints the list of available
+locales by default. To view all settings related to available locales, users
+can now use the -XshowSettings:locale option.
+
+security-libs/java.security:
+
+JDK-8051959: Add thread and timestamp options to java.security.debug system property
+====================================================================================
+This release adds the following additional options to the
+`java.security.debug` property which can be applied to any specified
+component:
+
+* `+timestamp`: Print a timestamp with each debug statement.
+* `+thread`: Print thread and caller information for each debug statement.
+
+For example, `-Djava.security.debug=all+timestamp+thread` turns on
+debug information for all components with both timestamps and thread
+information.
+
+In contrast, `-Djava.security.debug=properties+timestamp` turns on
+debug information only for security properties and includes a
+timestamp.
+
+You can use `-Djava.security.debug=help` to display a complete list of
+supported components and options. 
+
+JDK-8341057: Add 2 SSL.com TLS roots
+====================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: SSL.com
+Alias Name: ssltlsrootecc2022
+Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+
+Name: SSL.com
+Alias Name: ssltlsrootrsa2022
+Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
+
+core-libs/java.net:
+
+JDK-8328286: Enhance HTTP client
+================================
+This OpenJDK release limits the maximum header field size accepted by
+the HTTP client within the JDK for all supported versions of the HTTP
+protocol. The header field size is computed as the sum of the size of
+the uncompressed header name, the size of the uncompressed header
+value and a overhead of 32 bytes for each field section line. If a
+peer sends a field section that exceeds this limit, a
+`java.net.ProtocolException` will be raised.
+
+This release also introduces a new system property,
+`jdk.http.maxHeaderSize`. This property can be used to alter the
+maximum header field size (in bytes) or disable it by setting the
+value to zero or a negative value. The default value is 393,216 bytes
+or 384kB.
+
+core-svc/java.lang.management:
+
+JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods
+==========================================================================================================
+In previous OpenJDK releases, the behaviour of the `isVerbose` and
+`setVerbose` methods in `ClassLoadingMXBean` and `MemoryMXBean` was
+inconsistent. The `setVerbose` method would only alter the level of
+logging to `stdout`, setting it to `info` when passed the argument
+`true`, and `off` when passed `false`. 
However, the `isVerbose` method
+would check if logging was enabled on any output, causing it to return
+`true` due to the presence of file logging, even when
+`setVerbose(false)` had been called to turn off `stdout` logging.
+With this release, the `isVerbose` methods only return `true` if
+`stdout` logging is enabled.
+
+New in release OpenJDK 21.0.4 (2024-07-16):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk2104
+
+* CVEs
+ - CVE-2024-21131
+ - CVE-2024-21138
+ - CVE-2024-21140
+ - CVE-2024-21145
+ - CVE-2024-21147
+* Security fixes
+ - JDK-8314794: Improve UTF8 String supports
+ - JDK-8319859: Better symbol storage
+ - JDK-8320097: Improve Image transformations
+ - JDK-8320548: Improved loop handling
+ - JDK-8323231: Improve array management
+ - JDK-8323390: Enhance mask blit functionality
+ - JDK-8324559: Improve 2D image handling
+ - JDK-8325600: Better symbol storage
+ - JDK-8327413: Enhance compilation efficiency
+* Other changes
+ - JDK-7001133: OutOfMemoryError by CustomMediaSizeName implementation
+ - JDK-8159927: Add a test to verify JMOD files created in the images do not have debug symbols
+ - JDK-8185862: AWT Assertion Failure in ::GetDIBits(hBMDC, hBM, 0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at line 185
+ - JDK-8187759: Background not refreshed when painting over a transparent JFrame
+ - JDK-8223696: java/net/httpclient/MaxStreams.java failed with didn't finish within the time-out
+ - JDK-8259866: two java.util tests failed with "IOException: There is not enough space on the disk"
+ - JDK-8266242: java/awt/GraphicsDevice/CheckDisplayModes.java failing on macOS 11 ARM
+ - JDK-8278527: java/util/concurrent/tck/JSR166TestCase.java fails nanoTime test
+ - JDK-8280056: gtest/LargePageGtests.java#use-large-pages failed "os.release_one_mapping_multi_commits_vm"
+ - JDK-8281658: Add a security category to the java -XshowSettings option
+ - JDK-8288936: Wrong 
lock ordering writing G1HeapRegionTypeChange JFR event
+ - JDK-8288989: Make tests not depend on the source code
+ - JDK-8293069: Make -XX:+Verbose less verbose
+ - JDK-8293850: need a largest_committed metric for each category of NMT's output
+ - JDK-8294699: Launcher causes lingering busy cursor
+ - JDK-8294985: SSLEngine throws IAE during parsing of X500Principal
+ - JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries
+ - JDK-8299023: TestPLABResize.java and TestPLABPromotion.java are failing intermittently
+ - JDK-8301183: (zipfs) jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java failing with ZipException:R0 on OL9
+ - JDK-8303525: Refactor/cleanup open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
+ - JDK-8303773: Replace "main.wrapper" with "test.thread.factory" property in test code
+ - JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file
+ - JDK-8303959: tools/jpackage/share/RuntimePackageTest.java fails with java.lang.AssertionError missing files
+ - JDK-8303972: (zipfs) Make test/jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java independent of the zip command line
+ - JDK-8304839: Move TestScaffold.main() to the separate class DebugeeWrapper
+ - JDK-8305645: System Tray icons get corrupted when Windows primary monitor changes
+ - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
+ - JDK-8306040: HttpResponseInputStream.available() returns 1 on empty stream
+ - JDK-8308144: Uncontrolled memory consumption in SSLFlowDelegate.Reader
+ - JDK-8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12
+ - JDK-8309142: Refactor test/langtools/tools/javac/versions/Versions.java
+ - JDK-8309752: com/sun/jdi/SetLocalWhileThreadInNative.java fails with virtual test thread factory due to OpaqueFrameException
+ - JDK-8309757: com/sun/jdi/ReferrersTest.java fails with virtual test thread factory
+ - JDK-8309763: Move tests in 
test/jdk/sun/misc/URLClassPath directory to test/jdk/jdk/internal/loader
+ - JDK-8309871: jdk/jfr/api/consumer/recordingstream/TestSetEndTime.java timed out
+ - JDK-8309890: TestStringDeduplicationInterned.java waits for the wrong condition
+ - JDK-8310070: Test: javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out
+ - JDK-8310228: Improve error reporting for uncaught native exceptions on Windows
+ - JDK-8310234: Refactor Locale tests to use JUnit
+ - JDK-8310355: Move the stub test from initialize_final_stubs() to test/hotspot/gtest
+ - JDK-8310513: [s390x] Intrinsify recursive ObjectMonitor locking
+ - JDK-8310731: Configure a javax.net.ssl.SNIMatcher for the HTTP/1.1 test servers in java/net/httpclient tests
+ - JDK-8310818: Refactor more Locale tests to use JUnit
+ - JDK-8310913: Move ReferencedKeyMap to jdk.internal so it may be shared
+ - JDK-8311792: java/net/httpclient/ResponsePublisher.java fails intermittently with AssertionError: Found some outstanding operations
+ - JDK-8311823: JFR: Uninitialized EventEmitter::_thread_id field
+ - JDK-8311881: jdk/javax/swing/ProgressMonitor/ProgressTest.java does not show the ProgressMonitorInputStream all the time
+ - JDK-8311964: Some jtreg tests failing on x86 with error 'unrecognized VM options' (C2 flags)
+ - JDK-8312014: [s390x] TestSigInfoInHsErrFile.java Failure
+ - JDK-8312194: test/hotspot/jtreg/applications/ctw/modules/jdk_crypto_ec.java cannot handle empty modules
+ - JDK-8312218: Print additional debug information when hitting assert(in_hash)
+ - JDK-8312320: Remove javax/rmi/ssl/SSLSocketParametersTest.sh from ProblemList
+ - JDK-8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection
+ - JDK-8312498: Thread::getState and JVM TI GetThreadState should return TIMED_WAITING virtual thread is timed parked
+ - JDK-8312777: notifyJvmtiMount before notifyJvmtiUnmount
+ - JDK-8313394: Array Elements in OldObjectSample event has the incorrect description
+ - JDK-8313612: Use JUnit in 
lib-test/jdk tests
+ - JDK-8313702: Update IANA Language Subtag Registry to Version 2023-08-02
+ - JDK-8313710: jcmd: typo in the documentation of JFR.start and JFR.dump
+ - JDK-8313899: JVMCI exception Translation can fail in TranslatedException.
+ - JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account
+ - JDK-8314824: Fix serviceability/jvmti/8036666/GetObjectLockCount.java to use vm flags
+ - JDK-8314828: Mark 3 jcmd command-line options test as vm.flagless
+ - JDK-8314832: Few runtime/os tests ignore vm flags
+ - JDK-8314975: JavadocTester should set source path if not specified
+ - JDK-8315071: Modify TrayIconScalingTest.java, PrintLatinCJKTest.java to use new PassFailJFrame's builder pattern usage
+ - JDK-8315117: Update Zlib Data Compression Library to Version 1.3
+ - JDK-8315373: Change VirtualThread to unmount after freezing, re-mount before thawing
+ - JDK-8315485: (fs) Move java/nio/file/Path/Misc.java tests into java/nio/file/Path/PathOps.java
+ - JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration
+ - JDK-8315559: Delay TempSymbol cleanup to avoid symbol table churn
+ - JDK-8315605: G1: Add number of nmethods in code roots scanning statistics
+ - JDK-8315609: Open source few more swing text/html tests
+ - JDK-8315652: RISC-V: Features string uses wrong separator for jtreg
+ - JDK-8315663: Open source misc awt tests
+ - JDK-8315677: Open source few swing JFileChooser and other tests
+ - JDK-8315741: Open source few swing JFormattedTextField and JPopupMenu tests
+ - JDK-8315824: Open source several Swing Text/HTML related tests
+ - JDK-8315834: Open source several Swing JSpinner related tests
+ - JDK-8315889: Open source several Swing HTMLDocument related tests
+ - JDK-8315898: Open source swing JMenu tests
+ - JDK-8315998: Remove dead ClassLoaderDataGraphKlassIteratorStatic
+ - JDK-8316002: Remove unnecessary seen_dead_loader in ClassLoaderDataGraph::do_unloading
+ - JDK-8316053: Open 
some swing tests 3
+ - JDK-8316138: Add GlobalSign 2 TLS root certificates
+ - JDK-8316154: Opensource JTextArea manual tests
+ - JDK-8316164: Opensource JMenuBar manual test
+ - JDK-8316186: RISC-V: Remove PlatformCmpxchg<4>
+ - JDK-8316228: jcmd tests are broken by 8314828
+ - JDK-8316242: Opensource SwingGraphics manual test
+ - JDK-8316451: 6 java/lang/instrument/PremainClass tests ignore VM flags
+ - JDK-8316460: 4 javax/management tests ignore VM flags
+ - JDK-8316559: Refactor some util/Calendar tests to JUnit
+ - JDK-8316563: test tools/jpackage/linux/LinuxResourceTest.java fails on CentOS Linux release 8.5.2111 and Fedora 27
+ - JDK-8316608: Enable parallelism in vmTestbase/gc/vector tests
+ - JDK-8316669: ImmutableOopMapSet destructor not called
+ - JDK-8316670: Remove effectively unused nmethodBucket::_count
+ - JDK-8316696: Remove the testing base classes: IntlTest and CollatorTest
+ - JDK-8316924: java/lang/Thread/virtual/stress/ParkALot.java times out
+ - JDK-8316959: Improve InlineCacheBuffer pending queue management
+ - JDK-8317007: Add bulk removal of dead nmethods during class unloading
+ - JDK-8317235: Remove Access API use in nmethod class
+ - JDK-8317287: [macos14] InterJVMGetDropSuccessTest.java: Child VM: abnormal termination
+ - JDK-8317350: Move code cache purging out of CodeCache::UnloadingScope
+ - JDK-8317440: Lock rank checking fails when code root set is modified with the Servicelock held after JDK-8315503
+ - JDK-8317600: VtableStubs::stub_containing() table load not ordered wrt to stores
+ - JDK-8317631: Refactor ChoiceFormat tests to use JUnit
+ - JDK-8317677: Specialize Vtablestubs::entry_for() for VtableBlob
+ - JDK-8317809: Insertion of free code blobs into code cache can be very slow during class unloading
+ - JDK-8317965: TestLoadLibraryDeadlock.java fails with "Unable to load native library.: expected true, was false"
+ - JDK-8318109: Writing JFR records while a CHT has taken its lock asserts in rank checking
+ - JDK-8318322: 
Update IANA Language Subtag Registry to Version 2023-10-16
+ - JDK-8318455: Fix the compiler/sharedstubs/SharedTrampolineTest.java and SharedStubToInterpTest.java
+ - JDK-8318580: "javax/swing/MultiMonitor/MultimonVImage.java failing with Error. Can't find library: /open/test/jdk/java/awt/regtesthelpers" after JDK-8316053
+ - JDK-8318585: Rename CodeCache::UnloadingScope to UnlinkingScope
+ - JDK-8318599: HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
+ - JDK-8318720: G1: Memory leak in G1CodeRootSet after JDK-8315503
+ - JDK-8318727: Enable parallelism in vmTestbase/vm/gc/concurrent tests
+ - JDK-8318757: VM_ThreadDump asserts in interleaved ObjectMonitor::deflate_monitor calls
+ - JDK-8318854: [macos14] Running any AWT app prints Secure coding warning
+ - JDK-8318962: Update ProcessTools javadoc with suggestions in 8315097
+ - JDK-8318986: Improve GenericWaitBarrier performance
+ - JDK-8319048: Monitor deflation unlink phase prolongs time to safepoint
+ - JDK-8319153: Fix: Class is a raw type in ProcessTools
+ - JDK-8319265: TestLoadLibraryDeadlock.java fails on windows-x64 "Unable to load b.jar"
+ - JDK-8319338: tools/jpackage/share/RuntimeImageTest.java fails with -XX:+UseZGC
+ - JDK-8319376: ParallelGC: Forwarded objects found during heap inspection
+ - JDK-8319437: NMT should show library names in call stacks
+ - JDK-8319567: Update java/lang/invoke tests to support vm flags
+ - JDK-8319568: Update java/lang/reflect/exeCallerAccessTest/CallerAccessTest.java to accept vm flags
+ - JDK-8319571: Update jni/nullCaller/NullCallerTest.java to accept flags or mark as flagless
+ - JDK-8319574: Exec/process tests should be marked as flagless
+ - JDK-8319578: Few java/lang/instrument ignore test.java.opts and accept test.vm.opts only
+ - JDK-8319647: Few java/lang/System/LoggerFinder/modules tests ignore vm flags
+ - JDK-8319648: java/lang/SecurityManager tests ignore vm flags
+ - JDK-8319650: Improve heap dump performance 
with class metadata caching
+ - JDK-8319651: Several network tests ignore vm flags when start java process
+ - JDK-8319672: Several classloader tests ignore VM flags
+ - JDK-8319676: A couple of jdk/modules/incubator/ tests ignore VM flags
+ - JDK-8319677: Test jdk/internal/misc/VM/RuntimeArguments.java should be marked as flagless
+ - JDK-8319713: Parallel: Remove PSAdaptiveSizePolicy::should_full_GC
+ - JDK-8319757: java/nio/channels/DatagramChannel/InterruptibleOrNot.java failed: wrong exception thrown
+ - JDK-8319876: Reduce memory consumption of VM_ThreadDump::doit
+ - JDK-8319896: Remove monitor deflation from final audit
+ - JDK-8319955: Improve dependencies removal during class unloading
+ - JDK-8320005: Allow loading of shared objects with .a extension on AIX
+ - JDK-8320061: [nmt] Multiple issues with peak accounting
+ - JDK-8320113: [macos14] : ShapeNotSetSometimes.java fails intermittently on macOS 14
+ - JDK-8320129: "top" command during jtreg failure handler does not display CPU usage on OSX
+ - JDK-8320275: assert(_chunk->bitmap().at(index)) failed: Bit not set at index
+ - JDK-8320331: G1 Full GC Heap verification relies on metadata not reset before verification
+ - JDK-8320342: Use PassFailJFrame for TruncatedPopupMenuTest.java
+ - JDK-8320343: Generate GIF images for AbstractButton/5049549/bug5049549.java
+ - JDK-8320349: Simplify FileChooserSymLinkTest.java by using single-window testUI
+ - JDK-8320365: IPPPrintService.getAttributes() causes blanket re-initialisation
+ - JDK-8320370: NMT: Change MallocMemorySnapshot to simplify code. 
+ - JDK-8320515: assert(monitor->object_peek() != nullptr) failed: Owned monitors should not have a dead object
+ - JDK-8320525: G1: G1UpdateRemSetTrackingBeforeRebuild::distribute_marked_bytes accesses partially unloaded klass
+ - JDK-8320570: NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters
+ - JDK-8320681: [macos] Test tools/jpackage/macosx/MacAppStoreJlinkOptionsTest.java timed out on macOS
+ - JDK-8320692: Null icon returned for .exe without custom icon
+ - JDK-8320707: Virtual thread test updates
+ - JDK-8320712: Rewrite BadFactoryTest in pure Java
+ - JDK-8320714: java/util/Locale/LocaleProvidersRun.java and java/util/ResourceBundle/modules/visibility/VisibilityTest.java timeout after passing
+ - JDK-8320715: Improve the tests of test/hotspot/jtreg/compiler/intrinsics/float16
+ - JDK-8320924: Improve heap dump performance by optimizing archived object checks
+ - JDK-8321075: RISC-V: UseSystemMemoryBarrier lacking proper OS support
+ - JDK-8321107: Add more test cases for JDK-8319372
+ - JDK-8321163: [test] OutputAnalyzer.getExitValue() unnecessarily logs even when process has already completed
+ - JDK-8321182: SourceExample.SOURCE_14 comment should refer to 'switch expressions' instead of 'text blocks'
+ - JDK-8321270: Virtual Thread.yield consumes parking permit
+ - JDK-8321276: runtime/cds/appcds/dynamicArchive/DynamicSharedSymbols.java failed with "'17 2: jdk/test/lib/apps ' missing from stdout/stderr"
+ - JDK-8321489: Update LCMS to 2.16
+ - JDK-8321713: Harmonize executeTestJvm with create[Limited]TestJavaProcessBuilder
+ - JDK-8321718: ProcessTools.executeProcess calls waitFor before logging
+ - JDK-8321812: Update GC tests to use execute[Limited]TestJava
+ - JDK-8321815: Shenandoah: gc state should be synchronized to java threads only once per safepoint
+ - JDK-8321925: sun/security/mscapi/KeytoolChangeAlias.java fails with "Alias <246810> does not exist"
+ - JDK-8322239: [macos] a11y : java.lang.NullPointerException is 
thrown when focus is moved on the JTabbedPane
+ - JDK-8322477: order of subclasses in the permits clause can differ between compilations
+ - JDK-8322503: Shenandoah: Clarify gc state usage
+ - JDK-8322818: Thread::getStackTrace can fail with InternalError if virtual thread is timed-parked when pinned
+ - JDK-8322846: Running with -Djdk.tracePinnedThreads set can hang
+ - JDK-8322858: compiler/c2/aarch64/TestFarJump.java fails on AArch64 due to unexpected PrintAssembly output
+ - JDK-8322920: Some ProcessTools.execute* functions are declared to throw Throwable
+ - JDK-8322962: Upcall stub might go undetected when freezing frames
+ - JDK-8323002: test/jdk/java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java times out on macosx-x64
+ - JDK-8323170: j2dbench is using outdated javac source/target to be able to build by itself
+ - JDK-8323210: Update the usage of cmsFLAGS_COPY_ALPHA
+ - JDK-8323276: StressDirListings.java fails on AIX
+ - JDK-8323296: java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java#id1 timed out
+ - JDK-8323519: Add applications/ctw/modules to Hotspot tiered testing
+ - JDK-8323595: is_aligned(p, alignof(OopT))) assertion fails in Jetty without compressed OOPs
+ - JDK-8323635: Test gc/g1/TestHumongousAllocConcurrentStart.java fails with -XX:TieredStopAtLevel=3
+ - JDK-8323685: PrintSystemDictionaryAtExit has mutex rank assert
+ - JDK-8323994: gtest runner repeats test name for every single gtest assertion
+ - JDK-8324121: SIGFPE in PhaseIdealLoop::extract_long_range_checks
+ - JDK-8324123: aarch64: fix prfm literal encoding in assembler
+ - JDK-8324236: compiler/ciReplay/TestInliningProtectionDomain.java failed with RuntimeException: should only dump inline information for ... 
expected true, was false
+ - JDK-8324238: [macOS] java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails with the shape has not been applied msg
+ - JDK-8324243: Compilation failures in java.desktop module with gcc 14
+ - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
+ - JDK-8324646: Avoid Class.forName in SecureRandom constructor
+ - JDK-8324648: Avoid NoSuchMethodError when instantiating NativePRNG
+ - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
+ - JDK-8324733: [macos14] Problem list tests which fail due to macOS bug described in JDK-8322653
+ - JDK-8324817: Parallel GC does not pre-touch all heap pages when AlwaysPreTouch enabled and large page disabled
+ - JDK-8324824: AArch64: Detect Ampere-1B core and update default options for Ampere CPUs
+ - JDK-8324834: Use _LARGE_FILES on AIX
+ - JDK-8324933: ConcurrentHashTable::statistics_calculate synchronization is expensive
+ - JDK-8324998: Add test cases for String.regionMatches comparing Turkic dotted/dotless I with uppercase latin I
+ - JDK-8325024: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java incorrect comment information
+ - JDK-8325028: (ch) Pipe channels should lazily set socket to non-blocking mode on first use by virtual thread
+ - JDK-8325095: C2: bailout message broken: ResourceArea allocated string used after free
+ - JDK-8325137: com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java can fail in Xcomp with out of expected range
+ - JDK-8325203: System.exit(0) kills the launched 3rd party application
+ - JDK-8325213: Flags introduced by configure script are not passed to ADLC build
+ - JDK-8325255: jdk.internal.util.ReferencedKeySet::add using wrong test
+ - JDK-8325326: [PPC64] Don't relocate in case of allocation failure
+ - JDK-8325372: Shenandoah: SIGSEGV crash in unnecessary_acquire due to LoadStore split through phi
+ - JDK-8325432: enhance assert message "relocation addr must be in this section"
+ - JDK-8325437: Safepoint 
polling in monitor deflation can cause massive logs
+ - JDK-8325567: jspawnhelper without args fails with segfault
+ - JDK-8325579: Inconsistent behavior in com.sun.jndi.ldap.Connection::createSocket
+ - JDK-8325613: CTW: Stale method cleanup requires GC after Sweeper removal
+ - JDK-8325621: Improve jspawnhelper version checks
+ - JDK-8325743: test/jdk/java/nio/channels/unixdomain/SocketOptions.java enhance user name output in error case
+ - JDK-8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests
+ - JDK-8325908: Finish removal of IntlTest and CollatorTest
+ - JDK-8325972: Add -x to bash for building with LOG=debug
+ - JDK-8326006: Allow TEST_VM_FLAGLESS to set flagless mode
+ - JDK-8326101: [PPC64] Need to bailout cleanly if creation of stubs fails when code cache is out of space
+ - JDK-8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns
+ - JDK-8326201: [S390] Need to bailout cleanly if creation of stubs fails when code cache is out of space
+ - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
+ - JDK-8326446: The User and System of jdk.CPULoad on Apple M1 are inaccurate
+ - JDK-8326496: [test] checkHsErrFileContent support printing hserr in error case
+ - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
+ - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
+ - JDK-8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used
+ - JDK-8326638: Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop
+ - JDK-8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
+ - JDK-8326661: sun/java2d/cmm/ColorConvertOp/ColConvTest.java assumes profiles were generated by LCMS
+ - JDK-8326685: Linux builds not 
reproducible if two builds configured in different build folders + - JDK-8326718: Test java/util/Formatter/Padding.java should timeout on large inputs before fix in JDK-8299677 + - JDK-8326773: Bump update version for OpenJDK: jdk-21.0.4 + - JDK-8326824: Test: remove redundant test in compiler/vectorapi/reshape/utils/TestCastMethods.java + - JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries + - JDK-8326936: RISC-V: Shenandoah GC crashes due to incorrect atomic memory operations + - JDK-8326948: Force English locale for timeout formatting + - JDK-8326960: GHA: RISC-V sysroot cannot be debootstrapped due to ongoing Debian t64 transition + - JDK-8326974: ODR violation in macroAssembler_aarch64.cpp + - JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 + - JDK-8327059: os::Linux::print_proc_sys_info add swappiness information + - JDK-8327096: (fc) java/nio/channels/FileChannel/Size.java fails on partition incapable of creating large files + - JDK-8327136: javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java fails on libgraal + - JDK-8327180: Failed: java/io/ObjectStreamClass/ObjectStreamClassCaching.java#G1 + - JDK-8327261: Parsing test for Double/Float succeeds w/o testing all bad cases + - JDK-8327468: Do not restart close if errno is EINTR [macOS/linux] + - JDK-8327474: Review use of java.io.tmpdir in jdk tests + - JDK-8327486: java/util/Properties/PropertiesStoreTest.java fails "Text 'xxx' could not be parsed at index 20" after 8174269 + - JDK-8327631: Update IANA Language Subtag Registry to Version 2024-03-07 + - JDK-8327799: JFR view: the "Park Until" field of jdk.ThreadPark is invalid if the parking method is not absolute + - JDK-8327971: Multiple ASAN errors reported for metaspace + - JDK-8327988: When running ASAN, disable dangerous NMT test + - JDK-8327989: java/net/httpclient/ManyRequest.java should not use "localhost" in URIs + - JDK-8327998: 
Enable java/lang/ProcessBuilder/JspawnhelperProtocol.java on Mac + - JDK-8328037: Test java/util/Formatter/Padding.java has unnecessary high heap requirement after JDK-8326718 + - JDK-8328066: WhiteBoxResizeTest failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328165: improve assert(idx < _maxlrg) failed: oob + - JDK-8328166: Epsilon: 'EpsilonHeap::allocate_work' misuses the parameter 'size' as size in bytes + - JDK-8328168: Epsilon: Premature OOM when allocating object larger than uncommitted heap size + - JDK-8328194: Add a test to check default rendering engine + - JDK-8328524: [x86] StringRepeat.java failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328540: test javax/swing/JSplitPane/4885629/bug4885629.java fails on windows hidpi + - JDK-8328555: hidpi problems for test java/awt/Dialog/DialogAnotherThread/JaWSTest.java + - JDK-8328589: unify os::breakpoint among posix platforms + - JDK-8328592: hprof tests fail with -XX:-CompactStrings + - JDK-8328604: remove on_aix() function + - JDK-8328638: Fallback option for POST-only OCSP requests + - JDK-8328702: C2: Crash during parsing because sub type check is not folded + - JDK-8328703: Illegal accesses in Java_jdk_internal_org_jline_terminal_impl_jna_linux_CLibraryImpl_ioctl0 + - JDK-8328705: GHA: Cross-compilation jobs do not require build JDK + - JDK-8328709: AIX os::get_summary_cpu_info support Power 10 + - JDK-8328744: Parallel: Parallel GC throws OOM before heap is fully expanded + - JDK-8328776: [AIX] remove checked_vmgetinfo, use vmgetinfo directly + - JDK-8328812: Update and move siphash license + - JDK-8328822: C2: "negative trip count?" 
assert failure in profile predicate code + - JDK-8328825: Google CAInterop test failures + - JDK-8328938: C2 SuperWord: disable vectorization for large stride and scale + - JDK-8328948: GHA: Restoring sysroot from cache skips the build after JDK-8326960 + - JDK-8328957: Update PKCS11Test.java to not use hardcoded path + - JDK-8328988: [macos14] Problem list LightweightEventTest.java which fails due to macOS bug described in JDK-8322653 + - JDK-8328997: Remove unnecessary template parameter lists in GrowableArray + - JDK-8329013: StackOverflowError when starting Apache Tomcat with signed jar + - JDK-8329109: Threads::print_on() tries to print CPU time for terminated GC threads + - JDK-8329163: C2: possible overflow in PhaseIdealLoop::extract_long_range_checks() + - JDK-8329213: Better validation for com.sun.security.ocsp.useget option + - JDK-8329223: Parallel: Parallel GC resizes heap even if -Xms = -Xmx + - JDK-8329545: [s390x] Fix garbage value being passed in Argument Register + - JDK-8329570: G1: Excessive is_obj_dead_cond calls in verification + - JDK-8329605: hs errfile generic events - move memory protections and nmethod flushes to separate sections + - JDK-8329663: hs_err file event log entry for thread adding/removing should print current thread + - JDK-8329823: RISC-V: Need to sync CPU features with related JVM flags + - JDK-8329840: Fix ZPhysicalMemorySegment::_end type + - JDK-8329850: [AIX] Allow loading of different members of same shared library archive + - JDK-8329862: libjli GetApplicationHome cleanups and enhance jli tracing + - JDK-8329961: Buffer overflow in os::Linux::kernel_version + - JDK-8330011: [s390x] update block-comments to make code consistent + - JDK-8330094: RISC-V: Save and restore FRM in the call stub + - JDK-8330156: RISC-V: Range check auipc + signed 12 imm instruction + - JDK-8330242: RISC-V: Simplify and remove CORRECT_COMPILER_ATOMIC_SUPPORT in atomic_linux_riscv.hpp + - JDK-8330275: Crash in XMark::follow_array + - 
JDK-8330464: hserr generic events - add entry for the before_exit calls + - JDK-8330523: Reduce runtime and improve efficiency of KeepAliveTest + - JDK-8330524: Linux ppc64le compile warning with clang in os_linux_ppc.cpp + - JDK-8330615: avoid signed integer overflows in zip_util.c readCen / hashN + - JDK-8330815: Use pattern matching for instanceof in KeepAliveCache + - JDK-8331031: unify os::dont_yield and os::naked_yield across Posix platforms + - JDK-8331113: createJMHBundle.sh support configurable maven repo mirror + - JDK-8331167: UBSan enabled build fails in adlc on macOS + - JDK-8331298: avoid alignment checks in UBSAN enabled build + - JDK-8331331: :tier1 target explanation in doc/testing.md is incorrect + - JDK-8331352: error: template-id not allowed for constructor/destructor in C++20 + - JDK-8331466: Problemlist serviceability/dcmd/gc/RunFinalizationTest.java on generic-all + - JDK-8331639: [21u]: Bump GHA bootstrap JDK to 21.0.3 + - JDK-8331942: On Linux aarch64, CDS archives should be using 64K alignment by default + - JDK-8332253: Linux arm32 build fails after 8292591 + - JDK-8334441: Mark tests in jdk_security_infra group as manual + - JDK-8335960: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.4 + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8281658: Add a security category to the java -XshowSettings option +====================================================================== + +The `-XshowSettings` launcher option now has a 'security' category, allowing +the following arguments to be passed: + +* -XshowSettings:security or -XshowSettings:security:all: show all security settings and continue +* -XshowSettings:security:properties - show security properties and continue +* -XshowSettings:security:providers - show static security provider settings and continue +* -XshowSettings:security:tls - show TLS related security settings and continue + +The output will include 
third-party security providers if they are +included in the application class path or module path, and configured +in the java.security file. + +JDK-8316138: Add GlobalSign 2 TLS root certificates +=================================================== +The following root certificates have been added to the cacerts +truststore: + +Name: GlobalSign +Alias Name: globalsignr46 +Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE + +Name: GlobalSign +Alias Name: globalsigne46 +Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE + +security-libs/javax.security: + +JDK-8328638: Fallback Option For POST-only OCSP Requests +======================================================== +JDK-8179503, introduced in OpenJDK 17, added support for using the +HTTP GET method for OCSP requests. This was turned on unconditionally +for small requests. + +RFC 5019 and RFC 6960 explicitly allow and recommend the use of HTTP +GET requests. However, some OCSP responders have been observed to not +work well with such requests. + +With this release, the JDK system property +`com.sun.security.ocsp.useget` is introduced. The default setting is +'true' which retains the current behaviour of using GET requests for +small requests. If the property is instead set to 'false', only HTTP +POST requests will be used, regardless of size. + +This option is non-standard and may be removed again if problematic +OCSP responders are no longer an issue. + +infrastructure/build: + +JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries +================================================================================== +Native executables and libraries in the JDK use embedded runtime +search paths to locate required internal JDK native libraries. On +Linux systems, there are two ways of specifying these search paths; +DT_RPATH and DT_RUNPATH. 
+ +The main difference between the two options is that paths specified by +DT_RPATH are searched before those in the LD_LIBRARY_PATH environment +variable, whereas DT_RUNPATH paths are considered afterwards. This +means the use of DT_RUNPATH can allow JDK internal libraries to be +overridden by libraries of the same name found on the LD_LIBRARY_PATH. + +Builds of earlier OpenJDK releases left the choice of which type of +runtime search path to use down to the default of the linker. With +this release, the option `--disable-new-dtags` is explicitly passed to +the linker to avoid setting DT_RUNPATH. + +tools/jpackage: + +JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries +========================================================================================= +The jpackage tool uses `dpkg -S` to lookup which package provides a +particular file on Debian and Ubuntu systems. However, on newer Debian +and Ubuntu systems, `dpkg -S` does not resolve symlinks. In this +OpenJDK release, jpackage now resolves symlinks before passing the +real path of the file to dpkg. + +hotspot/gc: + +JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account +========================================================================================= +To comply with the settings of `-XX:MinHeapFreeRatio` and +`-XX:MaxHeapFreeRatio`, the G1 garbage collector adjusts the Java heap +size during the Remark phase, keeping the number of free regions +within these bounds. + +In earlier OpenJDK releases, Eden regions were considered to be +occupied or full for this calculation. This made the heap size +dependent on the Eden occupancy at the time the Remark phase was +run. However, after the next garbage collection, these Eden regions +would be empty. + +With this OpenJDK release, Eden regions are now considered empty or +free during the Remark phase calculation. 
The overall effect is that +G1 now expands the Java heap less aggressively and more +determinstically, as the number of free regions does not vary as much. +It also aligns Java heap sizing with the full GC heap sizing. +However, this may potentially lead to more garbage collections. + +JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration +================================================================================= +The Code Root Scan phase of garbage collection finds references to +Java objects within compiled code. To speed up this process, a cache +is maintained within each region of the compiled code that contains +references into the Java heap. + +On the assumption that the set of references was small, previous +releases used a single thread per region to iterate through these +references. This introduced a scalability bottleneck, where +performance could be reduced if a particular region contained a large +number of references. + +In this release, multiple threads are used, removing this bottleneck. 
+ +New in release OpenJDK 21.0.3 (2024-04-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2103 + +* CVEs + - CVE-2024-21012 + - CVE-2024-21011 + - CVE-2024-21068 +* Security fixes + - JDK-8315708: Enhance HTTP/2 client usage + - JDK-8318340: Improve RSA key implementations + - JDK-8319851: Improve exception logging + - JDK-8322122: Enhance generation of addresses +* Other changes + - JDK-6928542: Chinese characters in RTF are not decoded + - JDK-8009550: PlatformPCSC should load versioned so + - JDK-8077371: Binary files in JAXP test should be removed + - JDK-8169475: WheelModifier.java fails by timeout + - JDK-8209595: MonitorVmStartTerminate.java timed out + - JDK-8210410: Refactor java.util.Currency:i18n shell tests to plain java tests + - JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from + - JDK-8263256: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails due to dynamic reconfigurations of network interface during test + - JDK-8264899: C1: -XX:AbortVMOnException does not work if all methods in the call stack are compiled with C1 and there are no exception handlers + - JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + - JDK-8295343: sun/security/pkcs11 tests fail on Linux RHEL 8.6 and newer + - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts + - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + - JDK-8304020: Speed up test/jdk/java/util/zip/ZipFile/TestTooManyEntries.java and clarify its purpose + - JDK-8304292: Memory leak related to ClassLoader::update_class_path_entry_list + - JDK-8305962: update jcstress to 0.16 + - JDK-8305971: NPE in JavacProcessingEnvironment for missing enum constructor body + - JDK-8306922: IR verification fails because IR dump is chopped up + - JDK-8307408: Some jdk/sun/tools/jhsdb tests don't pass test JVM args to the debuggee JVM + - JDK-8309109: AArch64: 
[TESTBUG] compiler/intrinsics/sha/cli/TestUseSHA3IntrinsicsOptionOnSupportedCPU.java fails on Neoverse N2 and V1 + - JDK-8309203: C2: remove copy-by-value of GrowableArray for InterfaceSet + - JDK-8309302: java/net/Socket/Timeouts.java fails with AssertionError on test temporal post condition + - JDK-8309697: [TESTBUG] Remove "@requires vm.flagless" from jtreg vectorization tests + - JDK-8310031: Parallel: Implement better work distribution for large object arrays in old gen + - JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/bug6889007.java fails + - JDK-8310308: IR Framework: check for type and size of vector nodes + - JDK-8310629: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java fails with RuntimeException Server not ready + - JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is spuriously passing + - JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + - JDK-8310844: [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate + - JDK-8310919: runtime/ErrorHandling/TestAbortVmOnException.java times out due to core dumps taking a long time on OSX + - JDK-8310923: Refactor Currency tests to use JUnit + - JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + - JDK-8311279: TestStressIGVNAndCCP.java failed with different IGVN traces for the same seed + - JDK-8311581: Remove obsolete code and comments in TestLVT.java + - JDK-8311588: C2: RepeatCompilation compiler directive does not choose stress seed randomly + - JDK-8311663: Additional refactoring of Locale tests to JUnit + - JDK-8311893: Interactive component with ARIA role 'tabpanel' does not have a programmatically associated name + - JDK-8311986: Disable runtime/os/TestTracePageSizes.java for ShenandoahGC + - JDK-8311992: Test java/lang/Thread/virtual/JfrEvents::testVirtualThreadPinned failed + - JDK-8312136: Modify runtime/ErrorHandling/TestDwarf.java to split dwarf and decoder testing + - JDK-8312416: Tests 
in Locale should have more descriptive names + - JDK-8312428: PKCS11 tests fail with NSS 3.91 + - JDK-8312916: Remove remaining usages of -Xdebug from test/hotspot/jtreg + - JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + - JDK-8313229: DHEKeySizing.java should be modified to use TLS versions TLSv1, TLSv1.1, TLSv1.2 + - JDK-8313507: Remove pkcs11/Cipher/TestKATForGCM.java from ProblemList + - JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/TestFloatingDecimal should use RandomFactory + - JDK-8313638: Add test for dump of resolved references + - JDK-8313670: Simplify shared lib name handling code in some tests + - JDK-8313720: C2 SuperWord: wrong result with -XX:+UseVectorCmov -XX:+UseCMoveUnconditionally + - JDK-8313816: Accessing jmethodID might lead to spurious crashes + - JDK-8313854: Some tests in serviceability area fail on localized Windows platform + - JDK-8314164: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + - JDK-8314220: Configurable InlineCacheBuffer size + - JDK-8314283: Support for NSS tests on aarch64 platforms + - JDK-8314320: Mark runtime/CommandLine/ tests as flagless + - JDK-8314333: Update com/sun/jdi/ProcessAttachTest.java to use ProcessTools.createTestJvm(..) 
+ - JDK-8314513: [IR Framework] Some internal IR Framework tests are failing after JDK-8310308 on PPC and Cascade Lake + - JDK-8314578: Non-verifiable code is emitted when two guards declare pattern variables in colon-switch + - JDK-8314610: hotspot can't compile with the latest of gtest because of + - JDK-8314612: TestUnorderedReduction.java fails with -XX:MaxVectorSize=32 and -XX:+AlignVector + - JDK-8314629: Generational ZGC: Clearing All SoftReferences log line lacks GCId + - JDK-8314829: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java ignores vm flags + - JDK-8314830: runtime/ErrorHandling/ tests ignore external VM flags + - JDK-8314831: NMT tests ignore vm flags + - JDK-8314835: gtest wrappers should be marked as flagless + - JDK-8314837: 5 compiled/codecache tests ignore VM flags + - JDK-8314838: 3 compiler tests ignore vm flags + - JDK-8314990: Generational ZGC: Strong OopStorage stats reported as weak roots + - JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + - JDK-8315042: NPE in PKCS7.parseOldSignedData + - JDK-8315097: Rename createJavaProcessBuilder + - JDK-8315241: (fs) Move toRealPath tests in java/nio/file/Path/Misc.java to separate JUnit 5 test + - JDK-8315406: [REDO] serviceability/jdwp/AllModulesCommandTest.java ignores VM flags + - JDK-8315594: Open source few headless Swing misc tests + - JDK-8315600: Open source few more headless Swing misc tests + - JDK-8315602: Open source swing security manager test + - JDK-8315611: Open source swing text/html and tree test + - JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + - JDK-8315721: CloseRace.java#id0 fails transiently on libgraal + - JDK-8315726: Open source several AWT applet tests + - JDK-8315731: Open source several Swing Text related tests + - JDK-8315761: Open source few swing JList and JMenuBar tests + - JDK-8315891: java/foreign/TestLinker.java failed with "error occurred while instantiating class TestLinker: 
null" + - JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/bug4654927.java: component must be showing on the screen to determine its location + - JDK-8315988: Parallel: Make TestAggressiveHeap use createTestJvm + - JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + - JDK-8316028: Update FreeType to 2.13.2 + - JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + - JDK-8316132: CDSProtectionDomain::get_shared_protection_domain should check for exception + - JDK-8316229: Enhance class initialization logging + - JDK-8316309: AArch64: VMError::print_native_stack() crashes on Java native method frame + - JDK-8316319: Generational ZGC: The SoftMaxHeapSize might be wrong when CDS decreases the MaxHeapSize + - JDK-8316392: compiler/interpreter/TestVerifyStackAfterDeopt.java failed with SIGBUS in PcDescContainer::find_pc_desc_internal + - JDK-8316410: GC: Make TestCompressedClassFlags use createTestJvm + - JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/CheckOrigin.java as vm.flagless + - JDK-8316446: 4 sun/management/jdp tests ignore VM flags + - JDK-8316447: 8 sun/management/jmxremote tests ignore VM flags + - JDK-8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags + - JDK-8316464: 3 sun/tools tests ignore VM flags + - JDK-8316562: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java times out after JDK-8314829 + - JDK-8316594: C2 SuperWord: wrong result with hand unrolled loops + - JDK-8316661: CompilerThread leaks CodeBlob memory when dynamically stopping compiler thread in non-product + - JDK-8316693: Simplify at-requires checkDockerSupport() + - JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + - JDK-8316961: Fallback implementations for 64-bit Atomic::{add,xchg} on 32-bit platforms + - JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm + - JDK-8317042: G1: Make TestG1ConcMarkStepDurationMillis use createTestJvm + - 
JDK-8317144: Exclude sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java on Linux ppc64le + - JDK-8317188: G1: Make TestG1ConcRefinementThreads use createTestJvm + - JDK-8317218: G1: Make TestG1HeapRegionSize use createTestJvm + - JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm + - JDK-8317300: javac erroneously allows "final" in front of a record pattern + - JDK-8317307: test/jdk/com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + - JDK-8317316: G1: Make TestG1PercentageOptions use createTestJvm + - JDK-8317317: G1: Make TestG1RemSetFlags use createTestJvm + - JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm + - JDK-8317347: Parallel: Make TestInitialTenuringThreshold use createTestJvm + - JDK-8317358: G1: Make TestMaxNewSize use createTestJvm + - JDK-8317522: Test logic for BODY_CF in AbstractThrowingSubscribers.java is wrong + - JDK-8317535: Shenandoah: Remove unused code + - JDK-8317771: [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma + - JDK-8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18 + - JDK-8318039: GHA: Bump macOS and Xcode versions + - JDK-8318082: ConcurrentModificationException from IndexWriter + - JDK-8318154: Improve stability of WheelModifier.java test + - JDK-8318157: RISC-V: implement ensureMaterializedForStackWalk intrinsic + - JDK-8318158: RISC-V: implement roundD/roundF intrinsics + - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows + - JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + - JDK-8318490: Increase timeout for JDK tests that are close to the limit when run with libgraal + - JDK-8318590: JButton ignores margin when painting HTML text + - JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + - JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests 
+ - JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + - JDK-8318613: ChoiceFormat patterns are not well tested + - JDK-8318689: jtreg is confused when folder name is the same as the test name + - JDK-8318696: Do not use LFS64 symbols on Linux + - JDK-8318737: Fallback linker passes bad JNI handle + - JDK-8318809: java/util/concurrent/ConcurrentLinkedQueue/WhiteBox.java shows intermittent failures on linux ppc64le and aarch64 + - JDK-8318964: Fix build failures caused by 8315097 + - JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + - JDK-8318983: Fix comment typo in PKCS12Passwd.java + - JDK-8319103: Popups that request focus are not shown on Linux with Wayland + - JDK-8319124: Update XML Security for Java to 3.0.3 + - JDK-8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64 + - JDK-8319136: Skip pkcs11 tests on linux-aarch64 + - JDK-8319137: release _object in ObjectMonitor dtor to avoid races + - JDK-8319213: Compatibility.java reads both stdout and stderr of JdkUtils + - JDK-8319314: NMT detail report slow or hangs for large number of mappings + - JDK-8319372: C2 compilation fails with "Bad immediate dominator info" + - JDK-8319382: com/sun/jdi/JdwpAllowTest.java shows failures on AIX if prefixLen of mask is larger than 32 in IPv6 case + - JDK-8319456: jdk/jfr/event/gc/collection/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + - JDK-8319548: Unexpected internal name for Filler array klass causes error in VisualVM + - JDK-8319569: Several java/util tests should be updated to accept VM flags + - JDK-8319633: runtime/posixSig/TestPosixSig.java intermittent timeouts on UNIX + - JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + - JDK-8319777: Zero: Support 8-byte cmpxchg + - JDK-8319879: Stress mode to randomize incremental inlining decision + - JDK-8319883: Zero: Use atomic built-ins for 64-bit accesses + - JDK-8319897: Move StackWatermark 
handling out of LockStack::contains + - JDK-8319938: TestFileChooserSingleDirectorySelection.java fails with "getSelectedFiles returned empty array" + - JDK-8320052: Zero: Use __atomic built-ins for atomic RMW operations + - JDK-8320145: Compiler should accept final variable in Record Pattern + - JDK-8320168: handle setsocktopt return values + - JDK-8320206: Some intrinsics/stubs missing vzeroupper on x86_64 + - JDK-8320208: Update Public Suffix List to b5bf572 + - JDK-8320300: Adjust hs_err output in malloc/mmap error cases + - JDK-8320303: Allow PassFailJFrame to accept single window creator + - JDK-8320309: AIX: pthreads created by foreign test library don't work as expected + - JDK-8320383: refresh libraries cache on AIX in VMError::report + - JDK-8320582: Zero: Misplaced CX8 enablement flag + - JDK-8320798: Console read line with zero out should zero out underlying buffer + - JDK-8320807: [PPC64][ZGC] C1 generates wrong code for atomics + - JDK-8320830: [AIX] Dont mix os::dll_load() with direct dlclose() calls + - JDK-8320877: Shenandoah: Remove ShenandoahUnloadClassesFrequency support + - JDK-8320888: Shenandoah: Enable ShenandoahVerifyOptoBarriers in debug builds + - JDK-8320890: [AIX] Find a better way to mimic dl handle equality + - JDK-8320898: exclude compiler/vectorapi/reshape/TestVectorReinterpret.java on ppc64(le) platforms + - JDK-8320907: Shenandoah: Remove ShenandoahSelfFixing flag + - JDK-8320921: GHA: Parallelize hotspot_compiler test jobs + - JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8320943: Files/probeContentType/Basic.java fails on latest Windows 11 - content type mismatch + - JDK-8321120: Shenandoah: Remove ShenandoahElasticTLAB flag + - JDK-8321122: Shenandoah: Remove ShenandoahLoopOptsAfterExpansion flag + - JDK-8321131: Console read line with zero out should zero out underlying buffer in JLine + - JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + - JDK-8321164: javac with 
annotation processor throws AssertionError: Filling jrt:/... during JarFileObject[/...] + - JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + - JDK-8321269: Require platforms to define DEFAULT_CACHE_LINE_SIZE + - JDK-8321374: Add a configure option to explicitly set CompanyName property in VersionInfo resource for Windows exe/dll + - JDK-8321408: Add Certainly roots R1 and E1 + - JDK-8321409: Console read line with zero out should zero out underlying buffer in JLine (redux) + - JDK-8321410: Shenandoah: Remove ShenandoahSuspendibleWorkers flag + - JDK-8321480: ISO 4217 Amendment 176 Update + - JDK-8321542: C2: Missing ChaCha20 stub for x86_32 leads to crashes + - JDK-8321582: yield .class not parsed correctly. + - JDK-8321599: Data loss in AVX3 Base64 decoding + - JDK-8321619: Generational ZGC: ZColorStoreGoodOopClosure is only valid for young objects + - JDK-8321894: Bump update version for OpenJDK: 21.0.3 + - JDK-8321972: test runtime/Unsafe/InternalErrorTest.java timeout on linux-riscv64 platform + - JDK-8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized + - JDK-8322040: Missing array bounds check in ClassReader.parameter + - JDK-8322098: os::Linux::print_system_memory_info enhance the THP output with /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + - JDK-8322142: JFR: Periodic tasks aren't orphaned between recordings + - JDK-8322159: ThisEscapeAnalyzer crashes for erroneous code + - JDK-8322255: Generational ZGC: ZPageSizeMedium should be set before MaxTenuringThreshold + - JDK-8322279: Generational ZGC: Use ZFragmentationLimit and ZYoungCompactionLimit as percentage instead of multiples + - JDK-8322282: Incorrect LoaderConstraintTable::add_entry after JDK-8298468 + - JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces + - JDK-8322417: Console read line with zero out should zero out when throwing exception + - JDK-8322418: Problem list gc/TestAllocHumongousFragment.java subtests for 8298781 + 
- JDK-8322512: StringBuffer.repeat does not work correctly after toString() was called + - JDK-8322583: RISC-V: Enable fast class initialization checks + - JDK-8322725: (tz) Update Timezone Data to 2023d + - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray + - JDK-8322772: Clean up code after JDK-8322417 + - JDK-8322783: prioritize /etc/os-release over /etc/SuSE-release in hs_err/info output + - JDK-8322790: RISC-V: Tune costs for shuffles with no conversion + - JDK-8322957: Generational ZGC: Relocation selection must join the STS + - JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + - JDK-8323021: Shenandoah: Encountered reference count always attributed to first worker thread + - JDK-8323065: Unneccesary CodeBlob lookup in CompiledIC::internal_set_ic_destination + - JDK-8323086: Shenandoah: Heap could be corrupted by oom during evacuation + - JDK-8323101: C2: assert(n->in(0) == nullptr) failed: divisions with zero check should already have bailed out earlier in split-if + - JDK-8323154: C2: assert(cmp != nullptr && cmp->Opcode() == Op_Cmp(bt)) failed: no exit test + - JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + - JDK-8323331: fix typo hpage_pdm_size + - JDK-8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled + - JDK-8323515: Create test alias "all" for all test roots + - JDK-8323637: Capture hotspot replay files in GHA + - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + - JDK-8323659: LinkedTransferQueue add and put methods call overridable offer + - JDK-8323664: java/awt/font/JNICheck/FreeTypeScalerJNICheck.java still fails with JNI warning on some Windows configurations + - JDK-8323667: Library debug files contain non-reproducible full gcc include paths + - JDK-8323671: DevKit build gcc 
libraries contain full paths to source location + - JDK-8323717: Introduce test keyword for tests that need external dependencies + - JDK-8323964: runtime/Thread/ThreadCountLimit.java fails intermittently on AIX + - JDK-8324050: Issue store-store barrier after re-materializing objects during deoptimization + - JDK-8324280: RISC-V: Incorrect implementation in VM_Version::parse_satp_mode + - JDK-8324347: Enable "maybe-uninitialized" warning for FreeType 2.13.1 + - JDK-8324514: ClassLoaderData::print_on should print address of class loader + - JDK-8324598: use mem_unit when working with sysinfo memory and swap related information + - JDK-8324637: [aix] Implement support for reporting swap space in jdk.management + - JDK-8324647: Invalid test group of lib-test after JDK-8323515 + - JDK-8324659: GHA: Generic jtreg errors are not reported + - JDK-8324753: [AIX] adjust os_posix after JDK-8318696 + - JDK-8324858: [vectorapi] Bounds checking issues when accessing memory segments + - JDK-8324874: AArch64: crypto pmull based CRC32/CRC32C intrinsics clobber V8-V15 registers + - JDK-8324937: GHA: Avoid multiple test suites per job + - JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 + - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing + - JDK-8325150: (tz) Update Timezone Data to 2024a + - JDK-8325194: GHA: Add macOS M1 testing + - JDK-8325254: CKA_TOKEN private and secret keys are not necessarily sensitive + - JDK-8325444: GHA: JDK-8325194 causes a regression + - JDK-8325470: [AIX] use fclose after fopen in read_psinfo + - JDK-8325496: Make TrimNativeHeapInterval a product switch + - JDK-8325672: C2: allocate PhaseIdealLoop::_loop_or_ctrl from C->comp_arena() + - JDK-8325876: crashes in docker container tests on Linuxppc64le Power8 machines + - JDK-8326000: Remove obsolete comments for class sun.security.ssl.SunJSSE + - JDK-8327391: Add SipHash attribution file + - JDK-8329838: [21u] 
Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.3
+
+Notes on individual issues:
+===========================
+
+tools/javac:
+
+JDK-8317300: Align `javac` with the Java Language Specification by Rejecting `final` in Record Patterns
+=======================================================================================================
+Java 21 enhanced the language with pattern matching for switch
+statements. However, the javac compiler released with OpenJDK 21
+allowed the 'final' keyword to be used in front of a record pattern
+(e.g. `case final R(...) ->`), which is a violation of the Java
+Language specification.
+
+With this release of OpenJDK 21, programs using `final` within a
+switch statement will now fail to compile. The erroneous keyword will
+need to be removed to allow the program to be compiled.
+
+security-libs/javax.xml.crypto:
+
+JDK-8319124: Update XML Security for Java to 3.0.3
+==================================================
+The XML signature implementation in OpenJDK 21 has been updated to
+Apache Santuario 3.0.3. This update introduces four new SHA-3 based
+RSA-MGF1 SignatureMethod algorithms.
+
+However, the API of javax.xml.crypto.dsig.SignatureMethod can not be
+changed in update releases to provide constants for these new
+algorithms. The equivalent string literals should be used as below:
+
+* SHA3_224_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1"
+* SHA3_256_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1"
+* SHA3_384_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1"
+* SHA3_512_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1"
+
+hotspot/runtime:
+
+JDK-8325496: Make TrimNativeHeapInterval a product switch
+=========================================================
+The option '-XX:TrimNativeHeapInterval=ms', where 'ms' is the interval
+in milliseconds, is now an official product switch.
It allows the
+virtual machine to trim the native heap at the specified interval on
+supported platforms (currently only Linux with glibc). A value of
+zero (the default) disables trimming.
+
+client-libs/java.awt:
+
+JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
+=======================================================================
+The java.awt.SystemTray API is used to interact with the system's
+desktop taskbar to provide notifications and may include an icon
+representing an application. The GNOME desktop's support for taskbar
+icons has not worked properly for several years, due to a platform
+bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
+desktops.
+
+Therefore, in accordance with the SystemTray API specification,
+java.awt.SystemTray.isSupported() will now return false on systems
+that exhibit this bug, which is assumed to be those running a version
+of GNOME Shell below 45.
+
+The impact of this change is likely to be minimal, as users of the
+SystemTray API should already be able to handle isSupported()
+returning false and the system tray on such platforms has already been
+unsupported for a number of years for all applications.
+
+security-libs/java.security:
+
+JDK-8321408: Added Certainly R1 and E1 Root Certificates
+========================================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Certainly
+Alias Name: certainlyrootr1
+Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US
+
+Name: Certainly
+Alias Name: certainlyroote1
+Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US
+
+hotspot/gc:
+
+JDK-8310031: Parallel: Precise Parallel Scanning of Large Object Arrays for Young Collection Roots
+==================================================================================================
+During the collection of young generation objects, the ParallelGC
+collector partitions the old generation into 64kB stripes to scan for
+references to the young generation. The stripes are assigned to worker
+threads to do the scanning in parallel.
+
+However, previous releases of OpenJDK 21 did not constrain these
+worker threads to their own stripe. Parallelism was limited as a
+single thread could end up scanning a large object with thousands of
+references across multiple stripes, if it happened to start in its
+allocated stripe. This also resulted in bad scaling, due to the
+subsequent memory sharing associated with multiple threads working on
+the same stripe.
+
+In this release, workers are limited to their stripe and only process
+interesting parts of large object arrays. Pauses for the ParallelGC
+collector are now on par with the G1 collector when large object
+arrays are present, reducing pause times by four to five times in some
+cases.
+
+JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11
+==================================================================================================
+Running the virtual machine with `-XX:+UseZGC` and a non-default value
+of `-XX:ObjectAlignmentInBytes` had the potential to crash or perform
+incorrect execution.
This was due to `ZBarrierSet::clone_obj_array`
+not taking into account padding words at the end of an ObjArray. This
+has now been rectified in this release.
+
+New in release OpenJDK 21.0.2 (2024-01-16):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk2102
+
+* CVEs
+ - CVE-2024-20918
+ - CVE-2024-20919
+ - CVE-2024-20921
+ - CVE-2024-20945
+ - CVE-2024-20952
+* Security fixes
+ - JDK-8308204: Enhanced certificate processing
+ - JDK-8314295: Enhance verification of verifier
+ - JDK-8314307: Improve loop handling
+ - JDK-8314468: Improve Compiler loops
+ - JDK-8316976: Improve signature handling
+ - JDK-8317547: Enhance TLS connection support
+* Other changes
+ - JDK-8038244: (fs) Check return value of malloc in Java_sun_nio_fs_AixNativeDispatcher_getmntctl()
+ - JDK-8161536: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with ProviderException
+ - JDK-8219652: [aix] Tests failing with JNI attach problems.
+ - JDK-8225377: type annotations are not visible to javac plugins across compilation boundaries
+ - JDK-8232839: JDI AfterThreadDeathTest.java failed due to "FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()"
+ - JDK-8267502: JDK-8246677 caused 16x performance regression in SynchronousQueue
+ - JDK-8267509: Improve IllegalAccessException message to include the cause of the exception
+ - JDK-8268916: Tests for AffirmTrust roots
+ - JDK-8286757: adlc tries to build with /pathmap but without /experimental:deterministic
+ - JDK-8294156: Allow PassFailJFrame.Builder to create test UI
+ - JDK-8294158: HTML formatting for PassFailJFrame instructions
+ - JDK-8294427: Check boxes and radio buttons have rendering issues on Windows in High DPI env
+ - JDK-8294535: Add screen capture functionality to PassFailJFrame
+ - JDK-8295068: SSLEngine throws NPE parsing CertificateRequests
+ - JDK-8295555: Primitive wrapper caches could be `@Stable`
+ - JDK-8299614: Shenandoah: STW mark should keep nmethod/oops referenced from stack chunk alive
+ - JDK-8300663: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=true i=0 j=1"
+ - JDK-8301247: JPackage app-image exe launches multiple exe's in JDK 17+
+ - JDK-8301341: LinkedTransferQueue does not respect timeout for poll()
+ - JDK-8301457: Code in SendPortZero.java is uncommented even after JDK-8236852 was fixed
+ - JDK-8301489: C1: ShortLoopOptimizer might lift instructions before their inputs
+ - JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library
+ - JDK-8303737: C2: Load can bypass subtype check that enforces it's from the right object type
+ - JDK-8306561: Possible out of bounds access in print_pointer_information
+ - JDK-8308103: Massive (up to ~30x) increase in C2 compilation time since JDK 17
+ - JDK-8308452: Extend internal Architecture enum with byte order and address size
+ - JDK-8308479: [s390x] Implement alternative
fast-locking scheme
+ - JDK-8308592: Framework for CA interoperability testing
+ - JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows
+ - JDK-8309209: C2 failed "assert(_stack_guard_state == stack_guard_reserved_disabled) failed: inconsistent state"
+ - JDK-8309305: sun/security/ssl/SSLSocketImpl/BlockedAsyncClose.java fails with jtreg test timeout
+ - JDK-8309545: Thread.interrupted from virtual thread needlessly resets interrupt status
+ - JDK-8309663: test fails "assert(check_alignment(result)) failed: address not aligned: 0x00000008baadbabe"
+ - JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory
+ - JDK-8309974: some JVMCI tests fail when VM options include -XX:+EnableJVMCI
+ - JDK-8310239: Add missing cross modifying fence in nmethod entry barriers
+ - JDK-8310512: Cleanup indentation in jfc files
+ - JDK-8310596: Utilize existing method frame::interpreter_frame_monitor_size_in_bytes()
+ - JDK-8310982: jdk/internal/util/ArchTest.java fails after JDK-8308452 failed with Method isARM()
+ - JDK-8311261: [AIX] TestAlwaysPreTouchStacks.java fails due to java.lang.RuntimeException: Did not find expected NMT output
+ - JDK-8311514: Incorrect regex in TestMetaSpaceLog.java
+ - JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java
+ - JDK-8311591: Add SystemModulesPlugin test case that splits module descriptors with new local variables defined by DedupSetBuilder
+ - JDK-8311630: [s390] Implementation of Foreign Function & Memory API (Preview)
+ - JDK-8311631: When multiple users run tools/jpackage/share/LicenseTest.java, Permission denied for writing /var/tmp/*.files
+ - JDK-8311680: Update the release version after forking Oct CPU23_10
+ - JDK-8311681: Update the Jan CPU24_01 release date in master branch after forking Oct CPU23_10
+ - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
+ - JDK-8311938: Add default cups include location for configure on AIX
+ - JDK-8312078: [PPC] JcmdScale.java Failing
on AIX
+ - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
+ - JDK-8312166: (dc) DatagramChannel's socket adaptor does not release carrier thread when blocking in receive
+ - JDK-8312174: missing JVMTI events from vthreads parked during JVMTI attach
+ - JDK-8312191: ColorConvertOp.filter for the default destination is too slow
+ - JDK-8312433: HttpClient request fails due to connection being considered idle and closed
+ - JDK-8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"
+ - JDK-8312440: assert(cast != nullptr) failed: must have added a cast to pin the node
+ - JDK-8312466: /bin/nm usage in AIX makes needs -X64 flag
+ - JDK-8312467: relax the builddir check in make/autoconf/basic.m4
+ - JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 update
+ - JDK-8312612: handle WideCharToMultiByte return values
+ - JDK-8313164: src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp GetRGBPixels adjust releasing of resources
+ - JDK-8313167: Update to use jtreg 7.3
+ - JDK-8313206: PKCS11 tests silently skip execution
+ - JDK-8313244: NM flags handling in configure process
+ - JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns
+ - JDK-8313322: RISC-V: implement MD5 intrinsic
+ - JDK-8313368: (fc) FileChannel.size returns 0 on block special files
+ - JDK-8313575: Refactor PKCS11Test tests
+ - JDK-8313616: support loading library members on AIX in os::dll_load
+ - JDK-8313643: Update HarfBuzz to 8.2.2
+ - JDK-8313656: assert(!JvmtiExport::can_support_virtual_threads()) with -XX:-DoJVMTIVirtualThreadTransitions
+ - JDK-8313756: [BACKOUT] 8308682: Enhance AES performance
+ - JDK-8313760: [REDO] Enhance AES performance
+ - JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic
+ - JDK-8313781: Add regression tests for large page logging and user-facing error messages
+ - JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used
+ - JDK-8313792:
Verify 4th party information in src/jdk.internal.le/share/legal/jline.md
+ - JDK-8313873: java/nio/channels/DatagramChannel/SendReceiveMaxSize.java fails on AIX due to small default RCVBUF size and different IPv6 Header interpretation
+ - JDK-8314045: ArithmeticException in GaloisCounterMode
+ - JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on Windows when run as user with Administrator privileges
+ - JDK-8314120: Add tests for FileDescriptor.sync
+ - JDK-8314121: test tools/jpackage/share/RuntimePackageTest.java#id0 fails on RHEL8
+ - JDK-8314191: C2 compilation fails with "bad AD file"
+ - JDK-8314226: Series of colon-style fallthrough switch cases with guards compiled incorrectly
+ - JDK-8314242: Update applications/scimark/Scimark.java to accept VM flags
+ - JDK-8314246: javax/swing/JToolBar/4529206/bug4529206.java fails intermittently on Linux
+ - JDK-8314263: Signed jars triggering Logger finder recursion and StackOverflowError
+ - JDK-8314330: java/foreign tests should respect vm flags when start new processes
+ - JDK-8314476: TestJstatdPortAndServer.java failed with "java.rmi.NoSuchObjectException: no such object in table"
+ - JDK-8314495: Update to use jtreg 7.3.1
+ - JDK-8314551: More generic way to handshake GC threads with monitor deflation
+ - JDK-8314580: PhaseIdealLoop::transform_long_range_checks fails with assert "was tested before"
+ - JDK-8314632: Intra-case dominance check fails in the presence of a guard
+ - JDK-8314759: VirtualThread.parkNanos timeout adjustment when pinned should be replaced
+ - JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case
+ - JDK-8314935: Shenandoah: Unable to throw OOME on back-to-back Full GCs
+ - JDK-8315026: ProcessHandle implementation listing processes on AIX should use getprocs64
+ - JDK-8315062: [GHA] get-bootjdk action should return the abolute path
+ - JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index))
+ - JDK-8315088: C2: assert(wq.size() - before == EMPTY_LOOP_SIZE) failed: expect the EMPTY_LOOP_SIZE nodes of this body if empty
+ - JDK-8315195: RISC-V: Update hwprobe query for new extensions
+ - JDK-8315206: RISC-V: hwprobe query is_set return wrong value
+ - JDK-8315213: java/lang/ProcessHandle/TreeTest.java test enhance output of children
+ - JDK-8315214: Do not run sun/tools/jhsdb tests concurrently
+ - JDK-8315362: NMT: summary diff reports threads count incorrectly
+ - JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes?
+ - JDK-8315383: jlink SystemModulesPlugin incorrectly parses the options
+ - JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases
+ - JDK-8315437: Enable parallelism in vmTestbase/nsk/monitoring/stress/classload tests
+ - JDK-8315442: Enable parallelism in vmTestbase/nsk/monitoring/stress/thread tests
+ - JDK-8315452: Erroneous AST missing modifiers for partial input
+ - JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen
+ - JDK-8315545: C1: x86 cmove can use short branches
+ - JDK-8315549: CITime misreports code/total nmethod sizes
+ - JDK-8315554: C1: Replace "cmp reg, 0" with "test reg, reg" on x86
+ - JDK-8315578: PPC builds are broken after JDK-8304913
+ - JDK-8315579: SPARC64 builds are broken after JDK-8304913
+ - JDK-8315606: Open source few swing text/html tests
+ - JDK-8315612: RISC-V: intrinsic for unsignedMultiplyHigh
+ - JDK-8315644: increase timeout of sun/security/tools/jarsigner/Warning.java
+ - JDK-8315651: Stop hiding AIX specific multicast socket errors via NetworkConfiguration (aix)
+ - JDK-8315683: Parallelize java/util/concurrent/tck/JSR166TestCase.java
+ - JDK-8315684: Parallelize sun/security/util/math/TestIntegerModuloP.java
+ - JDK-8315688: Update jdk21u fix version to 21.0.2
+ - JDK-8315692: Parallelize gc/stress/TestStressRSetCoarsening.java test
+ - JDK-8315696: SignedLoggerFinderTest.java test failed
+
- JDK-8315702: jcmd Thread.dump_to_file slow with millions of virtual threads
+ - JDK-8315706: com/sun/tools/attach/warnings/DynamicLoadWarningTest.java real fix for failure on AIX
+ - JDK-8315735: VerifyError when switch statement used with synchronized block
+ - JDK-8315751: RandomTestBsi1999 fails often with timeouts on Linux ppc64le
+ - JDK-8315766: Parallelize gc/stress/TestStressIHOPMultiThread.java test
+ - JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java should run with -XX:-VerifyDependencies
+ - JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading tests
+ - JDK-8315863: [GHA] Update checkout action to use v4
+ - JDK-8315869: UseHeavyMonitors not used
+ - JDK-8315920: C2: "control input must dominate current control" assert failure
+ - JDK-8315931: RISC-V: xxxMaxVectorTestsSmokeTest fails when using RVV
+ - JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test
+ - JDK-8315937: Enable parallelism in vmTestbase/nsk/stress/numeric tests
+ - JDK-8315942: Sort platform enums and definitions after JDK-8304913 follow-ups
+ - JDK-8315960: test/jdk/java/io/File/TempDirDoesNotExist.java leaves test files behind
+ - JDK-8315971: ProblemList containers/docker/TestMemoryAwareness.java on linux-all
+ - JDK-8316003: Update FileChooserSymLinkTest.java to HTML instructions
+ - JDK-8316017: Refactor timeout handler in PassFailJFrame
+ - JDK-8316025: Use testUI() method of PassFailJFrame.Builder in FileChooserSymLinkTest.java
+ - JDK-8316030: Update Libpng to 1.6.40
+ - JDK-8316031: SSLFlowDelegate should not log from synchronized block
+ - JDK-8316060: test/hotspot/jtreg/runtime/reflect/ReflectOutOfMemoryError.java may fail if heap is huge
+ - JDK-8316087: Test SignedLoggerFinderTest.java is still failing
+ - JDK-8316113: Infinite permission checking loop in java/net/spi/InetAddressResolverProvider/RuntimePermissionTest
+ - JDK-8316123: ProblemList serviceability/dcmd/gc/RunFinalizationTest.java on AIX
+ - JDK-8316130: Incorrect control in
LibraryCallKit::inline_native_notify_jvmti_funcs
+ - JDK-8316142: Enable parallelism in vmTestbase/nsk/monitoring/stress/lowmem tests
+ - JDK-8316156: ByteArrayInputStream.transferTo causes MaxDirectMemorySize overflow
+ - JDK-8316178: Better diagnostic header for CodeBlobs
+ - JDK-8316179: Use consistent naming for lightweight locking in MacroAssembler
+ - JDK-8316181: Move the fast locking implementation out of the .ad files
+ - JDK-8316199: Remove sun/tools/jstatd/TestJstatd* tests from problemlist for Windows.
+ - JDK-8316206: Test StretchedFontTest.java fails for Baekmuk font
+ - JDK-8316304: (fs) Add support for BasicFileAttributes.creationTime() for Linux
+ - JDK-8316337: (bf) Concurrency issue in DirectByteBuffer.Deallocator
+ - JDK-8316341: sun/security/pkcs11/PKCS11Test.java needs adjustment on Linux ppc64le Ubuntu 22
+ - JDK-8316387: Exclude more failing multicast tests on AIX after JDK-8315651
+ - JDK-8316396: Endless loop in C2 compilation triggered by AddNode::IdealIL
+ - JDK-8316399: Exclude java/net/MulticastSocket/Promiscuous.java on AIX
+ - JDK-8316400: Exclude jdk/jfr/event/runtime/TestResidentSetSizeEvent.java on AIX
+ - JDK-8316401: sun/tools/jhsdb/JStackStressTest.java failed with "InternalError: We should have found a thread that owns the anonymous lock"
+ - JDK-8316411: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with force inline by CompileCommand missing
+ - JDK-8316414: C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86
+ - JDK-8316415: Parallelize sun/security/rsa/SignedObjectChain.java subtests
+ - JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java get OOM killed with Parallel GC
+ - JDK-8316436: ContinuationWrapper uses unhandled nullptr oop
+ - JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit
+ - JDK-8316468: os::write incorrectly handles partial write
+ - JDK-8316514: Better diagnostic header for VtableStub
+ -
JDK-8316540: StoreReproducibilityTest fails on some locales
+ - JDK-8316566: RISC-V: Zero extended narrow oop passed to Atomic::cmpxchg
+ - JDK-8316581: Improve performance of Symbol::print_value_on()
+ - JDK-8316585: [REDO] runtime/InvocationTests spend a lot of time on dependency verification
+ - JDK-8316645: RISC-V: Remove dependency on libatomic by adding cmpxchg 1b
+ - JDK-8316648: jrt-fs.jar classes not reproducible between standard and bootcycle builds
+ - JDK-8316659: assert(LockingMode != LM_LIGHTWEIGHT || flag == CCR0) failed: bad condition register
+ - JDK-8316671: sun/security/ssl/SSLSocketImpl/SSLSocketCloseHang.java test fails intermittent with Read timed out
+ - JDK-8316679: C2 SuperWord: wrong result, load should not be moved before store if not comparable
+ - JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java
+ - JDK-8316719: C2 compilation still fails with "bad AD file"
+ - JDK-8316735: Print LockStack in hs_err files
+ - JDK-8316741: BasicStroke.createStrokedShape miter-limits failing on small shapes
+ - JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic option result to warning
+ - JDK-8316746: Top of lock-stack does not match the unlocked object
+ - JDK-8316778: test hprof lib: invalid array element type from JavaValueArray.elementSize
+ - JDK-8316859: RISC-V: Disable detection of V through HWCAP
+ - JDK-8316879: RegionMatches1Tests fails if CompactStrings are disabled after JDK-8302163
+ - JDK-8316880: AArch64: "stop: Header is not fast-locked" with -XX:-UseLSE since JDK-8315880
+ - JDK-8316894: make test TEST="jtreg:test/jdk/..."
fails on AIX
+ - JDK-8316906: Clarify TLABWasteTargetPercent flag
+ - JDK-8316929: Shenandoah: Shenandoah degenerated GC and full GC need to cleanup old OopMapCache entries
+ - JDK-8316933: RISC-V: compiler/vectorapi/VectorCastShape128Test.java fails when using RVV
+ - JDK-8316935: [s390x] Use consistent naming for lightweight locking in MacroAssembler
+ - JDK-8316958: Add test for unstructured locking
+ - JDK-8316967: Correct the scope of vmtimer in UnregisteredClasses::load_class
+ - JDK-8317039: Enable specifying the JDK used to run jtreg
+ - JDK-8317136: [AIX] Problem List runtime/jni/terminatedThread/TestTerminatedThread.java
+ - JDK-8317257: RISC-V: llvm build broken
+ - JDK-8317262: LockStack::contains(oop) fails "assert(t->is_Java_thread()) failed: incorrect cast to JavaThread"
+ - JDK-8317294: Classloading throws exceptions over already pending exceptions
+ - JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js
+ - JDK-8317331: Solaris build failed with "declaration can not follow a statement (E_DECLARATION_IN_CODE)"
+ - JDK-8317335: Build on windows fails after 8316645
+ - JDK-8317336: Assertion error thrown during 'this' escape analysis
+ - JDK-8317340: Windows builds are not reproducible if MS VS compiler install path differs
+ - JDK-8317373: Add Telia Root CA v2
+ - JDK-8317374: Add Let's Encrypt ISRG Root X2
+ - JDK-8317439: Updating RE Configs for BUILD REQUEST 21.0.2+1
+ - JDK-8317507: C2 compilation fails with "Exceeded _node_regs array"
+ - JDK-8317510: Change Windows debug symbol files naming to avoid losing info when an executable and a library share the same name
+ - JDK-8317581: [s390x] Multiple test failure with LockingMode=2
+ - JDK-8317601: Windows build on WSL broken after JDK-8317340
+ - JDK-8317603: Improve exception messages thrown by sun.nio.ch.Net native methods (win)
+ - JDK-8317692: jcmd GC.heap_dump performance regression after JDK-8292818
+ - JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh on linux-ppc64le and aix
due to JDK-8248691
+ - JDK-8317706: Exclude java/awt/Graphics2D/DrawString/RotTransText.java on linux
+ - JDK-8317711: Exclude gtest/GTestWrapper.java on AIX
+ - JDK-8317736: Stream::handleReset locks twice
+ - JDK-8317751: ProblemList ConsumeForModalDialogTest.java, MenuItemActivatedTest.java & MouseModifiersUnitTest_Standard.java for windows
+ - JDK-8317772: NMT: Make peak values available in release builds
+ - JDK-8317790: Fix Bug entry for exclusion of runtime/jni/terminatedThread/TestTerminatedThread.java on AIX
+ - JDK-8317803: Exclude java/net/Socket/asyncClose/Race.java on AIX
+ - JDK-8317807: JAVA_FLAGS removed from jtreg running in JDK-8317039
+ - JDK-8317818: Combinatorial explosion during 'this' escape analysis
+ - JDK-8317834: java/lang/Thread/IsAlive.java timed out
+ - JDK-8317839: Exclude java/nio/channels/Channels/SocketChannelStreams.java on AIX
+ - JDK-8317920: JDWP-agent sends broken exception event with onthrow option
+ - JDK-8317959: Check return values of malloc in native java.base coding
+ - JDK-8317964: java/awt/Mouse/MouseModifiersUnitTest/MouseModifiersUnitTest_Standard.java fails on macosx-all after JDK-8317751
+ - JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to handle default cases
+ - JDK-8317987: C2 recompilations cause high memory footprint
+ - JDK-8318078: ADLC: pass ASSERT and PRODUCT flags
+ - JDK-8318089: Class space not marked as such with NMT when CDS is off
+ - JDK-8318137: Change milestone to fcs for all releases
+ - JDK-8318144: Match on enum constants with body compiles but fails with MatchException
+ - JDK-8318183: C2: VM may crash after hitting node limit
+ - JDK-8318240: [AIX] Cleaners.java test failure
+ - JDK-8318415: Adjust describing comment of os_getChildren after 8315026
+ - JDK-8318474: Fix memory reporter for thread_count
+ - JDK-8318525: Atomic gtest should run as TEST_VM to access VM capabilities
+ - JDK-8318528: Rename TestUnstructuredLocking test
+ - JDK-8318540: make test
cannot run .jasm tests directly
+ - JDK-8318562: Computational test more than 2x slower when AVX instructions are used
+ - JDK-8318587: refresh libraries cache on AIX in print_vm_info
+ - JDK-8318591: avoid leaks in loadlib_aix.cpp reload_table()
+ - JDK-8318669: Target OS detection in 'test-prebuilt' makefile target is incorrect when running on MSYS2
+ - JDK-8318705: [macos] ProblemList java/rmi/registry/multipleRegistries/MultipleRegistries.java
+ - JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with "transport error 202: bind failed: Address already in use"
+ - JDK-8318759: Add four DigiCert root certificates
+ - JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late
+ - JDK-8318895: Deoptimization results in incorrect lightweight locking stack
+ - JDK-8318951: Additional negative value check in JPEG decoding
+ - JDK-8318953: RISC-V: Small refactoring for MacroAssembler::test_bit
+ - JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return
+ - JDK-8318957: enhance agentlib:jdwp help output by info about allow option
+ - JDK-8318961: increase javacserver connection timeout values and max retry attempts
+ - JDK-8318981: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with 'disallowed by CompileCommand' missing from stdout/stderr
+ - JDK-8319104: GtestWrapper crashes with SIGILL in AsyncLogTest::test_asynclog_raw on AIX opt
+ - JDK-8319120: Unbound ScopedValue.get() throws the wrong exception
+ - JDK-8319184: RISC-V: improve MD5 intrinsic
+ - JDK-8319187: Add three eMudhra emSign roots
+ - JDK-8319195: Move most tier 1 vector API regression tests to tier 3
+ - JDK-8319268: Build failure with GCC8.3.1 after 8313643
+ - JDK-8319339: Internal error on spurious markup in a hybrid snippet
+ - JDK-8319436: Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader
+ - JDK-8319525: RISC-V: Rename *_riscv64.ad files to
*_riscv.ad under riscv/gc
+ - JDK-8319532: jshell - Non-sealed declarations sometimes break a snippet evaluation
+ - JDK-8319542: Fix boundaries of region to be tested with os::is_readable_range
+ - JDK-8319700: [AArch64] C2 compilation fails with "Field too big for insn"
+ - JDK-8319828: runtime/NMT/VirtualAllocCommitMerge.java may fail if mixing interpreted and compiled native invocations
+ - JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21
+ - JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not compile on Windows 32-bit
+ - JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks
+ - JDK-8320001: javac crashes while adding type annotations to the return type of a constructor
+ - JDK-8320053: GHA: Cross-compile gtest code
+ - JDK-8320209: VectorMaskGen clobbers rflags on x86_64
+ - JDK-8320280: RISC-V: Avoid passing t0 as temp register to MacroAssembler::lightweight_lock/unlock
+ - JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity
+ - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
+ - JDK-8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all
+ - JDK-8321067: Unlock experimental options in EATests.java
+ - JDK-8322883: [BACKOUT] 8225377: type annotations are not visible to javac plugins across compilation boundaries
+ - JDK-8322985: [BACKOUT] 8318562: Computational test more than 2x slower when AVX instructions are used
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows
+======================================================================
+On Windows 10 version 1709 and above, TCP_KEEPIDLE and
+TCP_KEEPINTERVAL are now supported in the
+java.net.ExtendedSocketOptions class. Similarly, on Windows 10
+version 1703 and above, TCP_KEEPCOUNT is now supported.
+
+hotspot/compiler:
+
+JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index))
+=================================================================================================
+In the initial release of JDK 21, running the JVM with -XX:+UseZGC and
+a non-default value of -XX:ObjectAlignmentInBytes could lead to JVM
+crashes or incorrect execution. This issue should now be resolved and
+it should be possible to use these options again.
+
+hotspot/runtime:
+
+JDK-8317772: NMT: Make peak values available in release builds
+==============================================================
+The peak value is the highest value for committed memory in a given
+Native Memory Tracking (NMT) category over the lifetime of the JVM
+process. NMT reports will now show the peak value for all categories.
+
+If the committed memory for a category is at its peak, NMT will
+print "at peak". Otherwise, it prints the peak value.
+
+For example, "Compiler (arena=196KB #4) (peak=6126KB #16)" shows that
+compiler arena memory peaked above 6 MB, but now hovers around 200KB.
+
+JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used
+===========================================================================
+On Linux, the JVM will now print the following message to standard
+output if Transparent Huge Pages (THPs) are requested, but are not
+supported on the operating system:
+
+"UseTransparentHugePages disabled; transparent huge pages are not
+supported by the operating system."
+
+security-libs/java.security:
+
+JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
+=================================================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Let's Encrypt
+Alias Name: letsencryptisrgx2
+Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
+
+JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
+=============================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: DigiCert, Inc.
+Alias Name: digicertcseccrootg5
+Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicertcsrsarootg5
+Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicerttlseccrootg5
+Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicerttlsrsarootg5
+Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+
+JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
+============================================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: eMudhra Technologies Limited
+Alias Name: emsignrootcag1
+Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+Name: eMudhra Technologies Limited
+Alias Name: emsigneccrootcag3
+Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+Name: eMudhra Technologies Limited
+Alias Name: emsignrootcag2
+Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+JDK-8317373: Added Telia Root CA v2 Certificate
+===============================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Telia Root CA v2
+Alias Name: teliarootcav2
+Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
+
+New in release OpenJDK 21.0.1 (2023-10-17):
+===========================================
+
+* CVEs
+ - CVE-2023-22081
+ - CVE-2023-22025
+* Security fixes
+ - JDK-8286503, JDK-8312367: Enhance security classes
+ - JDK-8296581: Better system proxy support
+ - JDK-8297856: Improve
handling of Bidi characters + - JDK-8309966: Enhanced TLS connections + - JDK-8312248: Enhanced archival support redux + - JDK-8314649: Enhanced archival support redux + - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 +* Other changes + - JDK-8240567: MethodTooLargeException thrown while creating a jlink image + - JDK-8284772: GHA: Use GCC Major Version Dependencies Only + - JDK-8293114: JVM should trim the native heap + - JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8303815: Improve Metaspace test speed + - JDK-8304954: SegmentedCodeCache fails when using large pages + - JDK-8307766: Linux: Provide the option to override the timer slack + - JDK-8308042: [macos] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters + - JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java timed out and also had jcmd pipe errors + - JDK-8308184: Launching java with large number of jars in classpath with java.protocol.handler.pkgs system property set can lead to StackOverflowError + - JDK-8308474: DSA does not reset SecureRandom when initSign is called again + - JDK-8308609: java/lang/ScopedValue/StressStackOverflow.java fails with "-XX:-VMContinuations" + - JDK-8309032: jpackage does not work for module projects unless --module-path is specified + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8309214: sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154 + - JDK-8309475: Test java/foreign/TestByteBuffer.java fails: a problem with msync (aix) + - JDK-8309502: RISC-V: String.indexOf intrinsic may produce misaligned memory loads + - JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level + - JDK-8309746: Reconfigure check should include make/conf/version-numbers.conf + - JDK-8309889: [s390] 
Missing return statement after calling jump_to_native_invoker method in generate_method_handle_dispatch. + - JDK-8310106: sun.security.ssl.SSLHandshake.getHandshakeProducer() incorrectly checks handshakeConsumers + - JDK-8310171: Bump version numbers for 21.0.1 + - JDK-8310211: serviceability/jvmti/thread/GetStackTrace/getstacktr03/getstacktr03.java failing + - JDK-8310233: Fix THP detection on Linux + - JDK-8310268: RISC-V: misaligned memory access in String.Compare intrinsic + - JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose + - JDK-8310586: ProblemList java/lang/ScopedValue/StressStackOverflow.java#default with virtual threads on linux-all + - JDK-8310687: JDK-8303215 is incomplete + - JDK-8310873: Re-enable locked_create_entry symbol check in runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V + - JDK-8311026: Some G1 specific tests do not set -XX:+UseG1GC + - JDK-8311033: [macos] PrinterJob does not take into account Sides attribute + - JDK-8311160: [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem + - JDK-8311249: Remove unused MemAllocator::obj_memory_range + - JDK-8311285: report some fontconfig related environment variables in hs_err file + - JDK-8311511: Improve description of NativeLibrary JFR event + - JDK-8311592: ECKeySizeParameterSpec causes too many exceptions on third party providers + - JDK-8311682: Change milestone to fcs for all releases + - JDK-8311862: RISC-V: small improvements to shift immediate instructions + - JDK-8311917: MAP_FAILED definition seems to be obsolete in src/java.desktop/unix/native/common/awt/fontpath.c + - JDK-8311921: Inform about MaxExpectedDataSegmentSize in case of pthread_create failures on AIX + - JDK-8311923: TestIRMatching.java fails on RISC-V + - JDK-8311926: java/lang/ScopedValue/StressStackOverflow.java takes 9mins in tier1 + - JDK-8311955: c++filt is now ibm-llvm-cxxfilt when using xlc17 / clang on AIX + - JDK-8311981: Test 
gc/stringdedup/TestStringDeduplicationAgeThreshold.java#ZGenerational timed out + - JDK-8312127: FileDescriptor.sync should temporarily increase parallelism + - JDK-8312180: (bf) MappedMemoryUtils passes incorrect arguments to msync (aix) + - JDK-8312182: THPs cause huge RSS due to thread start timing issue + - JDK-8312394: [linux] SIGSEGV if kernel was built without hugepage support + - JDK-8312395: Improve assertions in growableArray + - JDK-8312401: SymbolTable::do_add_if_needed hangs when called in InstanceKlass::add_initialization_error path with requesting length exceeds max_symbol_length + - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312525: New test runtime/os/TestTrimNative.java#trimNative is failing: did not see the expected RSS reduction + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1) + - JDK-8312573: Failure during CompileOnly parsing leads to ShouldNotReachHere + - JDK-8312585: Rename DisableTHPStackMitigation flag to THPStackMitigation + - JDK-8312591: GCC 6 build failure after JDK-8280982 + - JDK-8312619: Strange error message when switching over long + - JDK-8312620: WSL Linux build crashes after JDK-8310233 + - JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java failed: RSS use increased + - JDK-8312909: C1 should not inline through interface calls with non-subtype receiver + - JDK-8312976: MatchResult produces StringIndexOutOfBoundsException for groups outside match + - JDK-8312984: javac may crash on a record pattern with too few components + - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + - JDK-8313248: C2: setScopedValueCache intrinsic exposes nullptr pre-values to store barriers + - JDK-8313262: C2: Sinking node may cause required cast to be dropped + - JDK-8313307: 
java/util/Formatter/Padding.java fails on some Locales + - JDK-8313312: Add missing classpath exception copyright header + - JDK-8313323: javac -g on a java file which uses unnamed variable leads to ClassFormatError when launching that class + - JDK-8313402: C1: Incorrect LoadIndexed value numbering + - JDK-8313428: GHA: Bump GCC versions for July 2023 updates + - JDK-8313576: GCC 7 reports compiler warning in bundled freetype 2.13.0 + - JDK-8313602: increase timeout for jdk/classfile/CorpusTest.java + - JDK-8313626: C2 crash due to unexpected exception control flow + - JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors + - JDK-8313676: Amend TestLoadIndexedMismatch test to target intrinsic directly + - JDK-8313678: SymbolTable can leak Symbols during cleanup + - JDK-8313691: use close after failing os::fdopen in vmError and ciEnv + - JDK-8313701: GHA: RISC-V should use the official repository for bootstrap + - JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase + - JDK-8313752: InstanceKlassFlags::print_on doesn't print the flag names + - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) + - JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer + - JDK-8313874: JNI NewWeakGlobalRef throws exception for null arg + - JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/CodeCacheFullCountTest.java fails with java.lang.VirtualMachineError + - JDK-8313904: [macos] All signing tests which verifies unsigned app images are failing + - JDK-8314020: Print instruction blocks in byte units + - JDK-8314024: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info + - JDK-8314063: The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection + - JDK-8314117: RISC-V: Incorrect VMReg encoding in RISCV64Frame.java + - JDK-8314118: Update JMH devkit to 1.37 + - JDK-8314139: TEST_BUG: 
runtime/os/THPsInThreadStackPreventionTest.java could fail on machine with large number of cores + - JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + - JDK-8314216: Case enumConstant, pattern compilation fails + - JDK-8314262: GHA: Cut down cross-compilation sysroots deeper + - JDK-8314423: Multiple patterns without unnamed variables + - JDK-8314426: runtime/os/TestTrimNative.java is failing on slow machines + - JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/JMapHeapConfigTest.java fails + - JDK-8314517: some tests fail in case ipv6 is disabled on the machine + - JDK-8314618: RISC-V: -XX:MaxVectorSize does not work as expected + - JDK-8314656: GHA: No need for Debian ports keyring installation after JDK-8313701 + - JDK-8314679: SA fails to properly attach to JVM after having just detached from a different JVM + - JDK-8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev + - JDK-8314850: SharedRuntime::handle_wrong_method() gets called too often when resolving Continuation.enter + - JDK-8314960: Add Certigna Root CA - 2 + - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate. + - JDK-8315051: jdk/jfr/jvm/TestGetEventWriter.java fails with non-JVMCI GCs + - JDK-8315534: Incorrect warnings about implicit annotation processing + +Notes on individual issues: +=========================== + +core-libs/java.util.jar: + +JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) +===================================================================== +Additional validity checks in the handling of Zip64 files, +JDK-8302483, introduced in 21.0.0, caused the use of some valid zip +files to now fail with the error, `Invalid CEN header (invalid zip64 +extra data field size)` + +This release, 21.0.1, allows for zero length headers and additional +padding produced by some Zip64 creation tools. 
+ +The following third party tools have also released patches to better +adhere to the ZIP File Format Specification: + +* Apache Commons Compress fix for Empty CEN Zip64 Extra Headers fixed in Commons Compress release 1.11 +* Apache Ant fix for Empty CEN Zip64 Extra Headers fixed in Ant 1.10.14 +* BND issue with writing invalid Extra Headers fixed in BND 5.3 + +The maven-bundle-plugin 5.1.5 includes the BND 5.3 patch. + +If these improved validation checks cause issues for deployed zip or +jar files, check how the file was created and whether patches are +available from the generating software to resolve the issue. With +both JDK releases, the checks can be disabled by setting the new +system property, `jdk.util.zip.disableZip64ExtraFieldValidation` to +`true`. + +hotspot/runtime: + +JDK-8311981: JVM May Hang When Using Generational ZGC if a VM Handshake Stalls on Memory +======================================================================================== +The JVM can hang under an uncommon condition that involves the JVM +running out of heap memory, the GC just starting a relocation phase to +reclaim memory, and a JVM thread-local Handshake asking to relocate an +object. This potential deadlock should now be avoided in this +release. + +core-libs/java.util.regex: + +JDK-8312976: `java.util.regex.MatchResult` Might Throw `StringIndexOutOfBoundsException` on Regex Patterns Containing Lookaheads and Lookbehinds +================================================================================================================================================ +JDK-8132995 introduced an unintended regression when using instances +returned by `java.util.regex.Matcher.toMatchResult()`. + +This regression happens with a `java.util.regex.Pattern`s containing +lookaheads and lookbehinds that, in turn, contain groups. If these are +located outside the match, a `StringIndexOutOfBoundsException` is +thrown when accessing these groups. See JDK-8312976 for an example. 
+ +The issue is resolved in this release by calculating a minimum start +location as part of the match result and using this in constructing +String objects, rather than the location of the first match. + +JDK-8314960: Added Certigna Root CA Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR + +JDK-8312489: Increase Default Value of the System Property `jdk.jar.maxSignatureFileSize` +========================================================================================= +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 21.0.0 release of OpenJDK by JDK-8300596 to +control the maximum size of signature files in a signed JAR. The +default value of 8MB proved to be too small for some JAR files. This +release, 21.0.1, increases it to 16MB. + +New in release OpenJDK 21.0.0 (2023-09-XX): +=========================================== +Major changes are listed below. Some changes may have been backported +to earlier releases following their first appearance in OpenJDK 18 +through to 21. + +NEW FEATURES +============ + +Language Features +================= + +Pattern Matching for switch +=========================== +https://openjdk.org/jeps/406 +https://openjdk.org/jeps/420 +https://openjdk.org/jeps/427 +https://openjdk.org/jeps/433 +https://openjdk.org/jeps/441 + +Enhance the Java programming language with pattern matching for +`switch` expressions and statements, along with extensions to the +language of patterns. Extending pattern matching to `switch` allows an +expression to be tested against a number of patterns, each with a +specific action, so that complex data-oriented queries can be +expressed concisely and safely. 
+ +This was a preview feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 17 (JEP 406), which saw a second preview in +OpenJDK 18 (JEP 420), a third in OpenJDK 19 (JEP 427) and a fourth +(JEP 427) in OpenJDK 20. It became final with OpenJDK 21 (JEP 441). + +Record Patterns +=============== +https://openjdk.org/jeps/405 +https://openjdk.org/jeps/432 +https://openjdk.org/jeps/440 + +Enhance the Java programming language with record patterns to +deconstruct record values. Record patterns and type patterns can be +nested to enable a powerful, declarative, and composable form of data +navigation and processing. + +This was a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 19 (JEP 405) with a second preview (JEP 432) in OpenJDK 20. +It became final with OpenJDK 21 (JEP 440). + +String Templates +================ +https://openjdk.org/jeps/430 + +Enhance the Java programming language with string templates. String +templates complement Java's existing string literals and text blocks +by coupling literal text with embedded expressions and template +processors to produce specialized results. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 430). + +Unnamed Patterns and Variables +============================== +https://openjdk.org/jeps/443 + +Enhance the Java language with unnamed patterns, which match a record +component without stating the component's name or type, and unnamed +variables, which can be initialized but not used. Both are denoted by +an underscore character, _. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 443). + +Unnamed Classes and Instance Main Methods (Preview) +=================================================== +https://openjdk.org/jeps/445 + +Evolve the Java language so that students can write their first +programs without needing to understand language features designed for +large programs. 
Far from using a separate dialect of Java, students +can write streamlined declarations for single-class programs and then +seamlessly expand their programs to use more advanced features as +their skills grow. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 445). + +Library Features +================ + +UTF-8 by Default +================ +https://openjdk.org/jeps/400 + +Specify UTF-8 as the default charset of the standard Java APIs. With +this change, APIs that depend upon the default charset will behave +consistently across all implementations, operating systems, locales, +and configurations. + +Reimplement Core Reflection with Method Handles +=============================================== +https://openjdk.org/jeps/416 + +Reimplement java.lang.reflect.Method, Constructor, and Field on top of +java.lang.invoke method handles. Making method handles the underlying +mechanism for reflection will reduce the maintenance and development +cost of both the java.lang.reflect and java.lang.invoke APIs. + +Vector API +========== +https://openjdk.org/jeps/338 +https://openjdk.org/jeps/414 +https://openjdk.org/jeps/417 +https://openjdk.org/jeps/426 +https://openjdk.org/jeps/438 +https://openjdk.org/jeps/448 + +Introduce an API to express vector computations that reliably compile +at runtime to optimal vector hardware instructions on supported CPU +architectures and thus achieve superior performance to equivalent +scalar computations. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16 (JEP 338). A second round of incubation took +place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third, +OpenJDK 19 a fourth (JEP 426), OpenJDK 20 (JEP 438) a fifth and +OpenJDK 21 a sixth (JEP 448). 
+ +Internet-Address Resolution SPI +=============================== +https://openjdk.org/jeps/418 + +Define a service-provider interface (SPI) for host name and address +resolution, so that java.net.InetAddress can make use of resolvers +other than the platform's built-in resolver. + +Foreign Function & Memory API +============================= +https://openjdk.org/jeps/412 +https://openjdk.org/jeps/419 +https://openjdk.org/jeps/424 +https://openjdk.org/jeps/434 +https://openjdk.org/jeps/442 + +Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. + +This API is now a preview feature (http://openjdk.java.net/jeps/12). +It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 17 (JEP 412), and is an +evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and +Foreign Linker API (OpenJDK 16) (see release notes for +java-17-openjdk). OpenJDK 18 saw a second round of incubation (JEP +419) before its inclusion as a preview in OpenJDK 19 (JEP 424) and a +second in OpenJDK 20 (JEP 434). It reaches a third preview in OpenJDK +21 (JEP 442). + +Virtual Threads +=============== +https://openjdk.org/jeps/425 +https://openjdk.org/jeps/436 +https://openjdk.org/jeps/444 + +Introduce virtual threads to the Java Platform. Virtual threads are +lightweight threads that dramatically reduce the effort of writing, +maintaining, and observing high-throughput concurrent applications. + +This was a preview feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 19 (JEP 425) and reaching its second preview in +OpenJDK 20 (JEP 436). It became final with OpenJDK 21 (JEP 444). 
+ +Structured Concurrency +====================== +https://openjdk.org/jeps/428 +https://openjdk.org/jeps/437 +https://openjdk.org/jeps/453 + +Simplify multithreaded programming by introducing an API for +structured concurrency. Structured concurrency treats multiple tasks +running in different threads as a single unit of work, thereby +streamlining error handling and cancellation, improving reliability, +and enhancing observability. + +This API is now a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 21 (JEP 453). It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 19 (JEP 428) and had a +second round of incubation in OpenJDK 20 (JEP 437). + +Scoped Values +============= +https://openjdk.org/jeps/429 + +Introduce scoped values, which enable the sharing of immutable data +within and across threads. They are preferred to thread-local +variables, especially when using large numbers of virtual threads. + +This API is now a preview feature (http://openjdk.java.net/jeps/12) +in OpenJDK 21 (JEP 429). It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 20 (JEP 429). + +Sequenced Collections +===================== +https://openjdk.org/jeps/431 + +Introduce new interfaces to represent collections with a defined +encounter order. Each such collection has a well-defined first +element, second element, and so forth, up to the last element. It also +provides uniform APIs for accessing its first and last elements, and +for processing its elements in reverse order. + +Key Encapsulation Mechanism API +=============================== +https://openjdk.org/jeps/452 + +Introduce an API for key encapsulation mechanisms (KEMs), an +encryption technique for securing symmetric keys using public key +cryptography. 
+ +Virtual Machine Enhancements +============================ + +Generational ZGC +================ +https://openjdk.org/jeps/439 + +Improve application performance by extending the Z Garbage Collector +(ZGC) to maintain separate generations for young and old objects. This +will allow ZGC to collect young objects — which tend to die young — +more frequently. + +Tools +===== + +Simple Web Server +================= +https://openjdk.org/jeps/408 + +Provide a command-line tool, `jwebserver`, to start a minimal web +server that serves static files only. No CGI or servlet-like +functionality is available. This tool will be useful for prototyping, +ad-hoc coding, and testing purposes, particularly in educational +contexts. + +Code Snippets in Java API Documentation +======================================= +https://openjdk.org/jeps/413 + +Introduce an @snippet tag for JavaDoc's Standard Doclet, to simplify +the inclusion of example source code in API documentation. + +Ports +===== + +Linux/RISC-V Port +================= +https://openjdk.org/jeps/422 + +RISC-V is a free and open-source RISC instruction set architecture +(ISA) designed originally at the University of California, Berkeley, +and now developed collaboratively under the sponsorship of RISC-V +International. It is already supported by a wide range of language +toolchains. With the increasing availability of RISC-V hardware, a +port of the JDK would be valuable. + +DEPRECATIONS +============ + +Deprecate Finalization for Removal +================================== +https://openjdk.org/jeps/421 + +Deprecate finalization for removal in a future release. Finalization +remains enabled by default for now, but can be disabled to facilitate +early testing. In a future release it will be disabled by default, and +in a later release it will be removed. 
Maintainers of libraries and +applications that rely upon finalization should consider migrating to +other resource management techniques such as the try-with-resources +statement and cleaners. + +Deprecate the Windows 32-bit x86 Port for Removal +================================================= +https://openjdk.org/jeps/449 + +Deprecate the Windows 32-bit x86 port, with the intent to remove it in +a future release. + +Prepare to Disallow the Dynamic Loading of Agents +================================================= +https://openjdk.org/jeps/451 + +Issue warnings when agents are loaded dynamically into a running +JVM. These warnings aim to prepare users for a future release which +disallows the dynamic loading of agents by default in order to improve +integrity by default. Serviceability tools that load agents at startup +will not cause warnings to be issued in any release. diff --git a/SOURCES/README.md b/SOURCES/README.md index 8a2724b..aad5941 100644 --- a/SOURCES/README.md +++ b/SOURCES/README.md 
@@ -1,14 +1,12 @@ -OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform. +OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform. -For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream -release page for OpenJDK 17 and the preceding interim releases: +For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream +release page for OpenJDK 21 and the preceding interim releases: -* 12: https://openjdk.java.net/projects/jdk/12/ -* 13: https://openjdk.java.net/projects/jdk/13/ -* 14: https://openjdk.java.net/projects/jdk/14/ -* 15: https://openjdk.java.net/projects/jdk/15/ -* 16: https://openjdk.java.net/projects/jdk/16/ -* 17: https://openjdk.java.net/projects/jdk/17/ +* 18: https://openjdk.java.net/projects/jdk/18/ +* 19: https://openjdk.java.net/projects/jdk/19/ +* 20: https://openjdk.java.net/projects/jdk/20/ +* 21: https://openjdk.java.net/projects/jdk/21/ # Rebuilding the OpenJDK package 
@@ -20,22 +18,29 @@ multiple builds which only differ by the platform they were built on. This does make rebuilding the package slightly more complicated than a normal package. Modifications should be made to the -`java-17-openjdk-portable.specfile` file, which can be found with this +`java-21-openjdk-portable.specfile` file, which can be found with this README file in the source RPM or installed in the documentation tree -by the `java-17-openjdk-headless` RPM. +by the `java-21-openjdk-headless` RPM. -Once the modified `java-17-openjdk-portable` RPMs are built, they +Once the modified `java-21-openjdk-portable` RPMs are built, they should be installed and will produce a number of tarballs in the -`/usr/lib/jvm` directory. The `java-17-openjdk` RPMs can then be +`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be built, which will use these tarballs to create the usual RPMs found in -RHEL. The `java-17-openjdk-portable` RPMs can be uninstalled once the +RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the desired final RPMs are produced. -Note that the `java-17-openjdk.spec` file has a hard requirement on -the exact version of java-17-openjdk-portable to use, so this will +Note that the `java-21-openjdk.spec` file has a hard requirement on +the exact version of java-21-openjdk-portable to use, so this will need to be modified if the version or rpmrelease values are changed in -`java-17-openjdk-portable.specfile`. +`java-21-openjdk-portable.specfile`. To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` builds may be disabled using `--without fastdebug` and `--without slowdebug`. + +By default, the portable build on RHEL also uses a "devkit" (a +toolchain and system libraries) to build. This aids reproducibility +by removing build differences caused by differing system toolchains +and libraries. This dependency can be dropped by defining 'centos' to +a non-zero value (e.g. 
--define='centos 1') or a devkit can be built +using the `openjdk-devkit.specfile` and associated patches. diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java index d87647a..f6a4fe2 100644 --- a/SOURCES/TestTranslations.java +++ b/SOURCES/TestTranslations.java @@ -52,7 +52,7 @@ public class TestTranslations { map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", "heure des Rocheuses", "UTC\u221207:00", "MT"}); - map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST", + map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST", "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); CIUDAD_JUAREZ = Collections.unmodifiableMap(map); diff --git a/SOURCES/alt-java.c b/SOURCES/alt-java.c new file mode 100644 index 0000000..644d002 --- /dev/null +++ b/SOURCES/alt-java.c 
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2023 Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Red Hat designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Red Hat in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() {
+#if defined(__linux__) && defined(__x86_64__)
+ // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
+ // if ( prctl(PR_SET_SPECULATION_CTRL,
+ // PR_SPEC_STORE_BYPASS,
+ // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ // return;
+ // }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+}
+
+int main(int argc, char **argv) {
+ set_speculation();
+
+ char our_name[PATH_MAX], java_name[PATH_MAX];
+ ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
+ if (len < 0) {
+ perror("I can't find myself");
+ exit(2);
+ }
+
+ our_name[len] = '\0'; // readlink(2) doesn't append a null byte
+ char *path = dirname(our_name);
+ strncpy(java_name, path, PATH_MAX - 1);
+
+ size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
+ strncat(java_name, "/java", remaining_bytes);
+
+ execv(java_name, argv);
+ fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
+
+ exit(1);
+}
+
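Review bot: In `set_speculation()` the result of `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0)` is discarded, so when the kernel refuses the request the wrapper still execs `java` and nothing tells the operator that the store-bypass mitigation this binary exists for is not in effect. At minimum report it, e.g. `if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0) perror("alt-java: SSB mitigation not applied");`; the file already defines `PR_GET_SPECULATION_CTRL` and `PR_SPEC_NOT_AFFECTED` without using them, and a query with them could keep unaffected CPUs quiet. Whether the launcher continues or exits on failure is a policy choice worth stating in a comment next to the call. Separately, in `main()` the `strncpy`/`strncat` pair truncates silently when the directory is close to `PATH_MAX`, so `execv` could be handed a shortened path; `int n = snprintf(java_name, sizeof java_name, "%s/java", path);` followed by `if (n < 0 || (size_t)n >= sizeof java_name) exit(2);` makes that case fail closed.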
diff --git a/SOURCES/discover_trees.sh b/SOURCES/discover_trees.sh deleted file mode 100755 index 8c31278..0000000 --- a/SOURCES/discover_trees.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2020 Red Hat, Inc. -# Written by Andrew John Hughes . -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -TREE=${1} - -if test "x${TREE}" = "x"; then - TREE=${PWD} -fi - -if [ -e ${TREE}/nashorn/.hg -o -e ${TREE}/nashorn/merge.changeset ] ; then - NASHORN="nashorn" ; -fi - -if [ -e ${TREE}/corba/.hg -o -e ${TREE}/corba/merge.changeset ] ; then - CORBA="corba"; -fi - -if [ -e ${TREE}/jaxp/.hg -o -e ${TREE}/jaxp/merge.changeset ] ; then - JAXP="jaxp"; -fi - -if [ -e ${TREE}/jaxws/.hg -o -e ${TREE}/jaxws/merge.changeset ] ; then - JAXWS="jaxws"; -fi - -if [ -e ${TREE}/langtools/.hg -o -e ${TREE}/langtools/merge.changeset ] ; then - LANGTOOLS="langtools"; -fi - -if [ -e ${TREE}/jdk/.hg -o -e ${TREE}/jdk/merge.changeset ] ; then - JDK="jdk"; -fi - -if [ -e ${TREE}/hotspot/.hg -o -e ${TREE}/hotspot/merge.changeset ] ; then - HOTSPOT="hotspot"; -fi - -SUBTREES="${CORBA} ${JAXP} ${JAXWS} ${LANGTOOLS} ${NASHORN} ${JDK} ${HOTSPOT}"; -echo ${SUBTREES} diff --git a/SOURCES/fips-17u-bf363eecce3.patch b/SOURCES/fips-21u-0a42e29b391.patch similarity index 55% rename from SOURCES/fips-17u-bf363eecce3.patch rename to SOURCES/fips-21u-0a42e29b391.patch index cd8565c..54e8da0 100644 
--- a/SOURCES/fips-17u-bf363eecce3.patch +++ b/SOURCES/fips-21u-0a42e29b391.patch @@ -116,30 +116,30 @@ index 00000000000..f48fc7f7e80 + AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a65d91ee974..a8f054c1397 100644 +index 51d4f724c33..feb0bcf3e75 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 -@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) +@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) m4_include([lib-x11.m4]) - m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) +m4_include([lib-sysconf.m4]) ################################################################################ # Determine which libraries are needed for this configuration -@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], - LIB_SETUP_BUNDLED_LIBS - LIB_SETUP_MISC_LIBS +@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_X11 + LIB_TESTS_SETUP_GTEST + LIB_SETUP_SYSCONF_LIBS BASIC_JDKLIB_LIBS="" - if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then + BASIC_JDKLIB_LIBS_TARGET="" diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index 537c3e3043c..16ad3df6f09 100644 +index f6def153c82..4d7abc33427 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -841,6 +841,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # @@ -152,7 +152,7 @@ index 537c3e3043c..16ad3df6f09 100644 LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk -index 4b894eeae4a..51567071aa8 100644 +index 9e5cfe2d0fc..434ade8e182 100644 --- a/make/modules/java.base/Gendata.gmk +++ b/make/modules/java.base/Gendata.gmk @@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST @@ -174,10 +174,10 @@ index 4b894eeae4a..51567071aa8 100644 + +################################################################################ 
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 5658ff342e5..c8bc5bde1e1 100644 +index 1e0f66726d0..59fe923f2c5 100644 --- a/make/modules/java.base/Lib.gmk +++ b/make/modules/java.base/Lib.gmk -@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) +@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) endif endif 
@@ -207,312 +207,8 @@ index 5658ff342e5..c8bc5bde1e1 100644 ################################################################################ # Create the symbols file for static builds. -diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -index 1fd6230d83b..683e3dd3a8d 100644 ---- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -+++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -@@ -25,13 +25,12 @@ - - package com.sun.crypto.provider; - --import java.util.Arrays; -- - import javax.crypto.SecretKey; - import javax.crypto.spec.SecretKeySpec; --import javax.crypto.spec.PBEParameterSpec; -+import javax.crypto.spec.PBEKeySpec; - import java.security.*; - import java.security.spec.*; -+import sun.security.util.PBEUtil; - - /** - * This is an implementation of the HMAC algorithms as defined -@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { - */ - protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- char[] passwdChars; -- byte[] salt = null; -- int iCount = 0; -- if (key instanceof javax.crypto.interfaces.PBEKey) { -- javax.crypto.interfaces.PBEKey pbeKey = -- (javax.crypto.interfaces.PBEKey) key; -- passwdChars = pbeKey.getPassword(); -- salt = pbeKey.getSalt(); // maybe null if unspecified -- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified -- } else if (key instanceof SecretKey) { -- byte[] passwdBytes; -- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || -- (passwdBytes = key.getEncoded()) == null) { -- throw new InvalidKeyException("Missing password"); -- } -- passwdChars = new char[passwdBytes.length]; -- for (int i=0; i attrs = new HashMap<>(3); 
@@ -742,6 +438,13 @@ index a020e1c15d8..3c064965e82 100644 - ps("Cipher", "PBEWithHmacSHA512AndAES_128", - "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); - +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); +- +- - ps("Cipher", "PBEWithHmacSHA1AndAES_256", - "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); - @@ -757,6 +460,12 @@ index a020e1c15d8..3c064965e82 100644 - ps("Cipher", "PBEWithHmacSHA512AndAES_256", - "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); - +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); +- - /* - * Key(pair) Generator engines - */ @@ -1022,6 +731,12 @@ index a020e1c15d8..3c064965e82 100644 + ps("Cipher", "PBEWithHmacSHA512AndAES_128", + "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); + ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); ++ + ps("Cipher", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); + @@ -1037,6 +752,12 @@ index a020e1c15d8..3c064965e82 100644 + ps("Cipher", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); + ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); ++ + /* + * Key(pair) Generator engines + */ 
@@ -1101,7 +822,7 @@ index a020e1c15d8..3c064965e82 100644 /* * Algorithm parameter generation engines -@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { +@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", null); @@ -1128,9 +849,22 @@ index a020e1c15d8..3c064965e82 100644 /* * Algorithm Parameter engines -@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { - ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", - "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); +@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +@@ -651,136 +659,137 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); - // PBKDF2 - psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", 
@@ -1144,6 +878,10 @@ index a020e1c15d8..3c064965e82 100644 - "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); - ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", - "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); - - /* - * MAC @@ -1208,6 +946,11 @@ index a020e1c15d8..3c064965e82 100644 - "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); - ps("Mac", "PBEWithHmacSHA512", - "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); +- - ps("Mac", "SslMacMD5", - "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); - ps("Mac", "SslMacSHA1", @@ -1220,6 +963,15 @@ index a020e1c15d8..3c064965e82 100644 - "com.sun.crypto.provider.JceKeyStore"); - - /* +- * KEMs +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + +- "|java.security.interfaces.XECKey"); +- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); +- +- /* - * SSL/TLS mechanisms - * - * These are strictly internal implementations and may @@ -1257,6 +1009,10 @@ index a020e1c15d8..3c064965e82 100644 + "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); + ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", + "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); + + /* + * MAC 
@@ -1309,7 +1065,6 @@ index a020e1c15d8..3c064965e82 100644 + "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", + null, attrs); + -+ + // PBMAC1 + ps("Mac", "PBEWithHmacSHA1", + "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); @@ -1321,6 +1076,11 @@ index a020e1c15d8..3c064965e82 100644 + "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); + ps("Mac", "PBEWithHmacSHA512", + "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); ++ + ps("Mac", "SslMacMD5", + "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); + ps("Mac", "SslMacSHA1", @@ -1333,6 +1093,15 @@ index a020e1c15d8..3c064965e82 100644 + "com.sun.crypto.provider.JceKeyStore"); + + /* ++ * KEMs ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + ++ "|java.security.interfaces.XECKey"); ++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); ++ ++ /* + * SSL/TLS mechanisms + * + * These are strictly internal implementations and may @@ -1362,10 +1131,10 @@ index a020e1c15d8..3c064965e82 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index 2477027969c..06b1b6c671c 100644 +index 671529f71a1..af632936921 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java -@@ -33,6 +33,7 @@ import java.net.URL; +@@ -34,6 +34,7 @@ import java.net.URL; import jdk.internal.access.JavaSecurityPropertiesAccess; import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; 
@@ -1373,7 +1142,7 @@ index 2477027969c..06b1b6c671c 100644 import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -57,6 +58,11 @@ import sun.security.jca.*; +@@ -58,6 +59,11 @@ import sun.security.jca.*; public final class Security { @@ -1385,7 +1154,7 @@ index 2477027969c..06b1b6c671c 100644 /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); -@@ -74,6 +80,19 @@ public final class Security { +@@ -75,6 +81,19 @@ public final class Security { } static { @@ -1405,7 +1174,7 @@ index 2477027969c..06b1b6c671c 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -97,6 +116,7 @@ public final class Security { +@@ -96,6 +115,7 @@ public final class Security { private static void initialize() { props = new Properties(); boolean overrideAll = false; @@ -1413,7 +1182,7 @@ index 2477027969c..06b1b6c671c 100644 // first load the system properties file // to determine the value of security.overridePropertiesFile -@@ -117,6 +137,60 @@ public final class Security { +@@ -116,6 +136,61 @@ public final class Security { } loadProps(null, extraPropFile, overrideAll); } @@ -1471,14 +1240,12 @@ index 2477027969c..06b1b6c671c 100644 + "system security properties being enabled."); + } + } ++ initialSecurityProperties = (Properties) props.clone(); if (sdebug != null) { for (String key : props.stringPropertyNames()) { -@@ -124,10 +198,9 @@ public final class Security { - props.getProperty(key)); - } - } -- +@@ -126,7 +201,7 @@ public final class Security { + } - private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { @@ -1762,26 +1529,26 @@ index 00000000000..3f3caac64dc + boolean isPlainKeySupportEnabled(); +} 
diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index ea28bb8747e..77161eb3844 100644 +index 919d758a6e3..b1e5fbaf84a 100644 --- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -40,6 +40,7 @@ import java.io.FilePermission; - import java.io.ObjectInputStream; +@@ -43,6 +43,7 @@ import java.io.PrintStream; + import java.io.PrintWriter; import java.io.RandomAccessFile; import java.security.ProtectionDomain; +import java.security.Security; import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for -@@ -83,6 +84,7 @@ public class SharedSecrets { - private static JavaSecuritySpecAccess javaSecuritySpecAccess; +@@ -90,6 +91,7 @@ public class SharedSecrets { private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; + private static JavaTemplateAccess javaTemplateAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { javaUtilCollectionAccess = juca; -@@ -457,4 +459,15 @@ public class SharedSecrets { +@@ -537,4 +539,15 @@ public class SharedSecrets { MethodHandles.lookup().ensureInitialized(c); } catch (IllegalAccessException e) {} } @@ -1798,31 +1565,30 @@ index ea28bb8747e..77161eb3844 100644 + } } diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index fad70bdc058..29a813a485f 100644 +index 06b141dcf22..e8cbf7f15d7 100644 --- a/src/java.base/share/classes/module-info.java 
+++ b/src/java.base/share/classes/module-info.java -@@ -152,6 +152,8 @@ module java.base { +@@ -158,6 +158,7 @@ module java.base { java.naming, java.rmi, jdk.charsets, -+ jdk.crypto.cryptoki, + jdk.crypto.ec, jdk.jartool, jdk.jlink, jdk.jfr, diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 912cad59714..7803e97f7ef 100644 +index f036a411f1d..1e9de933bd9 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java -@@ -30,6 +30,7 @@ import java.net.*; - import java.util.*; - import java.security.*; +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.LinkedHashSet; +import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; - import sun.security.action.GetPropertyAction; - import sun.security.util.SecurityProviderConstants; -@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + import sun.security.action.GetBooleanAction; + +@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; public final class SunEntries { @@ -1833,7 +1599,7 @@ index 912cad59714..7803e97f7ef 100644 // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; -@@ -94,89 +99,92 @@ public final class SunEntries { +@@ -102,89 +107,92 @@ public final class SunEntries { // common attribute map HashMap attrs = new HashMap<>(3); @@ -1982,7 +1748,6 @@ index 912cad59714..7803e97f7ef 100644 + "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); + add(p, "Signature", "SHA3-512withDSAinP1363Format", + "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ } - add(p, "Signature", "SHA1withDSAinP1363Format", - "sun.security.provider.DSA$SHA1withDSAinP1363Format"); 
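Review bot: In the module-info.java part of this hunk, the kept line `+ jdk.crypto.ec,` widens a qualified export of java.base, but nothing says which internal package is opened or why. The `exports … to` clause header lies above the inner hunk, so it is not visible here. If this is the `jdk.internal.access` list (likely, since the preceding hunk adds a `javaSecuritySystemConfiguratorAccess` field to SharedSecrets), every class in jdk.crypto.ec gains reach to the whole package, not only the FIPS accessor. I would record the consumer next to the entry, e.g. `jdk.crypto.ec, // system FIPS: uses JavaSecuritySystemConfiguratorAccess (confirm consumer)`. That lets a later rebase drop the entry once it is unneeded, as `jdk.crypto.cryptoki` is dropped from the patch in this revision.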
@@ -2004,10 +1769,11 @@ index 912cad59714..7803e97f7ef 100644 - "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); - add(p, "Signature", "SHA3-512withDSAinP1363Format", - "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); - /* - * Key Pair Generator engines - */ -@@ -184,9 +192,11 @@ public final class SunEntries { ++ } + + attrs.clear(); + attrs.put("ImplementedIn", "Software"); +@@ -196,9 +204,11 @@ public final class SunEntries { attrs.put("ImplementedIn", "Software"); attrs.put("KeySize", "2048"); // for DSA KPG and APG only @@ -2022,7 +1788,7 @@ index 912cad59714..7803e97f7ef 100644 /* * Algorithm Parameter Generator engines -@@ -201,40 +211,42 @@ public final class SunEntries { +@@ -213,44 +223,46 @@ public final class SunEntries { addWithAlias(p, "AlgorithmParameters", "DSA", "sun.security.provider.DSAParameters", attrs); @@ -2031,12 +1797,16 @@ index 912cad59714..7803e97f7ef 100644 - */ - addWithAlias(p, "KeyFactory", "DSA", - "sun.security.provider.DSAKeyFactory", attrs); +- addWithAlias(p, "KeyFactory", "HSS/LMS", +- "sun.security.provider.HSS$KeyFactoryImpl", attrs); - - /* - * Digest engines - */ -- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); -- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", +- attrs); +- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", +- attrs); - addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", - attrs); + if (!systemFipsEnabled) { @@ -2045,6 +1815,8 @@ index 912cad59714..7803e97f7ef 100644 + */ + addWithAlias(p, "KeyFactory", "DSA", + "sun.security.provider.DSAKeyFactory", attrs); ++ addWithAlias(p, "KeyFactory", "HSS/LMS", ++ "sun.security.provider.HSS$KeyFactoryImpl", attrs); - addWithAlias(p, "MessageDigest", "SHA-224", - "sun.security.provider.SHA2$SHA224", attrs); 
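Review bot: The new `++ addWithAlias(p, "KeyFactory", "HSS/LMS", …)` line lands inside the `if (!systemFipsEnabled) {` block opened in the previous hunk, so in FIPS mode the SUN provider no longer registers an HSS/LMS KeyFactory. The closing `++ }` added in the first hunk on this line sits directly before an `attrs.clear(); attrs.put("ImplementedIn", "Software");` block whose registrations are not shown. If that block registers the HSS/LMS Signature (this needs confirming against the full SunEntries.java), FIPS mode would advertise the signature algorithm without the key factory that decodes its keys. Both registrations should sit on the same side of the gate, and a comment such as `// HSS/LMS: KeyFactory and Signature are gated together in FIPS mode` at the KeyFactory line would make that checkable on the next rebase. The enclosing method starts and ends outside these hunks.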
@@ -2069,10 +1841,12 @@ index 912cad59714..7803e97f7ef 100644 + /* + * Digest engines + */ -+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); -+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", ++ attrs); ++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", ++ attrs); + addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", -+ attrs); ++ attrs); + + addWithAlias(p, "MessageDigest", "SHA-224", + "sun.security.provider.SHA2$SHA224", attrs); @@ -2099,7 +1873,7 @@ index 912cad59714..7803e97f7ef 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..a12fcbbd6e7 100644 +index 539ef1e8ee8..435f57e3ff2 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; 
@@ -2204,314 +1978,11 @@ index ca79f25cc44..a12fcbbd6e7 100644 addA(p, "AlgorithmParameters", "RSASSA-PSS", "sun.security.rsa.PSSParameters", null); } -diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java -new file mode 100644 -index 00000000000..dc8bc72fccb ---- /dev/null -+++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java -@@ -0,0 +1,297 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+package sun.security.util; -+ -+import java.security.AlgorithmParameters; -+import java.security.InvalidAlgorithmParameterException; -+import java.security.InvalidKeyException; -+import java.security.Key; -+import java.security.NoSuchAlgorithmException; -+import java.security.Provider; -+import java.security.SecureRandom; -+import java.security.spec.AlgorithmParameterSpec; -+import java.security.spec.InvalidParameterSpecException; -+import java.util.Arrays; -+import javax.crypto.Cipher; -+import javax.crypto.SecretKey; -+import javax.crypto.spec.IvParameterSpec; -+import javax.crypto.spec.PBEKeySpec; -+import javax.crypto.spec.PBEParameterSpec; -+ -+public final class PBEUtil { -+ -+ // Used by SunJCE and SunPKCS11 -+ public final static class PBES2Helper { -+ private int iCount; -+ private byte[] salt; -+ private IvParameterSpec ivSpec; -+ private final int defaultSaltLength; -+ private final int defaultCount; -+ -+ public PBES2Helper(int defaultSaltLength, int defaultCount) { -+ this.defaultSaltLength = defaultSaltLength; -+ this.defaultCount = defaultCount; -+ } -+ -+ public IvParameterSpec getIvSpec() { -+ return ivSpec; -+ } -+ -+ public AlgorithmParameters getAlgorithmParameters( -+ int blkSize, String pbeAlgo, Provider p, SecureRandom random) { -+ AlgorithmParameters params = null; -+ if (salt == null) { -+ // generate random salt and use default iteration count -+ salt = new byte[defaultSaltLength]; -+ random.nextBytes(salt); -+ iCount = defaultCount; -+ } -+ if (ivSpec == null) { -+ // generate random IV -+ byte[] ivBytes = new byte[blkSize]; -+ random.nextBytes(ivBytes); -+ ivSpec = new IvParameterSpec(ivBytes); -+ } -+ PBEParameterSpec pbeSpec = new PBEParameterSpec( -+ salt, iCount, ivSpec); -+ try { -+ params = (p == null) ? 
-+ AlgorithmParameters.getInstance(pbeAlgo) : -+ AlgorithmParameters.getInstance(pbeAlgo, p); -+ params.init(pbeSpec); -+ } catch (NoSuchAlgorithmException nsae) { -+ // should never happen -+ throw new RuntimeException("AlgorithmParameters for " -+ + pbeAlgo + " not configured"); -+ } catch (InvalidParameterSpecException ipse) { -+ // should never happen -+ throw new RuntimeException("PBEParameterSpec not supported"); -+ } -+ return params; -+ } -+ -+ public PBEKeySpec getPBEKeySpec( -+ int blkSize, int keyLength, int opmode, Key key, -+ AlgorithmParameterSpec params, SecureRandom random) -+ throws InvalidKeyException, InvalidAlgorithmParameterException { -+ -+ if (key == null) { -+ throw new InvalidKeyException("Null key"); -+ } -+ -+ byte[] passwdBytes = key.getEncoded(); -+ char[] passwdChars = null; -+ PBEKeySpec pbeSpec; -+ try { -+ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches( -+ true, 0, "PBE", 0, 3))) { -+ throw new InvalidKeyException("Missing password"); -+ } -+ -+ // TBD: consolidate the salt, ic and IV parameter checks below -+ -+ // Extract salt and iteration count from the key, if present -+ if (key instanceof javax.crypto.interfaces.PBEKey) { -+ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt(); -+ if (salt != null && salt.length < 8) { -+ throw new InvalidAlgorithmParameterException( -+ "Salt must be at least 8 bytes long"); -+ } -+ iCount = ((javax.crypto.interfaces.PBEKey)key) -+ .getIterationCount(); -+ if (iCount == 0) { -+ iCount = defaultCount; -+ } else if (iCount < 0) { -+ throw new InvalidAlgorithmParameterException( -+ "Iteration count must be a positive number"); -+ } -+ } -+ -+ // Extract salt, iteration count and IV from the params, -+ // if present -+ if (params == null) { -+ if (salt == null) { -+ // generate random salt and use default iteration count -+ salt = new byte[defaultSaltLength]; -+ random.nextBytes(salt); -+ iCount = defaultCount; -+ } -+ if ((opmode == Cipher.ENCRYPT_MODE) || -+ (opmode == 
Cipher.WRAP_MODE)) { -+ // generate random IV -+ byte[] ivBytes = new byte[blkSize]; -+ random.nextBytes(ivBytes); -+ ivSpec = new IvParameterSpec(ivBytes); -+ } -+ } else { -+ if (!(params instanceof PBEParameterSpec)) { -+ throw new InvalidAlgorithmParameterException -+ ("Wrong parameter type: PBE expected"); -+ } -+ // salt and iteration count from the params take precedence -+ byte[] specSalt = ((PBEParameterSpec) params).getSalt(); -+ if (specSalt != null && specSalt.length < 8) { -+ throw new InvalidAlgorithmParameterException( -+ "Salt must be at least 8 bytes long"); -+ } -+ salt = specSalt; -+ int specICount = ((PBEParameterSpec) params) -+ .getIterationCount(); -+ if (specICount == 0) { -+ specICount = defaultCount; -+ } else if (specICount < 0) { -+ throw new InvalidAlgorithmParameterException( -+ "Iteration count must be a positive number"); -+ } -+ iCount = specICount; -+ -+ AlgorithmParameterSpec specParams = -+ ((PBEParameterSpec) params).getParameterSpec(); -+ if (specParams != null) { -+ if (specParams instanceof IvParameterSpec) { -+ ivSpec = (IvParameterSpec)specParams; -+ } else { -+ throw new InvalidAlgorithmParameterException( -+ "Wrong parameter type: IV expected"); -+ } -+ } else if ((opmode == Cipher.ENCRYPT_MODE) || -+ (opmode == Cipher.WRAP_MODE)) { -+ // generate random IV -+ byte[] ivBytes = new byte[blkSize]; -+ random.nextBytes(ivBytes); -+ ivSpec = new IvParameterSpec(ivBytes); -+ } else { -+ throw new InvalidAlgorithmParameterException( -+ "Missing parameter type: IV expected"); -+ } -+ } -+ -+ passwdChars = new char[passwdBytes.length]; -+ for (int i = 0; i < passwdChars.length; i++) -+ passwdChars[i] = (char) (passwdBytes[i] & 0x7f); -+ -+ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength); -+ // password char[] was cloned in PBEKeySpec constructor, -+ // so we can zero it out here -+ } finally { -+ if (passwdChars != null) Arrays.fill(passwdChars, '\0'); -+ if (passwdBytes != null) Arrays.fill(passwdBytes, 
(byte)0x00); -+ } -+ return pbeSpec; -+ } -+ -+ public static AlgorithmParameterSpec getParameterSpec( -+ AlgorithmParameters params) -+ throws InvalidAlgorithmParameterException { -+ AlgorithmParameterSpec pbeSpec = null; -+ if (params != null) { -+ try { -+ pbeSpec = params.getParameterSpec(PBEParameterSpec.class); -+ } catch (InvalidParameterSpecException ipse) { -+ throw new InvalidAlgorithmParameterException( -+ "Wrong parameter type: PBE expected"); -+ } -+ } -+ return pbeSpec; -+ } -+ } -+ -+ // Used by SunJCE and SunPKCS11 -+ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params) -+ throws InvalidKeyException, InvalidAlgorithmParameterException { -+ char[] passwdChars; -+ byte[] salt = null; -+ int iCount = 0; -+ if (key instanceof javax.crypto.interfaces.PBEKey) { -+ javax.crypto.interfaces.PBEKey pbeKey = -+ (javax.crypto.interfaces.PBEKey) key; -+ passwdChars = pbeKey.getPassword(); -+ salt = pbeKey.getSalt(); // maybe null if unspecified -+ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified -+ } else if (key instanceof SecretKey) { -+ byte[] passwdBytes; -+ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || -+ (passwdBytes = key.getEncoded()) == null) { -+ throw new InvalidKeyException("Missing password"); -+ } -+ passwdChars = new char[passwdBytes.length]; -+ for (int i=0; i P11RSAPrivateKeyInternal.of(session, keyID, algorithm, +@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length { + public String getFormat() { token.ensureValid(); -- if (sensitive || (extractable == false)) { +- if (sensitive || !extractable || (isNSS && tokenObject)) { + if (!plainKeySupportEnabled && -+ (sensitive || (extractable == false))) { ++ (sensitive || !extractable || (isNSS && tokenObject))) { return null; } else { return "RAW"; -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -index 
ba0b7faf3f8..4840a116b34 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -@@ -29,14 +29,17 @@ import java.nio.ByteBuffer; - - import java.security.*; - import java.security.spec.AlgorithmParameterSpec; -+import java.security.spec.InvalidKeySpecException; - - import javax.crypto.MacSpi; -+import javax.crypto.spec.PBEKeySpec; - - import sun.nio.ch.DirectBuffer; - - import sun.security.pkcs11.wrapper.*; - import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - import static sun.security.pkcs11.wrapper.PKCS11Exception.*; -+import sun.security.util.PBEUtil; - - /** - * MAC implementation class. This class currently supports HMAC using -@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi { - // see JCE spec - protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- if (params != null) { -- throw new InvalidAlgorithmParameterException -- ("Parameters not supported"); -+ if (algorithm.startsWith("HmacPBE")) { -+ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params); -+ reset(true); -+ try { -+ p11Key = P11SecretKeyFactory.derivePBEKey( -+ token, pbeSpec, algorithm); -+ } catch (InvalidKeySpecException e) { -+ throw new InvalidKeyException(e); -+ } -+ } else { -+ if (params != null) { -+ throw new InvalidAlgorithmParameterException -+ ("Parameters not supported"); -+ } -+ reset(true); -+ p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); - } -- reset(true); -- p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); - try { - initialize(); - } catch (PKCS11Exception e) { -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java -new file mode 100644 -index 00000000000..ae4262703e6 ---- /dev/null -+++ 
b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
-@@ -0,0 +1,200 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.security.AlgorithmParameters;
-+import java.security.Key;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.InvalidKeyException;
-+import java.security.NoSuchAlgorithmException;
-+import java.security.SecureRandom;
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidKeySpecException;
-+import javax.crypto.BadPaddingException;
-+import javax.crypto.CipherSpi;
-+import javax.crypto.IllegalBlockSizeException;
-+import javax.crypto.NoSuchPaddingException;
-+import javax.crypto.ShortBufferException;
-+import javax.crypto.spec.PBEKeySpec;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.util.PBEUtil;
-+
-+final class P11PBECipher extends CipherSpi {
-+
-+ private static final int DEFAULT_SALT_LENGTH = 20;
-+ private static final int DEFAULT_COUNT = 4096;
-+
-+ private final Token token;
-+ private final String pbeAlg;
-+ private final P11Cipher cipher;
-+ private final int blkSize;
-+ private final int keyLen;
-+ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper(
-+ DEFAULT_SALT_LENGTH, DEFAULT_COUNT);
-+
-+ P11PBECipher(Token token, String pbeAlg, long cipherMech)
-+ throws PKCS11Exception, NoSuchAlgorithmException {
-+ super();
-+ String cipherTrans;
-+ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) {
-+ cipherTrans = "AES/CBC/PKCS5Padding";
-+ } else {
-+ throw new NoSuchAlgorithmException(
-+ "Cipher transformation not supported.");
-+ }
-+ cipher = new P11Cipher(token, cipherTrans, cipherMech);
-+ blkSize = cipher.engineGetBlockSize();
-+ assert P11Util.kdfDataMap.get(pbeAlg) != null;
-+ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen;
-+ this.pbeAlg = pbeAlg;
-+ this.token = token;
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineSetMode(String mode)
-+ throws NoSuchAlgorithmException {
-+ cipher.engineSetMode(mode);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineSetPadding(String padding)
-+ throws NoSuchPaddingException {
-+ cipher.engineSetPadding(padding);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetBlockSize() {
-+ return cipher.engineGetBlockSize();
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetOutputSize(int inputLen) {
-+ return cipher.engineGetOutputSize(inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineGetIV() {
-+ return cipher.engineGetIV();
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected AlgorithmParameters engineGetParameters() {
-+ return pbes2Helper.getAlgorithmParameters(
-+ blkSize, pbeAlg, null, JCAUtil.getSecureRandom());
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ SecureRandom random) throws InvalidKeyException {
-+ try {
-+ engineInit(opmode, key, (AlgorithmParameterSpec) null, random);
-+ } catch (InvalidAlgorithmParameterException e) {
-+ throw new InvalidKeyException("requires PBE parameters", e);
-+ }
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ AlgorithmParameterSpec params, SecureRandom random)
-+ throws InvalidKeyException,
-+ InvalidAlgorithmParameterException {
-+
-+ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen,
-+ opmode, key, params, random);
-+
-+ Key derivedKey;
-+ try {
-+ derivedKey = P11SecretKeyFactory.derivePBEKey(
-+ token, pbeSpec, pbeAlg);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ AlgorithmParameters params, SecureRandom random)
-+ throws InvalidKeyException,
-+ InvalidAlgorithmParameterException {
-+ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params),
-+ random); -+ } -+ -+ // see JCE spec -+ @Override -+ protected byte[] engineUpdate(byte[] input, int inputOffset, -+ int inputLen) { -+ return cipher.engineUpdate(input, inputOffset, inputLen); -+ } -+ -+ // see JCE spec -+ @Override -+ protected int engineUpdate(byte[] input, int inputOffset, -+ int inputLen, byte[] output, int outputOffset) -+ throws ShortBufferException { -+ return cipher.engineUpdate(input, inputOffset, inputLen, -+ output, outputOffset); -+ } -+ -+ // see JCE spec -+ @Override -+ protected byte[] engineDoFinal(byte[] input, int inputOffset, -+ int inputLen) -+ throws IllegalBlockSizeException, BadPaddingException { -+ return cipher.engineDoFinal(input, inputOffset, inputLen); -+ } -+ -+ // see JCE spec -+ @Override -+ protected int engineDoFinal(byte[] input, int inputOffset, -+ int inputLen, byte[] output, int outputOffset) -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { -+ return cipher.engineDoFinal(input, inputOffset, inputLen, output, -+ outputOffset); -+ } -+ -+ // see JCE spec -+ @Override -+ protected int engineGetKeySize(Key key) -+ throws InvalidKeyException { -+ return cipher.engineGetKeySize(key); -+ } -+ -+} -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java -index 8d1b8ccb0ae..7ea9b4c5e7f 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java -@@ -31,6 +31,7 @@ import java.security.*; - import java.security.spec.*; - - import javax.crypto.*; -+import javax.crypto.interfaces.PBEKey; - import javax.crypto.spec.*; - - import static sun.security.pkcs11.TemplateManager.*; -@@ -194,6 +195,130 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { - return p11Key; +@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends 
PhantomReference { + this.clear(); } - -+ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo) -+ throws InvalidKeySpecException { -+ token.ensureValid(); -+ if (keySpec == null) { -+ throw new InvalidKeySpecException("PBEKeySpec must not be null"); -+ } -+ Session session = null; -+ try { -+ session = token.getObjSession(); -+ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo); -+ CK_MECHANISM ckMech; -+ char[] password = keySpec.getPassword(); -+ byte[] salt = keySpec.getSalt(); -+ int itCount = keySpec.getIterationCount(); -+ int keySize = keySpec.getKeyLength(); -+ if (kdfData.keyLen != -1) { -+ if (keySize == 0) { -+ keySize = kdfData.keyLen; -+ } else if (keySize != kdfData.keyLen) { -+ throw new InvalidKeySpecException( -+ "Key length is invalid for " + algo); -+ } -+ } -+ -+ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { -+ CK_INFO p11Info = token.p11.getInfo(); -+ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion -+ : null); -+ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major < -+ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) { -+ // NSS keeps using the old structure beyond PKCS #11 v2.40 -+ ckMech = new CK_MECHANISM(kdfData.kdfMech, -+ new CK_PKCS5_PBKD2_PARAMS(password, salt, -+ itCount, kdfData.prfMech)); -+ } else { -+ ckMech = new CK_MECHANISM(kdfData.kdfMech, -+ new CK_PKCS5_PBKD2_PARAMS2(password, salt, -+ itCount, kdfData.prfMech)); -+ } -+ } else { -+ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2) -+ if (P11Util.isNSS(token)) { -+ // According to PKCS #11, "password" in CK_PBE_PARAMS has -+ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded -+ // in UTF-8. However, NSS expects the password to be encoded -+ // as BMPString with a NULL terminator when C_GenerateKey -+ // is called for a PKCS #12 "General Method" derivation -+ // (see RFC 7292, Appendix B.1). -+ // -+ // The char size in Java is 2 bytes. 
When a char is -+ // converted to a CK_UTF8CHAR, the high-order byte is -+ // discarded (see jCharArrayToCKUTF8CharArray in -+ // p11_util.c). In order to have a BMPString passed to -+ // C_GenerateKey, we need to account for that and expand: -+ // the high and low parts of each char are split into 2 -+ // chars. As an example, this is the transformation for -+ // a NULL terminated password "a": -+ // char[] => [ 0x0061, 0x0000 ] -+ // / \ / \ -+ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000] -+ // | | | | -+ // BMPString => [ 0x00, 0x61, 0x00, 0x00] -+ // -+ int inputLength = (password == null) ? 0 : password.length; -+ char[] expPassword = new char[inputLength * 2 + 2]; -+ for (int i = 0, j = 0; i < inputLength; i++, j += 2) { -+ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF); -+ expPassword[j + 1] = (char) (password[i] & 0xFF); -+ } -+ password = expPassword; -+ } -+ ckMech = new CK_MECHANISM(kdfData.kdfMech, -+ new CK_PBE_PARAMS(password, salt, itCount)); -+ } -+ -+ long keyType = getKeyType(kdfData.keyAlgo); -+ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[ -+ switch (kdfData.op) { -+ case ENCRYPTION, AUTHENTICATION -> 4; -+ case GENERIC -> 5; -+ }]; -+ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); -+ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3); -+ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); -+ switch (kdfData.op) { -+ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; -+ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE; -+ case GENERIC -> { -+ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; -+ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE; -+ } -+ } -+ CK_ATTRIBUTE[] attr = token.getAttributes( -+ O_GENERATE, CKO_SECRET_KEY, keyType, attrs); -+ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr); -+ return (P11Key)P11Key.secretKey( -+ session, keyID, kdfData.keyAlgo, keySize, attr); -+ } catch (PKCS11Exception e) { -+ throw new InvalidKeySpecException("Could not create key", e); -+ } finally { -+ 
token.releaseSession(session); -+ } -+ } -+ -+ static P11Key derivePBEKey(Token token, PBEKey key, String algo) -+ throws InvalidKeyException { -+ token.ensureValid(); -+ if (key == null) { -+ throw new InvalidKeyException("PBEKey must not be null"); -+ } -+ P11Key p11Key = token.secretCache.get(key); -+ if (p11Key != null) { -+ return p11Key; -+ } -+ try { -+ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(), -+ key.getSalt(), key.getIterationCount()), algo); -+ } catch (InvalidKeySpecException e) { -+ throw new InvalidKeyException(e); -+ } -+ token.secretCache.put(key, p11Key); -+ return p11Key; -+ } -+ - static void fixDESParity(byte[] key, int offset) { - for (int i = 0; i < 8; i++) { - int b = key[offset] & 0xfe; -@@ -320,6 +445,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { - keySpec = new SecretKeySpec(keyBytes, "DESede"); - return engineGenerateSecret(keySpec); - } -+ } else if (keySpec instanceof PBEKeySpec) { -+ return (SecretKey)derivePBEKey(token, -+ (PBEKeySpec)keySpec, algorithm); - } - throw new InvalidKeySpecException - ("Unsupported spec: " + keySpec.getClass().getName()); -@@ -373,6 +501,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { - // see JCE spec - protected SecretKey engineTranslateKey(SecretKey key) - throws InvalidKeyException { -+ if (key instanceof PBEKey) { -+ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm); -+ } - return (SecretKey)convertKey(token, key, algorithm); - } - -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java -index 262cfc062ad..72b64f72c0a 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java -@@ -27,6 +27,10 @@ package sun.security.pkcs11; - - import java.math.BigInteger; - import java.security.*; -+import java.util.HashMap; -+import 
java.util.Map; -+ -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - - /** - * Collection of static utility methods. -@@ -40,10 +44,106 @@ public final class P11Util { - - private static volatile Provider sun, sunRsaSign, sunJce; - -+ // Used by PBE -+ static final class KDFData { -+ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC} -+ public long kdfMech; -+ public long prfMech; -+ public String keyAlgo; -+ public int keyLen; -+ public Operation op; -+ KDFData(long kdfMech, long prfMech, String keyAlgo, -+ int keyLen, Operation op) { -+ this.kdfMech = kdfMech; -+ this.prfMech = prfMech; -+ this.keyAlgo = keyAlgo; -+ this.keyLen = keyLen; -+ this.op = op; -+ } -+ -+ public static void addPbkdf2Data(String algo, long kdfMech, -+ long prfMech) { -+ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, -+ "Generic", -1, Operation.GENERIC)); -+ } -+ -+ public static void addPbkdf2AesData(String algo, long kdfMech, -+ long prfMech, int keyLen) { -+ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, -+ "AES", keyLen, Operation.ENCRYPTION)); -+ } -+ -+ public static void addPkcs12KDData(String algo, long kdfMech, -+ int keyLen) { -+ kdfDataMap.put(algo, new KDFData(kdfMech, -1, -+ "Generic", keyLen, Operation.AUTHENTICATION)); -+ } -+ } -+ -+ static final Map kdfDataMap = new HashMap<>(); -+ -+ static { -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256", -+ CKM_PKCS5_PBKD2, 
CKP_PKCS5_PBKD2_HMAC_SHA1, 256); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256); -+ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256); -+ -+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1); -+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224); -+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256); -+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384); -+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512", -+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512); -+ -+ KDFData.addPkcs12KDData("HmacPBESHA1", -+ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160); -+ KDFData.addPkcs12KDData("HmacPBESHA224", -+ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224); -+ KDFData.addPkcs12KDData("HmacPBESHA256", -+ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256); -+ KDFData.addPkcs12KDData("HmacPBESHA384", -+ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384); -+ KDFData.addPkcs12KDData("HmacPBESHA512", -+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); -+ KDFData.addPkcs12KDData("HmacPBESHA512/224", -+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); -+ KDFData.addPkcs12KDData("HmacPBESHA512/256", -+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); -+ } -+ - private P11Util() { - // empty - } - -+ static boolean isNSS(Token token) { -+ char[] tokenLabel = token.tokenInfo.label; -+ if (tokenLabel != null && tokenLabel.length >= 3) { -+ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' -+ && tokenLabel[2] == 'S'); -+ } -+ return false; -+ } -+ - static Provider getSunProvider() { - Provider p = sun; - if (p 
== null) { + } +- diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index aa35e8fa668..1855e5631bd 100644 +index 5cd6828d293..bae49c4e8a9 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -4119,9 +3037,9 @@ index aa35e8fa668..1855e5631bd 100644 import static sun.security.util.SecurityProviderConstants.getAliases; import sun.security.pkcs11.Secmod.*; -@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; - */ - public final class SunPKCS11 extends AuthProvider { +@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { + @Serial + private static final long serialVersionUID = -1354835039035306505L; + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); @@ -4156,10 +3074,10 @@ index aa35e8fa668..1855e5631bd 100644 + + private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; + - private static final long serialVersionUID = -1354835039035306505L; - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider { + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; +@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { @Override public SunPKCS11 run() throws Exception { 
@@ -4189,7 +3107,7 @@ index aa35e8fa668..1855e5631bd 100644 return new SunPKCS11(new Config(newConfigName)); } }); -@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; 
@@ -4202,266 +3120,35 @@ index aa35e8fa668..1855e5631bd 100644 + fipsExportKey, 0, this); + } try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, - config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance( ++ library, functionList, initArgs, + config.getOmitInitialize(), fipsKeyImporter, + fipsKeyExporter); } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider { +@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { + } else { initArgs.flags = 0; } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance(library, + functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, + fipsKeyExporter); } p11 = tmpPKCS11; -- CK_INFO p11Info = p11.C_GetInfo(); -+ CK_INFO p11Info = p11.getInfo(); - if (p11Info.cryptokiVersion.major < 2) { - throw new ProviderException("Only PKCS#11 v2.0 and later " - + "supported, library version is v" + p11Info.cryptokiVersion); -@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider { - final String className; - final List aliases; - final int[] mechanisms; -+ final int[] requiredMechs; - -+ // mechanisms is a list of possible mechanisms that implement the -+ // algorithm, at least one of them must be available. 
requiredMechs -+ // is a list of auxiliary mechanisms, all of them must be available - private Descriptor(String type, String algorithm, String className, -- List aliases, int[] mechanisms) { -+ List aliases, int[] mechanisms, int[] requiredMechs) { - this.type = type; - this.algorithm = algorithm; - this.className = className; - this.aliases = aliases; - this.mechanisms = mechanisms; -+ this.requiredMechs = requiredMechs; - } - private P11Service service(Token token, int mechanism) { - return new P11Service -@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider { - - private static void d(String type, String algorithm, String className, - int[] m) { -- register(new Descriptor(type, algorithm, className, null, m)); -+ register(new Descriptor(type, algorithm, className, null, m, null)); - } - - private static void d(String type, String algorithm, String className, - List aliases, int[] m) { -- register(new Descriptor(type, algorithm, className, aliases, m)); -+ register(new Descriptor(type, algorithm, className, aliases, m, null)); -+ } -+ -+ private static void d(String type, String algorithm, String className, -+ int[] m, int[] requiredMechs) { -+ register(new Descriptor(type, algorithm, className, null, m, -+ requiredMechs)); -+ } -+ private static void dA(String type, String algorithm, String className, -+ int[] m, int[] requiredMechs) { -+ register(new Descriptor(type, algorithm, className, -+ getAliases(algorithm), m, requiredMechs)); - } - - private static void dA(String type, String algorithm, String className, - int[] m) { - register(new Descriptor(type, algorithm, className, -- getAliases(algorithm), m)); -+ getAliases(algorithm), m, null)); - } - - private static void register(Descriptor d) { -@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider { - String P11Cipher = "sun.security.pkcs11.P11Cipher"; - String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; - String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; 
-+ String P11PBECipher = "sun.security.pkcs11.P11PBECipher"; - String P11Signature = "sun.security.pkcs11.P11Signature"; - String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; - -@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider { - d(MAC, "SslMacSHA1", P11Mac, - m(CKM_SSL3_SHA1_MAC)); - -+ if (systemFipsEnabled) { -+ /* -+ * PBA HMacs -+ * -+ * KeyDerivationMech must be supported -+ * for these services to be available. -+ * -+ */ -+ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC), -+ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); -+ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC), -+ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); -+ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC), -+ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); -+ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC), -+ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); -+ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC), -+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); -+ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC), -+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); -+ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC), -+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); -+ } -+ - d(KPG, "RSA", P11KeyPairGenerator, - getAliases("PKCS1"), - m(CKM_RSA_PKCS_KEY_PAIR_GEN)); -@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider { - d(SKF, "ChaCha20", P11SecretKeyFactory, - m(CKM_CHACHA20_POLY1305)); - -+ if (systemFipsEnabled) { -+ /* -+ * PBE Secret Key Factories -+ * -+ * KeyDerivationPrf must be supported for these services -+ * to be available. 
-+ * -+ */ -+ d(SKF, "PBEWithHmacSHA1AndAES_128", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); -+ d(SKF, "PBEWithHmacSHA224AndAES_128", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); -+ d(SKF, "PBEWithHmacSHA256AndAES_128", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); -+ d(SKF, "PBEWithHmacSHA384AndAES_128", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); -+ d(SKF, "PBEWithHmacSHA512AndAES_128", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); -+ d(SKF, "PBEWithHmacSHA1AndAES_256", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); -+ d(SKF, "PBEWithHmacSHA224AndAES_256", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); -+ d(SKF, "PBEWithHmacSHA256AndAES_256", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); -+ d(SKF, "PBEWithHmacSHA384AndAES_256", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); -+ d(SKF, "PBEWithHmacSHA512AndAES_256", -+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); -+ /* -+ * PBA Secret Key Factories -+ */ -+ d(SKF, "HmacPBESHA1", P11SecretKeyFactory, -+ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); -+ d(SKF, "HmacPBESHA224", P11SecretKeyFactory, -+ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); -+ d(SKF, "HmacPBESHA256", P11SecretKeyFactory, -+ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); -+ d(SKF, "HmacPBESHA384", P11SecretKeyFactory, -+ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); -+ d(SKF, "HmacPBESHA512", P11SecretKeyFactory, -+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); -+ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory, -+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); -+ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory, -+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); -+ /* -+ * PBKDF2 Secret Key Factories -+ */ -+ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory, -+ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); -+ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory, -+ m(CKM_PKCS5_PBKD2), 
m(CKM_SHA224_HMAC)); -+ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory, -+ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); -+ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory, -+ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); -+ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory, -+ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); -+ } -+ - // XXX attributes for Ciphers (supported modes, padding) - dA(CIP, "ARCFOUR", P11Cipher, - m(CKM_RC4)); -@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider { - d(CIP, "RSA/ECB/NoPadding", P11RSACipher, - m(CKM_RSA_X_509)); - -+ if (systemFipsEnabled) { -+ /* -+ * PBE Ciphers -+ * -+ * KeyDerivationMech and KeyDerivationPrf must be supported -+ * for these services to be available. -+ * -+ */ -+ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); -+ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); -+ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); -+ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); -+ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); -+ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); -+ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); -+ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); -+ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); -+ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher, -+ 
m(CKM_AES_CBC_PAD, CKM_AES_CBC), -+ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); -+ } -+ - d(SIG, "RawDSA", P11Signature, - List.of("NONEwithDSA"), - m(CKM_DSA)); -@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider { - if (ds == null) { - continue; - } -+ descLoop: - for (Descriptor d : ds) { - Integer oldMech = supportedAlgs.get(d); - if (oldMech == null) { -+ if (d.requiredMechs != null) { -+ // Check that other mechanisms required for the -+ // service are supported before listing it as -+ // available for the first time. -+ for (int requiredMech : d.requiredMechs) { -+ if (token.getMechanismInfo( -+ requiredMech & 0xFFFFFFFFL) == null) { -+ continue descLoop; -+ } -+ } -+ } - supportedAlgs.put(d, integerMech); - continue; - } -@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider { } @Override + @SuppressWarnings("removal") public Object newInstance(Object param) throws NoSuchAlgorithmException { - if (token.isValid() == false) { + if (!token.isValid()) { throw new NoSuchAlgorithmException("Token has been removed"); } + if (systemFipsEnabled && !token.fipsLoggedIn && @@ -4507,16 +3194,7 @@ index aa35e8fa668..1855e5631bd 100644 try { return newInstance0(param); } catch (PKCS11Exception e) { -@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider { - } else if (algorithm.endsWith("GCM/NoPadding") || - algorithm.startsWith("ChaCha20-Poly1305")) { - return new P11AEADCipher(token, algorithm, mechanism); -+ } else if (algorithm.startsWith("PBE")) { -+ return new P11PBECipher(token, algorithm, mechanism); - } else { - return new P11Cipher(token, algorithm, mechanism); - } -@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider { try { session = token.getOpSession(); p11.C_Logout(session.id()); 
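Review bot: The refreshed SunPKCS11 constructor hunks rewrap both `PKCS11.getInstance(...)` calls instead of only extending their argument lists, and the two sites end up wrapped differently: `getInstance(` followed by `library, functionList, initArgs,` in the CKF_OS_LOCKING_OK path, `getInstance(library,` followed by `functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,` in the fallback. Because this patch is carried across rebases, it would be safer to leave the base line `tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,` as context at both sites and change only the continuation to `config.getOmitInitialize(), fipsKeyImporter,` / `fipsKeyExporter);`, which keeps the conflict surface small around the code that hands the FIPS key import/export handles to the wrapper. The constructor starts and ends outside these hunks, so whether the handles can be null outside FIPS mode cannot be checked from here. The same outer hunk also drops the PBE/PBKDF2 service registrations and the `requiredMechs` availability check from the patch; presumably the rebased base now supplies them, and saying so in the commit description would let a reader confirm those algorithms are still offered in FIPS mode.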
@@ -4527,7 +3205,7 @@ index aa35e8fa668..1855e5631bd 100644 debug.println("logout succeeded"); } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -index 9858a5faedf..e63585486d9 100644 +index a6f5f0a8764..9a07c96ca4e 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java @@ -33,6 +33,7 @@ import java.lang.ref.*; @@ -4538,17 +3216,17 @@ index 9858a5faedf..e63585486d9 100644 import sun.security.jca.JCAUtil; import sun.security.pkcs11.wrapper.*; -@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; */ - class Token implements Serializable { + final class Token implements Serializable { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + // need to be serializable to allow SecureRandom to be serialized + @Serial private static final long serialVersionUID = 2541527649100571747L; - -@@ -114,6 +118,10 @@ class Token implements Serializable { +@@ -125,6 +129,10 @@ final class Token implements Serializable { // flag indicating whether we are logged in private volatile boolean loggedIn; @@ -4559,10 +3237,10 @@ index 9858a5faedf..e63585486d9 100644 // time we last checked login status private long lastLoginCheck; -@@ -232,7 +240,12 @@ class Token implements Serializable { +@@ -242,7 +250,12 @@ final class Token implements Serializable { // call provider.login() if not void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { - if (isLoggedIn(session) == false) { + if (!isLoggedIn(session)) { - provider.login(null, null); + if (systemFipsEnabled) { + provider.login(null, new FIPSTokenLoginHandler()); 
@@ -4573,350 +3251,8 @@ index 9858a5faedf..e63585486d9 100644 } } -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java -index 88ff8a71fc3..47a2f97eddf 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java -@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS { - } - - /** -- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. -+ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS. - * -- * @return the string representation of CK_PKCS5_PBKD2_PARAMS -+ * @return the string representation of CK_ECDH1_DERIVE_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java -index 0c9ebb289c1..b4b2448464d 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java -@@ -160,6 +160,18 @@ public class CK_MECHANISM { - init(mechanism, params); - } - -+ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) { -+ init(mechanism, params); -+ } -+ -+ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) { -+ init(mechanism, params); -+ } -+ -+ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) { -+ init(mechanism, params); -+ } -+ - // For PSS. 
the parameter may be set multiple times, use the - // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS) - // methods instead of creating yet another constructor -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java -index e8b048869c4..a25fa1c39e5 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java -@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper; - - - /** -- * class CK_PBE_PARAMS provides all of the necessary information required byte -+ * class CK_PBE_PARAMS provides all the necessary information required by - * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

- * PKCS#11 structure: - *

-  * typedef struct CK_PBE_PARAMS {
-- *   CK_CHAR_PTR pInitVector;
-- *   CK_CHAR_PTR pPassword;
-+ *   CK_BYTE_PTR pInitVector;
-+ *   CK_UTF8CHAR_PTR pPassword;
-  *   CK_ULONG ulPasswordLen;
-- *   CK_CHAR_PTR pSalt;
-+ *   CK_BYTE_PTR pSalt;
-  *   CK_ULONG ulSaltLen;
-  *   CK_ULONG ulIteration;
-  * } CK_PBE_PARAMS;
-@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
-     /**
-      * PKCS#11:
-      * 
--     *   CK_CHAR_PTR pInitVector;
-+     *   CK_BYTE_PTR pInitVector;
-      * 
- */ -- public char[] pInitVector; -+ public byte[] pInitVector; - - /** - * PKCS#11: - *
--     *   CK_CHAR_PTR pPassword;
-+     *   CK_UTF8CHAR_PTR pPassword;
-      *   CK_ULONG ulPasswordLen;
-      * 
- */ -@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS { - /** - * PKCS#11: - *
--     *   CK_CHAR_PTR pSalt
-+     *   CK_BYTE_PTR pSalt
-      *   CK_ULONG ulSaltLen;
-      * 
- */ -- public char[] pSalt; -+ public byte[] pSalt; - - /** - * PKCS#11: -@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS { - */ - public long ulIteration; - -+ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) { -+ this.pPassword = pPassword; -+ this.pSalt = pSalt; -+ this.ulIteration = ulIteration; -+ } -+ - /** - * Returns the string representation of CK_PBE_PARAMS. - * -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java -index fb90bfced27..a01beb0753a 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java -@@ -47,7 +47,7 @@ - - package sun.security.pkcs11.wrapper; - -- -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - - /** - * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2 -@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper; - * PKCS#11 structure: - *
-  * typedef struct CK_PKCS5_PBKD2_PARAMS {
-- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
-+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-  *   CK_VOID_PTR pSaltSourceData;
-  *   CK_ULONG ulSaltSourceDataLen;
-  *   CK_ULONG iterations;
-  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-  *   CK_VOID_PTR pPrfData;
-  *   CK_ULONG ulPrfDataLen;
-+ *   CK_UTF8CHAR_PTR pPassword;
-+ *   CK_ULONG_PTR ulPasswordLen;
-  * } CK_PKCS5_PBKD2_PARAMS;
-  * 
- * -@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS { - */ - public byte[] pPrfData; - -+ /** -+ * PKCS#11: -+ *
-+     *   CK_UTF8CHAR_PTR pPassword
-+     *   CK_ULONG_PTR ulPasswordLen;
-+     * 
-+ */ -+ public char[] pPassword; -+ -+ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt, -+ long iterations, long prf) { -+ this.pPassword = pPassword; -+ this.pSaltSourceData = pSalt; -+ this.iterations = iterations; -+ this.prf = prf; -+ this.saltSource = CKZ_SALT_SPECIFIED; -+ } -+ - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java -new file mode 100644 -index 00000000000..935db656639 ---- /dev/null -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java -@@ -0,0 +1,156 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+package sun.security.pkcs11.wrapper; -+ -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+ -+/** -+ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2 -+ * mechanism.

-+ * PKCS#11 structure: -+ *

-+ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
-+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-+ *   CK_VOID_PTR pSaltSourceData;
-+ *   CK_ULONG ulSaltSourceDataLen;
-+ *   CK_ULONG iterations;
-+ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+ *   CK_VOID_PTR pPrfData;
-+ *   CK_ULONG ulPrfDataLen;
-+ *   CK_UTF8CHAR_PTR pPassword;
-+ *   CK_ULONG ulPasswordLen;
-+ * } CK_PKCS5_PBKD2_PARAMS2;
-+ * 
-+ * -+ */ -+public class CK_PKCS5_PBKD2_PARAMS2 { -+ -+ /** -+ * PKCS#11: -+ *
-+     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-+     * 
-+ */ -+ public long saltSource; -+ -+ /** -+ * PKCS#11: -+ *
-+     *   CK_VOID_PTR pSaltSourceData;
-+     *   CK_ULONG ulSaltSourceDataLen;
-+     * 
-+ */ -+ public byte[] pSaltSourceData; -+ -+ /** -+ * PKCS#11: -+ *
-+     *   CK_ULONG iterations;
-+     * 
-+ */ -+ public long iterations; -+ -+ /** -+ * PKCS#11: -+ *
-+     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+     * 
-+ */ -+ public long prf; -+ -+ /** -+ * PKCS#11: -+ *
-+     *   CK_VOID_PTR pPrfData;
-+     *   CK_ULONG ulPrfDataLen;
-+     * 
-+ */ -+ public byte[] pPrfData; -+ -+ /** -+ * PKCS#11: -+ *
-+     *   CK_UTF8CHAR_PTR pPassword
-+     *   CK_ULONG ulPasswordLen;
-+     * 
-+ */ -+ public char[] pPassword; -+ -+ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt, -+ long iterations, long prf) { -+ this.pPassword = pPassword; -+ this.pSaltSourceData = pSalt; -+ this.iterations = iterations; -+ this.prf = prf; -+ this.saltSource = CKZ_SALT_SPECIFIED; -+ } -+ -+ /** -+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2. -+ * -+ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2 -+ */ -+ public String toString() { -+ StringBuilder sb = new StringBuilder(); -+ -+ sb.append(Constants.INDENT); -+ sb.append("saltSource: "); -+ sb.append(saltSource); -+ sb.append(Constants.NEWLINE); -+ -+ sb.append(Constants.INDENT); -+ sb.append("pSaltSourceData: "); -+ sb.append(Functions.toHexString(pSaltSourceData)); -+ sb.append(Constants.NEWLINE); -+ -+ sb.append(Constants.INDENT); -+ sb.append("ulSaltSourceDataLen: "); -+ sb.append(pSaltSourceData.length); -+ sb.append(Constants.NEWLINE); -+ -+ sb.append(Constants.INDENT); -+ sb.append("iterations: "); -+ sb.append(iterations); -+ sb.append(Constants.NEWLINE); -+ -+ sb.append(Constants.INDENT); -+ sb.append("prf: "); -+ sb.append(prf); -+ sb.append(Constants.NEWLINE); -+ -+ sb.append(Constants.INDENT); -+ sb.append("pPrfData: "); -+ sb.append(Functions.toHexString(pPrfData)); -+ sb.append(Constants.NEWLINE); -+ -+ sb.append(Constants.INDENT); -+ sb.append("ulPrfDataLen: "); -+ sb.append(pPrfData.length); -+ -+ return sb.toString(); -+ } -+ -+} -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java -index 1f9c4d39f57..5e3c1b9d29f 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java -@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS { - public byte[] 
pPublicData; - - /** -- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. -+ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS. - * -- * @return the string representation of CK_PKCS5_PBKD2_PARAMS -+ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..d796aaa3075 100644 +index 4b06daaf264..55e14945469 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; @@ -4929,23 +3265,8 @@ index 5c0aacd1a67..d796aaa3075 100644 import java.util.*; import java.security.AccessController; -@@ -113,6 +116,8 @@ public class PKCS11 { - - private long pNativeData; - -+ private volatile CK_INFO pInfo; -+ - /** - * This method does the initialization of the native library. It is called - * exactly once for this class. -@@ -145,23 +150,48 @@ public class PKCS11 { - * @postconditions - */ - PKCS11(String pkcs11ModulePath, String functionListName) -- throws IOException { -+ throws IOException, PKCS11Exception { - connect(pkcs11ModulePath, functionListName); - this.pkcs11ModulePath = pkcs11ModulePath; +@@ -174,18 +177,43 @@ public class PKCS11 { + return version; } + /* 
@@ -4991,45 +3312,7 @@ index 5c0aacd1a67..d796aaa3075 100644 } if (omitInitialize == false) { try { -@@ -179,6 +209,28 @@ public class PKCS11 { - return pkcs11; - } - -+ /** -+ * Returns the CK_INFO structure fetched at initialization with -+ * C_GetInfo. This structure represent Cryptoki library information. -+ */ -+ public CK_INFO getInfo() { -+ CK_INFO lPInfo = pInfo; -+ if (lPInfo == null) { -+ synchronized (this) { -+ lPInfo = pInfo; -+ if (lPInfo == null) { -+ try { -+ lPInfo = C_GetInfo(); -+ pInfo = lPInfo; -+ } catch (PKCS11Exception e) { -+ // Some PKCS #11 tokens require initialization first. -+ } -+ } -+ } -+ } -+ return lPInfo; -+ } -+ - /** - * Connects this object to the specified PKCS#11 library. This method is for - * internal use only. -@@ -1625,7 +1677,7 @@ public class PKCS11 { - static class SynchronizedPKCS11 extends PKCS11 { - - SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) -- throws IOException { -+ throws IOException, PKCS11Exception { - super(pkcs11ModulePath, functionListName); - } - -@@ -1911,4 +1963,194 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } @@ -5043,7 +3326,7 @@ index 5c0aacd1a67..d796aaa3075 100644 + private MethodHandle hC_GetAttributeValue; + FIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException, PKCS11Exception { ++ throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + this.fipsKeyExporter = fipsKeyExporter; 
@@ -5095,7 +3378,7 @@ index 5c0aacd1a67..d796aaa3075 100644 + private MethodHandle hC_GetAttributeValue; + SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException, PKCS11Exception { ++ throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + this.fipsKeyExporter = fipsKeyExporter; 
@@ -5224,455 +3507,38 @@ index 5c0aacd1a67..d796aaa3075 100644 + } +} } -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java -index 0d65ee26805..38fd4aff1f3 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java -@@ -1104,17 +1104,6 @@ public interface PKCS11Constants { - public static final long CKD_BLAKE2B_384_KDF = 0x00000019L; - public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL; - -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L; -- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L; -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L; -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L; -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L; -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L; -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L; -- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L; -- -- public static final long CKZ_SALT_SPECIFIED = 0x00000001L; -- - public static final long CK_OTP_VALUE = 0x00000000L; - public static final long CK_OTP_PIN = 0x00000001L; - public static final long CK_OTP_CHALLENGE = 0x00000002L; -@@ -1150,12 +1139,23 @@ public interface PKCS11Constants { - public static final long CKF_HKDF_SALT_KEY = 0x00000004L; - */ - -+ // PBKDF2 support, used in P11Util -+ public static final long CKZ_SALT_SPECIFIED = 0x00000001L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L; 
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L; -+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L; -+ - // private NSS attribute (for DSA and DH private keys) - public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L; - - // base number of NSS private attributes - public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/ -- = 0xCE534350L; -+ /* now known as CKM_NSS ^ */ = 0xCE534350L; - - // object type for NSS trust - public static final long CKO_NETSCAPE_TRUST = 0xCE534353L; -@@ -1180,4 +1180,14 @@ public interface PKCS11Constants { - = 0xCE534355L; - public static final long CKT_NETSCAPE_VALID = 0xCE53435AL; - public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL; -+ -+ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 -+ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN -+ /* (CKM_NSS + 29) */ = 0xCE53436DL; -+ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN -+ /* (CKM_NSS + 30) */ = 0xCE53436EL; -+ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN -+ /* (CKM_NSS + 31) */ = 0xCE53436FL; -+ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN -+ /* (CKM_NSS + 32) */ = 0xCE534370L; - } -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -index d941b574cc7..e2de13648be 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_DES2_EDE_CBC: - case CKM_PBA_SHA1_WITH_SHA1_HMAC: -+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: -+ case 
CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: - ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength); - break; - case CKM_PKCS5_PBKD2: -@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) - // retrieve java values - jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); - if (jPbeParamsClass == NULL) { return NULL; } -- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C"); -+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B"); - if (fieldID == NULL) { return NULL; } - jInitVector = (*env)->GetObjectField(env, jParam, fieldID); - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C"); - if (fieldID == NULL) { return NULL; } - jPassword = (*env)->GetObjectField(env, jParam, fieldID); -- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C"); -+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B"); - if (fieldID == NULL) { return NULL; } - jSalt = (*env)->GetObjectField(env, jParam, fieldID); - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); -@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) - - // populate using java values - ckParamPtr->ulIteration = jLongToCKULong(jIteration); -- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp); -+ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } -- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen)); -+ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen)); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } -- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen)); -+ jByteArrayToCKByteArray(env, 
jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen)); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } -@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job - } - } - -+#define PBKD2_PARAM_SET(member, value) \ -+ do { \ -+ if(ckParamPtr->version == PARAMS) { \ -+ ckParamPtr->params.v1.member = value; \ -+ } else { \ -+ ckParamPtr->params.v2.member = value; \ -+ } \ -+ } while(0) -+ -+#define PBKD2_PARAM_ADDR(member) \ -+ ( \ -+ (ckParamPtr->version == PARAMS) ? \ -+ (void*) &ckParamPtr->params.v1.member : \ -+ (void*) &ckParamPtr->params.v2.member \ -+ ) -+ - /* -- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS -+ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS -+ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2 - * pointer - * -- * @param env - used to call JNI funktions to get the Java classes and objects -- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert -+ * @param env - used to call JNI functions to get the Java classes and objects -+ * @param jParam - the Java object to convert - * @param pLength - length of the allocated memory of the returned pointer -- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure -+ * @return pointer to the new structure - */ --CK_PKCS5_PBKD2_PARAMS_PTR -+CK_VOID_PTR - jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) - { -- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr; -+ VersionedPbkd2ParamsPtr ckParamPtr; -+ ParamVersion paramVersion; -+ CK_ULONG_PTR pUlPasswordLen; - jclass jPkcs5Pbkd2ParamsClass; - jfieldID fieldID; - jlong jSaltSource, jIteration, jPrf; -- jobject jSaltSourceData, jPrfData; -+ jobject jSaltSourceData, jPrfData, jPassword; - - if (pLength != NULL) { - *pLength = 0L; +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 
b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index 920422376f8..6aa308fa5f8 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { + return res; } - // retrieve java values -- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); -- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; } -+ if ((jPkcs5Pbkd2ParamsClass = -+ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL -+ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { -+ paramVersion = PARAMS; -+ } else if ((jPkcs5Pbkd2ParamsClass = -+ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL -+ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { -+ paramVersion = PARAMS2; -+ } else { -+ return NULL; ++ /** ++ * Constructor taking the error code from the RV enum and ++ * extra info for error message. 
++ */ ++ public PKCS11Exception(RV errorEnum, String extraInfo) { ++ this(errorEnum.value, extraInfo); + } - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); - if (fieldID == NULL) { return NULL; } - jSaltSource = (*env)->GetLongField(env, jParam, fieldID); -@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); - if (fieldID == NULL) { return NULL; } - jPrfData = (*env)->GetObjectField(env, jParam, fieldID); -+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C"); -+ if (fieldID == NULL) { return NULL; } -+ jPassword = (*env)->GetObjectField(env, jParam, fieldID); - -- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer -- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS)); -+ // allocate memory for VersionedPbkd2Params and store the structure version -+ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params)); - if (ckParamPtr == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } -+ ckParamPtr->version = paramVersion; - - // populate using java values -- ckParamPtr->saltSource = jLongToCKULong(jSaltSource); -- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) -- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen)); -+ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource)); -+ jByteArrayToCKByteArray(env, jSaltSourceData, -+ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData), -+ PBKD2_PARAM_ADDR(ulSaltSourceDataLen)); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } -- ckParamPtr->iterations = jLongToCKULong(jIteration); -- ckParamPtr->prf = jLongToCKULong(jPrf); -- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) -- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen)); -+ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration)); -+ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf)); -+ jByteArrayToCKByteArray(env, jPrfData, -+ (CK_BYTE_PTR *) 
PBKD2_PARAM_ADDR(pPrfData), -+ PBKD2_PARAM_ADDR(ulPrfDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ goto cleanup; -+ } -+ if (ckParamPtr->version == PARAMS) { -+ pUlPasswordLen = calloc(1, sizeof(CK_ULONG)); -+ if (pUlPasswordLen == NULL) { -+ throwOutOfMemoryError(env, 0); -+ goto cleanup; -+ } -+ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen; -+ } else { -+ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen; -+ } -+ jCharArrayToCKUTF8CharArray(env, jPassword, -+ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword), -+ pUlPasswordLen); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } - - if (pLength != NULL) { -- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS); -+ *pLength = (ckParamPtr->version == PARAMS ? -+ sizeof(ckParamPtr->params.v1) : -+ sizeof(ckParamPtr->params.v2)); - } -+ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR - return ckParamPtr; - cleanup: -- free(ckParamPtr->pSaltSourceData); -- free(ckParamPtr->pPrfData); -+ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr); - free(ckParamPtr); - return NULL; - -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -index 520bd52a2cd..aa76945283d 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { - case CKM_CAMELLIA_CTR: - // params do not contain pointers - break; -+ case CKM_PKCS5_PBKD2: -+ // get the versioned structure from behind memory -+ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ? 
-+ "[ CK_PKCS5_PBKD2_PARAMS ]\n" : -+ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n"); -+ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp); -+ break; -+ case CKM_PBA_SHA1_WITH_SHA1_HMAC: -+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: -+ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector); -+ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword); -+ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt); -+ break; - default: - // currently unsupported mechs by SunPKCS11 provider - // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE, - // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*, -- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2, -+ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, - // PBE mechs, WTLS mechs, CMS mechs, - // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP, - // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_* -@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO - jboolean* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR * - jbyte* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR - jlong* jTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR * - jchar* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH - jchar* jTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -index eb6d01b9e47..450e4d27d62 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -@@ -68,6 +68,7 @@ - /* extra PKCS#11 constants not in the standard include files */ - - #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350) -+/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */ - #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000) - #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8) - #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9) -@@ -76,6 +77,12 @@ - #define CKA_NETSCAPE_DB 0xD5A0DB00 - #define CKM_NSS_TLS_PRF_GENERAL 0x80000373 - -+/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */ -+#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29) -+#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30) -+#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31) -+#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32) + - /* - - Define the PKCS#11 functions to include and exclude. 
Reduces the size -@@ -265,6 +272,7 @@ void printDebug(const char *format, ...); - #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS" - #define PBE_INIT_VECTOR_SIZE 8 - #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS" -+#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2" - #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS" - - #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS" -@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM - CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env, - jobject jParam, CK_ULONG* pLength); - CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); --CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); -+CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam); -@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env, - CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - -+/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */ -+typedef enum {PARAMS=0, PARAMS2} ParamVersion; -+ -+typedef struct { -+ union { -+ CK_PKCS5_PBKD2_PARAMS v1; -+ 
CK_PKCS5_PBKD2_PARAMS2 v2; -+ } params; -+ ParamVersion version; -+} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr; -+ -+#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \ -+ do { \ -+ if ((verParamsPtr)->version == PARAMS) { \ -+ free((verParamsPtr)->params.v1.pSaltSourceData); \ -+ free((verParamsPtr)->params.v1.pPrfData); \ -+ free((verParamsPtr)->params.v1.pPassword); \ -+ free((verParamsPtr)->params.v1.ulPasswordLen); \ -+ } else { \ -+ free((verParamsPtr)->params.v2.pSaltSourceData); \ -+ free((verParamsPtr)->params.v2.pPrfData); \ -+ free((verParamsPtr)->params.v2.pPassword); \ -+ } \ -+ } while(0) -+ - /* functions to copy the returned values inside CK-mechanism back to Java object */ - - void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 8c9e4f9dbe6..883dc04758e 100644 +index 7f8c4dba002..e65b11fc3ee 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -38,6 +38,7 @@ import java.util.HashMap; - import java.util.Iterator; +@@ -34,6 +34,7 @@ import java.security.ProviderException; + import java.util.HashMap; import java.util.List; +import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAAlgorithmParameters; import sun.security.ec.ed.EdDSAKeyFactory; import sun.security.ec.ed.EdDSAKeyPairGenerator; -@@ -56,6 +57,10 @@ public final class SunEC extends Provider { + import sun.security.ec.ed.EdDSASignature; +@@ -50,6 +51,10 @@ public final class SunEC extends Provider { private static final long serialVersionUID = -2279741672933606418L; 
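Review bot: The newly added `PKCS11Exception(RV errorEnum, String extraInfo)` constructor reads `errorEnum.value` inside its `this(...)` call, so a null argument surfaces as a bare NullPointerException raised while building the exception instead of a PKCS11Exception. Its Javadoc should state the precondition, for example `@param errorEnum the RV constant identifying the error; must not be null` and `@param extraInfo additional text appended to the error message`. The rest of the class and every caller of this constructor are outside the hunk. Because this patch also carries the FIPS key importer/exporter wrappers, it is worth confirming that the `extraInfo` strings passed from those paths never include key attribute values, since exception messages commonly end up in logs.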
@@ -5683,11 +3549,10 @@ index 8c9e4f9dbe6..883dc04758e 100644 private static class ProviderServiceA extends ProviderService { ProviderServiceA(Provider p, String type, String algo, String cn, HashMap attrs) { -@@ -249,85 +254,86 @@ public final class SunEC extends Provider { - +@@ -240,83 +245,85 @@ public final class SunEC extends Provider { putXDHEntries(); putEdDSAEntries(); -- + - /* - * Signature engines - */ @@ -5757,9 +3622,8 @@ index 8c9e4f9dbe6..883dc04758e 100644 - /* - * Key Pair Generator engine - */ -- putService(new ProviderService(this, "KeyPairGenerator", -- "EC", "sun.security.ec.ECKeyPairGenerator", -- List.of("EllipticCurve"), ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); - - /* - * Key Agreement engine @@ -5836,9 +3700,8 @@ index 8c9e4f9dbe6..883dc04758e 100644 + /* + * Key Pair Generator engine + */ -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EC", "sun.security.ec.ECKeyPairGenerator", -+ List.of("EllipticCurve"), ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); + + /* + * Key Agreement engine @@ -5849,7 +3712,7 @@ index 8c9e4f9dbe6..883dc04758e 100644 } private void putXDHEntries() { -@@ -344,23 +350,25 @@ public final class SunEC extends Provider { +@@ -333,23 +340,25 @@ public final class SunEC extends Provider { "X448", "sun.security.ec.XDHKeyFactory.X448", ATTRS)); @@ -5892,7 +3755,7 @@ index 8c9e4f9dbe6..883dc04758e 100644 } private void putEdDSAEntries() { -@@ -375,21 +383,23 @@ public final class SunEC extends Provider { +@@ -364,21 +373,23 @@ public final class SunEC extends Provider { putService(new ProviderServiceA(this, "KeyFactory", "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); 
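Review bot: The KeyPairGenerator registration had to be edited twice in this rebase, once in the removed copy (`@@ -5757,9 +3622,8 @@`) and once in the re-added copy (`@@ -5836,9 +3700,8 @@`), because the embedded SunEC hunk `@@ -240,83 +245,85 @@` removes and re-adds the whole service-registration block. That hunk appears to do so only to re-indent the block inside a new conditional, though the condition is outside the lines shown here. Every upstream change to those registrations then has to be mirrored by hand in both copies, and a missed one either breaks patch application or leaves the FIPS build registering a different service set than upstream. If the condition allows it, a guard placed ahead of the block (an early return, or moving the block into a private helper called under the condition) would shrink the downstream patch to a few added lines and leave the upstream registrations untouched.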
@@ -5931,883 +3794,6 @@ index 8c9e4f9dbe6..883dc04758e 100644 } } -diff --git a/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java -new file mode 100644 -index 00000000000..a184a169732 ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java -@@ -0,0 +1,233 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+import java.math.BigInteger; -+import java.security.AlgorithmParameters; -+import java.security.NoSuchAlgorithmException; -+import java.security.Provider; -+import java.security.SecureRandom; -+import java.security.Security; -+import java.util.Map; -+ -+import javax.crypto.Cipher; -+import javax.crypto.SecretKey; -+import javax.crypto.SecretKeyFactory; -+import javax.crypto.interfaces.PBEKey; -+import javax.crypto.spec.IvParameterSpec; -+import javax.crypto.spec.PBEKeySpec; -+import javax.crypto.spec.PBEParameterSpec; -+ -+/* -+ * @test -+ * @bug 9999999 -+ * @summary test password based encryption on SunPKCS11's Cipher service -+ * @requires (jdk.version.major >= 8) -+ * @library /test/lib .. -+ * @run main/othervm/timeout=30 PBECipher -+ */ -+ -+public final class PBECipher { -+ public static void main(String[] args) throws Exception { -+ java.security.Security.getProviders(); -+ PBECipher2.main(args); -+ } -+} -+ -+final class PBECipher2 extends PKCS11Test { -+ private static final char[] password = "123456".toCharArray(); -+ private static final byte[] salt = "abcdefgh".getBytes(); -+ private static final byte[] iv = new byte[16]; -+ private static final int iterations = 1000; -+ private static final String plainText = "This is a know plain text!"; -+ private static final String sep = -+ "========================================================================="; -+ -+ private static enum Configuration { -+ // Provide salt and iterations through a PBEParameterSpec instance -+ PBEParameterSpec, -+ -+ // Provide salt and iterations through a AlgorithmParameters instance -+ AlgorithmParameters, -+ -+ // Provide salt and iterations through an anonymous class implementing -+ // the javax.crypto.interfaces.PBEKey interface -+ AnonymousPBEKey, -+ } -+ -+ private static Provider sunJCE = Security.getProvider("SunJCE"); -+ -+ // Generated with SunJCE -+ private static final Map assertionData = Map.of( -+ "PBEWithHmacSHA1AndAES_128", new 
BigInteger("8eebe98a580fb09d026" + -+ "dbfe60b3733b079e0de9ea7b0b1ccba011a1652d1e257", 16), -+ "PBEWithHmacSHA224AndAES_128", new BigInteger("1cbabdeb5d483af4a" + -+ "841942f4b1095b7d6f60e46fabfd2609c015adc38cc227", 16), -+ "PBEWithHmacSHA256AndAES_128", new BigInteger("4d82f6591df3508d2" + -+ "4531f06cdc4f90f4bdab7aeb07fbb57a3712e999d5b6f59", 16), -+ "PBEWithHmacSHA384AndAES_128", new BigInteger("3a0ed0959d51f40b9" + -+ "ba9f506a5277f430521f2fbe1ba94bae368835f221b6cb9", 16), -+ "PBEWithHmacSHA512AndAES_128", new BigInteger("1388287a446009309" + -+ "1418f4eca3ba1735b1fa025423d74ced36ce578d8ebf9da", 16), -+ "PBEWithHmacSHA1AndAES_256", new BigInteger("80f8208daab27ed02dd" + -+ "8a354ef6f23ff7813c84dd1c8a1b081d6f4dee27182a2", 16), -+ "PBEWithHmacSHA224AndAES_256", new BigInteger("7e3b9ce20aec2e52f" + -+ "f6c781602d4f79a55a88495b5217f1e22e1a068268e6247", 16), -+ "PBEWithHmacSHA256AndAES_256", new BigInteger("9d6a8b6a351dfd0dd" + -+ "9e9f45924b2860dca7719c4c07e207a64ebc1acd16cc157", 16), -+ "PBEWithHmacSHA384AndAES_256", new BigInteger("6f1b386cee3a8e2d9" + -+ "8c2e81828da0467dec8b989d22258efeab5932580d01d53", 16), -+ "PBEWithHmacSHA512AndAES_256", new BigInteger("30aaa346b2edd394f" + -+ "50916187876ac32f1287b19d55c5eea6f7ef9b84aaf291e", 16) -+ ); -+ -+ private static final class NoRandom extends SecureRandom { -+ @Override -+ public void nextBytes(byte[] bytes) { -+ return; -+ } -+ } -+ -+ public void main(Provider sunPKCS11) throws Exception { -+ System.out.println("SunPKCS11: " + sunPKCS11.getName()); -+ for (Configuration conf : Configuration.values()) { -+ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", 
conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", conf); -+ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", conf); -+ } -+ System.out.println("TEST PASS - OK"); -+ } -+ -+ private void testWith(Provider sunPKCS11, String algorithm, -+ Configuration conf) throws Exception { -+ System.out.println(sep + System.lineSeparator() + algorithm -+ + " (with " + conf.name() + ")"); -+ -+ Cipher pbeCipher = getCipher(sunPKCS11, algorithm, conf); -+ BigInteger cipherText = new BigInteger(1, pbeCipher.doFinal( -+ plainText.getBytes())); -+ printByteArray("Cipher Text", cipherText); -+ -+ BigInteger expectedCipherText = null; -+ if (sunJCE != null) { -+ Cipher c = getCipher(sunJCE, algorithm, conf); -+ if (c != null) { -+ expectedCipherText = new BigInteger(1, c.doFinal( -+ plainText.getBytes())); -+ } else { -+ // Move to assertionData as it's unlikely that any of -+ // the algorithms are available. -+ sunJCE = null; -+ } -+ } -+ if (expectedCipherText == null) { -+ // If SunJCE or the algorithm are not available, assertionData -+ // is used instead. 
-+ expectedCipherText = assertionData.get(algorithm); -+ } -+ -+ if (!cipherText.equals(expectedCipherText)) { -+ printByteArray("Expected Cipher Text", expectedCipherText); -+ throw new Exception("Expected Cipher Text did not match"); -+ } -+ } -+ -+ private Cipher getCipher(Provider p, String algorithm, -+ Configuration conf) throws Exception { -+ Cipher pbeCipher = null; -+ try { -+ pbeCipher = Cipher.getInstance(algorithm, p); -+ } catch (NoSuchAlgorithmException e) { -+ return null; -+ } -+ switch (conf) { -+ case PBEParameterSpec, AlgorithmParameters -> { -+ SecretKey key = getPasswordOnlyPBEKey(); -+ PBEParameterSpec paramSpec = new PBEParameterSpec( -+ salt, iterations, new IvParameterSpec(iv)); -+ switch (conf) { -+ case PBEParameterSpec -> { -+ pbeCipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); -+ } -+ case AlgorithmParameters -> { -+ AlgorithmParameters algoParams = -+ AlgorithmParameters.getInstance("PBES2"); -+ algoParams.init(paramSpec); -+ pbeCipher.init(Cipher.ENCRYPT_MODE, key, algoParams); -+ } -+ } -+ } -+ case AnonymousPBEKey -> { -+ SecretKey key = getPasswordSaltIterationsPBEKey(); -+ pbeCipher.init(Cipher.ENCRYPT_MODE, key, new NoRandom()); -+ } -+ } -+ return pbeCipher; -+ } -+ -+ private static SecretKey getPasswordOnlyPBEKey() throws Exception { -+ PBEKeySpec keySpec = new PBEKeySpec(password); -+ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); -+ SecretKey skey = skFac.generateSecret(keySpec); -+ keySpec.clearPassword(); -+ return skey; -+ } -+ -+ private static SecretKey getPasswordSaltIterationsPBEKey() { -+ return new PBEKey() { -+ public byte[] getSalt() { return salt.clone(); } -+ public int getIterationCount() { return iterations; } -+ public String getAlgorithm() { return "PBE"; } -+ public String getFormat() { return "RAW"; } -+ public char[] getPassword() { return null; } // unused in PBE Cipher -+ public byte[] getEncoded() { -+ byte[] passwdBytes = new byte[password.length]; -+ for (int i = 0; i < 
password.length; i++) -+ passwdBytes[i] = (byte) (password[i] & 0x7f); -+ return passwdBytes; -+ } -+ }; -+ } -+ -+ private static void printByteArray(String title, BigInteger b) { -+ String repr = (b == null) ? "buffer is null" : b.toString(16); -+ System.out.println(title + ": " + repr + System.lineSeparator()); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ PBECipher2 test = new PBECipher2(); -+ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); -+ if (p != null) { -+ test.main(p); -+ } else { -+ main(test); -+ } -+ } -+} -diff --git a/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java -new file mode 100644 -index 00000000000..360e11c339d ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java -@@ -0,0 +1,137 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+import java.io.ByteArrayInputStream; -+import java.io.ByteArrayOutputStream; -+import java.security.Key; -+import java.security.KeyStore; -+import java.security.KeyStoreException; -+import java.security.MessageDigest; -+import java.security.Provider; -+import java.security.Security; -+ -+import javax.crypto.spec.SecretKeySpec; -+ -+/* -+ * @test -+ * @bug 9999999 -+ * @summary test SunPKCS11's password based privacy and integrity -+ * applied to PKCS#12 keystores -+ * @requires (jdk.version.major >= 8) -+ * @library /test/lib .. -+ * @modules java.base/sun.security.util -+ * @run main/othervm/timeout=30 -Dcom.redhat.fips=false -DNO_DEFAULT=true ImportKeyToP12 -+ */ -+ -+public final class ImportKeyToP12 { -+ public static void main(String[] args) throws Exception { -+ java.security.Security.getProviders(); -+ ImportKeyToP122.main(args); -+ } -+} -+ -+final class ImportKeyToP122 extends PKCS11Test { -+ private static final String alias = "alias"; -+ private static final char[] password = "123456".toCharArray(); -+ private static final Key key = new SecretKeySpec(new byte[] { -+ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, -+ 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf }, "AES"); -+ private static final String[] pbeCipherAlgs = new String[] { -+ "PBEWithHmacSHA1AndAES_128", "PBEWithHmacSHA224AndAES_128", -+ "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA384AndAES_128", -+ "PBEWithHmacSHA512AndAES_128", "PBEWithHmacSHA1AndAES_256", -+ "PBEWithHmacSHA224AndAES_256", "PBEWithHmacSHA256AndAES_256", -+ "PBEWithHmacSHA384AndAES_256", "PBEWithHmacSHA512AndAES_256" -+ }; -+ private static final String[] pbeMacAlgs = new String[] { -+ "HmacPBESHA1", "HmacPBESHA224", "HmacPBESHA256", -+ "HmacPBESHA384", "HmacPBESHA512" -+ }; -+ private static final KeyStore p12; -+ private static final String sep = -+ "========================================================================="; -+ -+ static { -+ KeyStore tP12 = null; -+ try { -+ tP12 = KeyStore.getInstance("PKCS12"); -+ } catch 
(KeyStoreException e) {} -+ p12 = tP12; -+ } -+ -+ public void main(Provider sunPKCS11) throws Exception { -+ System.out.println("SunPKCS11: " + sunPKCS11.getName()); -+ // Test all privacy PBE algorithms with an integrity algorithm fixed -+ for (String pbeCipherAlg : pbeCipherAlgs) { -+ testWith(sunPKCS11, pbeCipherAlg, pbeMacAlgs[0]); -+ } -+ // Test all integrity PBE algorithms with a privacy algorithm fixed -+ for (String pbeMacAlg : pbeMacAlgs) { -+ testWith(sunPKCS11, pbeCipherAlgs[0], pbeMacAlg); -+ } -+ System.out.println("TEST PASS - OK"); -+ } -+ -+ /* -+ * Consistency test: 1) store a secret key in a PKCS#12 keystore using -+ * PBE algorithms from SunPKCS11 and, 2) read the secret key from the -+ * PKCS#12 keystore using PBE algorithms from other security providers -+ * such as SunJCE. -+ */ -+ private void testWith(Provider sunPKCS11, String pbeCipherAlg, -+ String pbeMacAlg) throws Exception { -+ System.out.println(sep + System.lineSeparator() + -+ "Cipher PBE: " + pbeCipherAlg + System.lineSeparator() + -+ "Mac PBE: " + pbeMacAlg); -+ -+ System.setProperty("keystore.pkcs12.macAlgorithm", pbeMacAlg); -+ System.setProperty("keystore.pkcs12.keyProtectionAlgorithm", -+ pbeCipherAlg); -+ -+ // Create an empty PKCS#12 keystore -+ ByteArrayOutputStream baos = new ByteArrayOutputStream(); -+ p12.load(null, password); -+ -+ // Use PBE privacy and integrity algorithms from SunPKCS11 to store -+ // the secret key -+ Security.insertProviderAt(sunPKCS11, 1); -+ p12.setKeyEntry(alias, key, password, null); -+ p12.store(baos, password); -+ -+ // Use PBE privacy and integrity algorithms from other security -+ // providers, such as SunJCE, to read the secret key -+ Security.removeProvider(sunPKCS11.getName()); -+ p12.load(new ByteArrayInputStream(baos.toByteArray()), password); -+ Key k = p12.getKey(alias, password); -+ -+ if (!MessageDigest.isEqual(key.getEncoded(), k.getEncoded())) { -+ throw new Exception("Keys differ. 
Consistency check failed."); -+ } -+ System.out.println("Secret key import successful" + System.lineSeparator() + sep); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ main(new ImportKeyToP122()); -+ } -+} -diff --git a/test/jdk/sun/security/pkcs11/Mac/PBAMac.java b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java -new file mode 100644 -index 00000000000..6b5662f6b4c ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java -@@ -0,0 +1,187 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+import java.math.BigInteger; -+import java.security.NoSuchAlgorithmException; -+import java.security.Provider; -+import java.security.Security; -+import java.util.Map; -+ -+import javax.crypto.Mac; -+import javax.crypto.SecretKey; -+import javax.crypto.SecretKeyFactory; -+import javax.crypto.interfaces.PBEKey; -+import javax.crypto.spec.PBEKeySpec; -+import javax.crypto.spec.PBEParameterSpec; -+ -+/* -+ * @test -+ * @bug 9999999 -+ * @summary test password based authentication on SunPKCS11's Mac service -+ * @requires (jdk.version.major >= 8) -+ * @library /test/lib .. -+ * @run main/othervm/timeout=30 PBAMac -+ */ -+ -+public final class PBAMac { -+ public static void main(String[] args) throws Exception { -+ java.security.Security.getProviders(); -+ PBAMac2.main(args); -+ } -+} -+ -+final class PBAMac2 extends PKCS11Test { -+ private static final char[] password = "123456".toCharArray(); -+ private static final byte[] salt = "abcdefgh".getBytes(); -+ private static final int iterations = 1000; -+ private static final String plainText = "This is a know plain text!"; -+ private static final String sep = -+ "========================================================================="; -+ -+ private static enum Configuration { -+ // Provide salt & iterations through a PBEParameterSpec instance -+ PBEParameterSpec, -+ -+ // Provide salt & iterations through an anonymous class implementing -+ // the javax.crypto.interfaces.PBEKey interface -+ AnonymousPBEKey, -+ } -+ -+ // Generated with SunJCE -+ private static final Map assertionData = Map.of( -+ "HmacPBESHA1", new BigInteger("febd26da5d63ce819770a2af1fc2857e" + -+ "e2c9c41c", 16), -+ "HmacPBESHA224", new BigInteger("aa6a3a1c35a4b266fea62d1a871508" + -+ "bd45f8ec326bcf16e09699063", 16), -+ "HmacPBESHA256", new BigInteger("af4d71121fd4e9d52eb42944d99b77" + -+ "8ff64376fcf6af8d1dca3ec688dfada5c8", 16), -+ "HmacPBESHA384", new BigInteger("5d6d37764205985ffca7e4a6222752" + -+ 
"a8bbd0520858da08ecafdc57e6246894675e375b9ba084f9ce7142" + -+ "35f202cc3452", 16), -+ "HmacPBESHA512", new BigInteger("f586c2006cc2de73fd5743e5cca701" + -+ "c942d3741a7a54a2a649ea36898996cf3c483f2d734179b47751db" + -+ "e8373c980b4072136d2e2810f4e7276024a3e9081cc1", 16) -+ ); -+ -+ private static Provider sunJCE = Security.getProvider("SunJCE"); -+ -+ public void main(Provider sunPKCS11) throws Exception { -+ System.out.println("SunPKCS11: " + sunPKCS11.getName()); -+ for (Configuration conf : Configuration.values()) { -+ testWith(sunPKCS11, "HmacPBESHA1", conf); -+ testWith(sunPKCS11, "HmacPBESHA224", conf); -+ testWith(sunPKCS11, "HmacPBESHA256", conf); -+ testWith(sunPKCS11, "HmacPBESHA384", conf); -+ testWith(sunPKCS11, "HmacPBESHA512", conf); -+ } -+ System.out.println("TEST PASS - OK"); -+ } -+ -+ private void testWith(Provider sunPKCS11, String algorithm, -+ Configuration conf) throws Exception { -+ System.out.println(sep + System.lineSeparator() + algorithm -+ + " (with " + conf.name() + ")"); -+ -+ BigInteger macResult = computeMac(sunPKCS11, algorithm, conf); -+ printByteArray("HMAC Result", macResult); -+ -+ BigInteger expectedMacResult = computeExpectedMac(algorithm, conf); -+ -+ if (!macResult.equals(expectedMacResult)) { -+ printByteArray("Expected HMAC Result", expectedMacResult); -+ throw new Exception("Expected HMAC Result did not match"); -+ } -+ } -+ -+ private BigInteger computeMac(Provider p, String algorithm, -+ Configuration conf) throws Exception { -+ Mac pbaMac; -+ try { -+ pbaMac = Mac.getInstance(algorithm, p); -+ } catch (NoSuchAlgorithmException e) { -+ return null; -+ } -+ switch (conf) { -+ case PBEParameterSpec -> { -+ SecretKey key = getPasswordOnlyPBEKey(); -+ pbaMac.init(key, new PBEParameterSpec(salt, iterations)); -+ } -+ case AnonymousPBEKey -> { -+ SecretKey key = getPasswordSaltIterationsPBEKey(); -+ pbaMac.init(key); -+ } -+ } -+ return new BigInteger(1, pbaMac.doFinal(plainText.getBytes())); -+ } -+ -+ private BigInteger 
computeExpectedMac(String algorithm, Configuration conf) -+ throws Exception { -+ if (sunJCE != null) { -+ BigInteger macResult = computeMac(sunJCE, algorithm, conf); -+ if (macResult != null) { -+ return macResult; -+ } -+ // Move to assertionData as it's unlikely that any of -+ // the algorithms are available. -+ sunJCE = null; -+ } -+ // If SunJCE or the algorithm are not available, assertionData -+ // is used instead. -+ return assertionData.get(algorithm); -+ } -+ -+ private static SecretKey getPasswordOnlyPBEKey() throws Exception { -+ PBEKeySpec keySpec = new PBEKeySpec(password); -+ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); -+ SecretKey skey = skFac.generateSecret(keySpec); -+ keySpec.clearPassword(); -+ return skey; -+ } -+ -+ private static SecretKey getPasswordSaltIterationsPBEKey() { -+ return new PBEKey() { -+ public byte[] getSalt() { return salt.clone(); } -+ public int getIterationCount() { return iterations; } -+ public String getAlgorithm() { return "PBE"; } -+ public String getFormat() { return "RAW"; } -+ public char[] getPassword() { return password.clone(); } -+ public byte[] getEncoded() { return null; } // unused in PBA Mac -+ }; -+ } -+ -+ private static void printByteArray(String title, BigInteger b) { -+ String repr = (b == null) ? "buffer is null" : b.toString(16); -+ System.out.println(title + ": " + repr + System.lineSeparator()); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ PBAMac2 test = new PBAMac2(); -+ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); -+ if (p != null) { -+ test.main(p); -+ } else { -+ main(test); -+ } -+ } -+} -diff --git a/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java -new file mode 100644 -index 00000000000..67c3cee5970 ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java -@@ -0,0 +1,296 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. 
-+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+import java.lang.reflect.Field; -+import java.lang.reflect.Method; -+import java.math.BigInteger; -+import java.security.NoSuchAlgorithmException; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+ -+import javax.crypto.SecretKeyFactory; -+import javax.crypto.spec.PBEKeySpec; -+ -+/* -+ * @test -+ * @bug 9999999 -+ * @summary test key derivation on SunPKCS11's SecretKeyFactory service -+ * @requires (jdk.version.major >= 8) -+ * @library /test/lib .. 
-+ * @modules java.base/com.sun.crypto.provider:open -+ * @run main/othervm/timeout=30 TestPBKD -+ */ -+ -+public final class TestPBKD { -+ public static void main(String[] args) throws Exception { -+ java.security.Security.getProviders(); -+ TestPBKD2.main(args); -+ } -+} -+ -+final class TestPBKD2 extends PKCS11Test { -+ private static final char[] password = "123456".toCharArray(); -+ private static final byte[] salt = "abcdefgh".getBytes(); -+ private static final int iterations = 1000; -+ private static final String sep = -+ "========================================================================="; -+ -+ private static Provider sunJCE = Security.getProvider("SunJCE"); -+ -+ // Generated with SunJCE -+ private static final Map assertionData = -+ new HashMap<>() {{ -+ put("HmacPBESHA1", new BigInteger("5f7d1c360d1703cede76f47db" + -+ "2fa3facc62e7694", 16)); -+ put("HmacPBESHA224", new BigInteger("289563f799b708f522ab2a3" + -+ "8d283d0afa8fc1d3d227fcb9236c3a035", 16)); -+ put("HmacPBESHA256", new BigInteger("888defcf4ef37eb0647014a" + -+ "d172dd6fa3b3e9d024b962dba47608eea9b9c4b79", 16)); -+ put("HmacPBESHA384", new BigInteger("f5464b34253fadab8838d0d" + -+ "b11980c1787a99bf6f6304f2d8c942e30bada523494f9d5a0f3" + -+ "741e411de21add8b5718a8", 16)); -+ put("HmacPBESHA512", new BigInteger("18ae94337b132c68c611bc2" + -+ "e723ac24dcd44a46d900dae2dd6170380d4c34f90fef7bdeb5f" + -+ "6fddeb0d2230003e329b7a7eefcd35810d364ba95d31b68bb61" + -+ "e52", 16)); -+ put("PBEWithHmacSHA1AndAES_128", new BigInteger("fdb3dcc2e81" + -+ "244d4d56bf7ec8dd61dd7", 16)); -+ put("PBEWithHmacSHA224AndAES_128", new BigInteger("5ef9e5c6f" + -+ "df7c355f3b424233a9f24c2", 16)); -+ put("PBEWithHmacSHA256AndAES_128", new BigInteger("c5af597b0" + -+ "1b4f6baac8f62ff6f22bfb1", 16)); -+ put("PBEWithHmacSHA384AndAES_128", new BigInteger("c3208ebc5" + -+ "d6db88858988ec00153847d", 16)); -+ put("PBEWithHmacSHA512AndAES_128", new BigInteger("b27e8f7fb" + -+ "6a4bd5ebea892cd9a7f5043", 16)); -+ 
put("PBEWithHmacSHA1AndAES_256", new BigInteger("fdb3dcc2e81" + -+ "244d4d56bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2ccde" + -+ "98", 16)); -+ put("PBEWithHmacSHA224AndAES_256", new BigInteger("5ef9e5c6f" + -+ "df7c355f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8d" + -+ "f64d", 16)); -+ put("PBEWithHmacSHA256AndAES_256", new BigInteger("c5af597b0" + -+ "1b4f6baac8f62ff6f22bfb1f319c3278c8b31cc616294716d4e" + -+ "ab08", 16)); -+ put("PBEWithHmacSHA384AndAES_256", new BigInteger("c3208ebc5" + -+ "d6db88858988ec00153847d5b1b7a8723640a022dc332bcaefe" + -+ "b356", 16)); -+ put("PBEWithHmacSHA512AndAES_256", new BigInteger("b27e8f7fb" + -+ "6a4bd5ebea892cd9a7f5043cefff9c38b07e599721e8d116189" + -+ "5482", 16)); -+ put("PBKDF2WithHmacSHA1", new BigInteger("fdb3dcc2e81244d4d5" + -+ "6bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2cc", 16)); -+ put("PBKDF2WithHmacSHA224", new BigInteger("5ef9e5c6fdf7c355" + -+ "f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8df64d1a0" + -+ "736ec1c69eef1c7b2", 16)); -+ put("PBKDF2WithHmacSHA256", new BigInteger("c5af597b01b4f6ba" + -+ "ac8f62ff6f22bfb1f319c3278c8b31cc616294716d4eab080b9" + -+ "add9db34a42ceb2fea8d27adc00f4", 16)); -+ put("PBKDF2WithHmacSHA384", new BigInteger("c3208ebc5d6db888" + -+ "58988ec00153847d5b1b7a8723640a022dc332bcaefeb356995" + -+ "d076a949d35c42c7e1e1ca936c12f8dc918e497edf279a522b7" + -+ "c99580e2613846b3919af637da", 16)); -+ put("PBKDF2WithHmacSHA512", new BigInteger("b27e8f7fb6a4bd5e" + -+ "bea892cd9a7f5043cefff9c38b07e599721e8d1161895482da2" + -+ "55746844cc1030be37ba1969df10ff59554d1ac5468fa9b7297" + -+ "7bb7fd52103a0a7b488cdb8957616c3e23a16bca92120982180" + -+ "c6c11a4f14649b50d0ade3a", 16)); -+ }}; -+ -+ static interface AssertData { -+ BigInteger derive(String pbAlgo, PBEKeySpec keySpec) throws Exception; -+ } -+ -+ static final class P12PBKDAssertData implements AssertData { -+ private final int outLen; -+ private final String kdfAlgo; -+ private final int blockLen; -+ -+ P12PBKDAssertData(int outLen, String kdfAlgo, int 
blockLen) { -+ this.outLen = outLen; -+ this.kdfAlgo = kdfAlgo; -+ this.blockLen = blockLen; -+ } -+ -+ @Override -+ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) -+ throws Exception { -+ // Since we need to access an internal SunJCE API, we use reflection -+ Class PKCS12PBECipherCore = Class.forName( -+ "com.sun.crypto.provider.PKCS12PBECipherCore"); -+ -+ Field macKeyField = PKCS12PBECipherCore.getDeclaredField("MAC_KEY"); -+ macKeyField.setAccessible(true); -+ int MAC_KEY = (int) macKeyField.get(null); -+ -+ Method deriveMethod = PKCS12PBECipherCore.getDeclaredMethod( -+ "derive", char[].class, byte[].class, int.class, -+ int.class, int.class, String.class, int.class); -+ deriveMethod.setAccessible(true); -+ -+ return new BigInteger(1, (byte[]) deriveMethod.invoke(null, -+ keySpec.getPassword(), keySpec.getSalt(), -+ keySpec.getIterationCount(), this.outLen, -+ MAC_KEY, this.kdfAlgo, this.blockLen)); -+ } -+ } -+ -+ static final class PBKD2AssertData implements AssertData { -+ private final String kdfAlgo; -+ private final int keyLen; -+ -+ PBKD2AssertData(String kdfAlgo, int keyLen) { -+ // Key length is pinned by the algorithm name (not kdfAlgo, -+ // but the algorithm under test: PBEWithHmacSHA*AndAES_*) -+ this.kdfAlgo = kdfAlgo; -+ this.keyLen = keyLen; -+ } -+ -+ PBKD2AssertData(String kdfAlgo) { -+ // Key length is variable for the algorithm under test -+ // (kdfAlgo is the algorithm under test: PBKDF2WithHmacSHA*) -+ this(kdfAlgo, -1); -+ } -+ -+ @Override -+ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) -+ throws Exception { -+ if (this.keyLen != -1) { -+ keySpec = new PBEKeySpec( -+ keySpec.getPassword(), keySpec.getSalt(), -+ keySpec.getIterationCount(), this.keyLen); -+ } -+ if (sunJCE != null) { -+ try { -+ return new BigInteger(1, SecretKeyFactory.getInstance( -+ this.kdfAlgo, sunJCE).generateSecret(keySpec) -+ .getEncoded()); -+ } catch (NoSuchAlgorithmException e) { -+ // Move to assertionData as it's unlikely that any 
of -+ // the algorithms are available. -+ sunJCE = null; -+ } -+ } -+ // If SunJCE or the algorithm are not available, assertionData -+ // is used instead. -+ return assertionData.get(pbAlgo); -+ } -+ } -+ -+ public void main(Provider sunPKCS11) throws Exception { -+ System.out.println("SunPKCS11: " + sunPKCS11.getName()); -+ testWith(sunPKCS11, "HmacPBESHA1", -+ new P12PBKDAssertData(20, "SHA-1", 64)); -+ testWith(sunPKCS11, "HmacPBESHA224", -+ new P12PBKDAssertData(28, "SHA-224", 64)); -+ testWith(sunPKCS11, "HmacPBESHA256", -+ new P12PBKDAssertData(32, "SHA-256", 64)); -+ testWith(sunPKCS11, "HmacPBESHA384", -+ new P12PBKDAssertData(48, "SHA-384", 128)); -+ testWith(sunPKCS11, "HmacPBESHA512", -+ new P12PBKDAssertData(64, "SHA-512", 128)); -+ -+ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", -+ new PBKD2AssertData("PBKDF2WithHmacSHA1", 128)); -+ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", -+ new PBKD2AssertData("PBKDF2WithHmacSHA224", 128)); -+ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", -+ new PBKD2AssertData("PBKDF2WithHmacSHA256", 128)); -+ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", -+ new PBKD2AssertData("PBKDF2WithHmacSHA384", 128)); -+ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", -+ new PBKD2AssertData("PBKDF2WithHmacSHA512", 128)); -+ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", -+ new PBKD2AssertData("PBKDF2WithHmacSHA1", 256)); -+ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", -+ new PBKD2AssertData("PBKDF2WithHmacSHA224", 256)); -+ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", -+ new PBKD2AssertData("PBKDF2WithHmacSHA256", 256)); -+ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", -+ new PBKD2AssertData("PBKDF2WithHmacSHA384", 256)); -+ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", -+ new PBKD2AssertData("PBKDF2WithHmacSHA512", 256)); -+ -+ // Use 1,5 * digest size as the testing derived key length (in bits) -+ testWith(sunPKCS11, "PBKDF2WithHmacSHA1", 240, -+ new PBKD2AssertData("PBKDF2WithHmacSHA1")); 
-+ testWith(sunPKCS11, "PBKDF2WithHmacSHA224", 336, -+ new PBKD2AssertData("PBKDF2WithHmacSHA224")); -+ testWith(sunPKCS11, "PBKDF2WithHmacSHA256", 384, -+ new PBKD2AssertData("PBKDF2WithHmacSHA256")); -+ testWith(sunPKCS11, "PBKDF2WithHmacSHA384", 576, -+ new PBKD2AssertData("PBKDF2WithHmacSHA384")); -+ testWith(sunPKCS11, "PBKDF2WithHmacSHA512", 768, -+ new PBKD2AssertData("PBKDF2WithHmacSHA512")); -+ -+ System.out.println("TEST PASS - OK"); -+ } -+ -+ private static void testWith(Provider sunPKCS11, String algorithm, -+ AssertData assertData) throws Exception { -+ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations); -+ testWith(sunPKCS11, algorithm, keySpec, assertData); -+ } -+ -+ private static void testWith(Provider sunPKCS11, String algorithm, -+ int keyLen, AssertData assertData) throws Exception { -+ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, keyLen); -+ testWith(sunPKCS11, algorithm, keySpec, assertData); -+ } -+ -+ private static void testWith(Provider sunPKCS11, String algorithm, -+ PBEKeySpec keySpec, AssertData assertData) throws Exception { -+ System.out.println(sep + System.lineSeparator() + algorithm); -+ -+ SecretKeyFactory skFac = SecretKeyFactory.getInstance( -+ algorithm, sunPKCS11); -+ BigInteger derivedKey = new BigInteger(1, -+ skFac.generateSecret(keySpec).getEncoded()); -+ printByteArray("Derived Key", derivedKey); -+ -+ BigInteger expectedDerivedKey = assertData.derive(algorithm, keySpec); -+ -+ if (!derivedKey.equals(expectedDerivedKey)) { -+ printByteArray("Expected Derived Key", expectedDerivedKey); -+ throw new Exception("Expected Derived Key did not match"); -+ } -+ } -+ -+ private static void printByteArray(String title, BigInteger b) { -+ String repr = (b == null) ? 
"buffer is null" : b.toString(16); -+ System.out.println(title + ": " + repr + System.lineSeparator()); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ TestPBKD2 test = new TestPBKD2(); -+ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); -+ if (p != null) { -+ test.main(p); -+ } else { -+ main(test); -+ } -+ } -+} diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java new file mode 100644 index 00000000000..ce01c655eb8 diff --git a/SOURCES/gating.yaml b/SOURCES/gating.yaml deleted file mode 100644 index c7412f1..0000000 --- a/SOURCES/gating.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# recipients: java-qa ---- !Policy -product_versions: - - rhel-9 -decision_context: osci_compose_gate -rules: - - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} diff --git a/SOURCES/generate_source_tarball.sh b/SOURCES/generate_source_tarball.sh deleted file mode 100755 index d32c8d2..0000000 --- a/SOURCES/generate_source_tarball.sh +++ /dev/null 
@@ -1,210 +0,0 @@ -#!/bin/bash -# Generates the 'source tarball' for JDK projects. -# -# Example: -# When used from local repo set REPO_ROOT pointing to file:// with your repo -# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL -# If you want to use a local copy of patch PR3788, set the path to it in the PR3788 variable -# -# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: -# PROJECT_NAME=openjdk -# REPO_NAME=jdk17u -# VERSION=jdk-17.0.3+5 -# or to eg prepare systemtap: -# icedtea7's jstack and other tapsets -# VERSION=6327cf1cea9e -# REPO_NAME=icedtea7-2.6 -# PROJECT_NAME=release -# OPENJDK_URL=http://icedtea.classpath.org/hg/ -# TO_COMPRESS="*/tapset" -# -# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set) - -# This script creates a single source tarball out of the repository -# based on the given tag and removes code not allowed in fedora/rhel. For -# consistency, the source tarball will always contain 'openjdk' as the top -# level folder, name is created, based on parameter -# - -if [ ! "x$PR3823" = "x" ] ; then - if [ ! -f "$PR3823" ] ; then - echo "You have specified PR3823 as $PR3823 but it does not exist. 
Exiting" - exit 1 - fi -fi - -set -e - -OPENJDK_URL_DEFAULT=https://github.com -COMPRESSION_DEFAULT=xz -# Corresponding IcedTea version -ICEDTEA_VERSION=12.0 - -if [ "x$1" = "xhelp" ] ; then - echo -e "Behaviour may be specified by setting the following variables:\n" - echo "VERSION - the version of the specified OpenJDK project" - echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)" - echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)" - echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" - echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" - echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" - echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" - echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)" - echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" - exit 1; -fi - - -if [ "x$VERSION" = "x" ] ; then - echo "No VERSION specified" - exit 2 -fi -echo "Version: ${VERSION}" - -NUM_VER=${VERSION##jdk-} -RELEASE_VER=${NUM_VER%%+*} -BUILD_VER=${NUM_VER##*+} -MAJOR_VER=${RELEASE_VER%%.*} -echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}" - -if [ "x$BOOT_JDK" = "x" ] ; then - echo "No boot JDK specified". 
- BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk; - echo -n "Checking for ${BOOT_JDK}..."; - if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then - echo "Boot JDK found at ${BOOT_JDK}"; - else - echo "Not found"; - PREV_VER=$((${MAJOR_VER} - 1)); - BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk; - echo -n "Checking for ${BOOT_JDK}..."; - if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then - echo "Boot JDK found at ${BOOT_JDK}"; - else - echo "Not found"; - exit 4; - fi - fi -else - echo "Boot JDK: ${BOOT_JDK}"; -fi - -# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT -if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then - if [ "x$PROJECT_NAME" = "x" ] ; then - echo "No PROJECT_NAME specified" - exit 1 - fi - echo "Project name: ${PROJECT_NAME}" - if [ "x$REPO_NAME" = "x" ] ; then - echo "No REPO_NAME specified" - exit 3 - fi - echo "Repository name: ${REPO_NAME}" -fi - -if [ "x$OPENJDK_URL" = "x" ] ; then - OPENJDK_URL=${OPENJDK_URL_DEFAULT} - echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}" -else - echo "OpenJDK URL: ${OPENJDK_URL}" -fi - -if [ "x$COMPRESSION" = "x" ] ; then - # rhel 5 needs tar.gz - COMPRESSION=${COMPRESSION_DEFAULT} -fi -echo "Creating a tar.${COMPRESSION} archive" - -if [ "x$FILE_NAME_ROOT" = "x" ] ; then - FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION} - echo "No file name root specified; default to ${FILE_NAME_ROOT}" -fi -if [ "x$REPO_ROOT" = "x" ] ; then - REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git" - echo "No repository root specified; default to ${REPO_ROOT}" -fi; - -if [ "x$TO_COMPRESS" = "x" ] ; then - TO_COMPRESS="openjdk" - echo "No targets to be compressed specified, ; default to ${TO_COMPRESS}" -fi; - -if [ -d ${FILE_NAME_ROOT} ] ; then - echo "exists exists exists exists exists exists exists " - echo "reusing reusing reusing reusing reusing reusing " - echo ${FILE_NAME_ROOT} -else - mkdir "${FILE_NAME_ROOT}" - pushd "${FILE_NAME_ROOT}" - echo "Cloning 
${VERSION} root repository from ${REPO_ROOT}" - git clone -b ${VERSION} ${REPO_ROOT} openjdk - popd -fi -pushd "${FILE_NAME_ROOT}" - if [ -d openjdk/src ]; then - pushd openjdk - echo "Removing EC source code we don't build" - CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl - rm -vf ${CRYPTO_PATH}/ec2.h - rm -vf ${CRYPTO_PATH}/ec2_163.c - rm -vf ${CRYPTO_PATH}/ec2_193.c - rm -vf ${CRYPTO_PATH}/ec2_233.c - rm -vf ${CRYPTO_PATH}/ec2_aff.c - rm -vf ${CRYPTO_PATH}/ec2_mont.c - rm -vf ${CRYPTO_PATH}/ecp_192.c - rm -vf ${CRYPTO_PATH}/ecp_224.c - - echo "Syncing EC list with NSS" - if [ "x$PR3823" = "x" ] ; then - # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch - # Do not push it or publish it - echo "PR3823 not found. Downloading..." - wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch - echo "Applying ${PWD}/pr3823.patch" - patch -Np1 < pr3823.patch - rm pr3823.patch - else - echo "Applying ${PR3823}" - patch -Np1 < $PR3823 - fi; - find . 
-name '*.orig' -exec rm -vf '{}' ';' - popd - fi - - # Generate .src-rev so build has knowledge of the revision the tarball was created from - mkdir build - pushd build - sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK} - make store-source-revision - popd - rm -rf build - - # Remove commit checks - echo "Removing $(find openjdk -name '.jcheck' -print)" - find openjdk -name '.jcheck' -print0 | xargs -0 rm -r - - # Remove history and GHA - echo "find openjdk -name '.hgtags'" - find openjdk -name '.hgtags' -exec rm -v '{}' '+' - echo "find openjdk -name '.hgignore'" - find openjdk -name '.hgignore' -exec rm -v '{}' '+' - echo "find openjdk -name '.gitattributes'" - find openjdk -name '.gitattributes' -exec rm -v '{}' '+' - echo "find openjdk -name '.gitignore'" - find openjdk -name '.gitignore' -exec rm -v '{}' '+' - echo "find openjdk -name '.git'" - find openjdk -name '.git' -exec rm -rv '{}' '+' - echo "find openjdk -name '.github'" - find openjdk -name '.github' -exec rm -rv '{}' '+' - - echo "Compressing remaining forest" - if [ "X$COMPRESSION" = "Xxz" ] ; then - SWITCH=cJf - else - SWITCH=czf - fi - tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS - mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. -popd -echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." diff --git a/SOURCES/icedtea_sync.sh b/SOURCES/icedtea_sync.sh deleted file mode 100755 index 1b94e9e..0000000 --- a/SOURCES/icedtea_sync.sh +++ /dev/null 
@@ -1,191 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2019 Red Hat, Inc. -# Written by Andrew John Hughes . -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -ICEDTEA_USE_VCS=true - -ICEDTEA_VERSION=3.15.0 -ICEDTEA_URL=https://icedtea.classpath.org/download/source -ICEDTEA_SIGNING_KEY=CFDA0F9B35964222 - -ICEDTEA_HG_URL=https://icedtea.classpath.org/hg/icedtea -set -e - -RPM_DIR=${PWD} -if [ ! -f ${RPM_DIR}/jconsole.desktop.in ] ; then - echo "Not in RPM source tree."; - exit 1; -fi - -if test "x${TMPDIR}" = "x"; then - TMPDIR=/tmp; -fi -WORKDIR=${TMPDIR}/it.sync - -echo "Using working directory ${WORKDIR}" -mkdir ${WORKDIR} -pushd ${WORKDIR} - -if test "x${WGET}" = "x"; then - WGET=$(which wget); - if test "x${WGET}" = "x"; then - echo "wget not found"; - exit 1; - fi -fi - -if test "x${TAR}" = "x"; then - TAR=$(which tar) - if test "x${TAR}" = "x"; then - echo "tar not found"; - exit 2; - fi -fi - -echo "Dependencies:"; -echo -e "\tWGET: ${WGET}"; -echo -e "\tTAR: ${TAR}\n"; - -if test "x${ICEDTEA_USE_VCS}" = "xtrue"; then - echo "Mode: Using VCS"; - - if test "x${GREP}" = "x"; then - GREP=$(which grep); - if test "x${GREP}" = "x"; then - echo "grep not found"; - exit 3; - fi - fi - - if test "x${CUT}" = "x"; then - CUT=$(which cut); - if test "x${CUT}" = "x"; then - echo "cut not found"; - exit 4; - fi - fi - - if test "x${TR}" = "x"; then - TR=$(which tr); - if test "x${TR}" = "x"; then 
- echo "tr not found"; - exit 5; - fi - fi - - if test "x${HG}" = "x"; then - HG=$(which hg); - if test "x${HG}" = "x"; then - echo "hg not found"; - exit 6; - fi - fi - - echo "Dependencies:"; - echo -e "\tGREP: ${GREP}"; - echo -e "\tCUT: ${CUT}"; - echo -e "\tTR: ${TR}"; - echo -e "\tHG: ${HG}"; - - echo "Checking out repository from VCS..."; - ${HG} clone ${ICEDTEA_HG_URL} icedtea - - echo "Obtaining version from configure.ac..."; - ROOT_VER=$(${GREP} '^AC_INIT' icedtea/configure.ac|${CUT} -d ',' -f 2|${TR} -d '[][:space:]') - echo "Root version from configure: ${ROOT_VER}"; - - VCS_REV=$(${HG} log -R icedtea --template '{node|short}' -r tip) - echo "VCS revision: ${VCS_REV}"; - - ICEDTEA_VERSION="${ROOT_VER}-${VCS_REV}" - echo "Creating icedtea-${ICEDTEA_VERSION}"; - mkdir icedtea-${ICEDTEA_VERSION} - echo "Copying required files from checkout to icedtea-${ICEDTEA_VERSION}"; - # Commented out for now as IcedTea 6's jconsole.desktop.in is outdated - #cp -a icedtea/jconsole.desktop.in ../icedtea-${ICEDTEA_VERSION} - cp -a ${RPM_DIR}/jconsole.desktop.in icedtea-${ICEDTEA_VERSION} - cp -a icedtea/tapset icedtea-${ICEDTEA_VERSION} - - rm -rf icedtea -else - echo "Mode: Using tarball"; - - if test "x${ICEDTEA_VERSION}" = "x"; then - echo "No IcedTea version specified for tarball download."; - exit 3; - fi - - if test "x${CHECKSUM}" = "x"; then - CHECKSUM=$(which sha256sum) - if test "x${CHECKSUM}" = "x"; then - echo "sha256sum not found"; - exit 4; - fi - fi - - if test "x${PGP}" = "x"; then - PGP=$(which gpg) - if test "x${PGP}" = "x"; then - echo "gpg not found"; - exit 5; - fi - fi - - echo "Dependencies:"; - echo -e "\tCHECKSUM: ${CHECKSUM}"; - echo -e "\tPGP: ${PGP}\n"; - - echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}..."; - if ! 
gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then - echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed."; - exit 6; - fi - - echo "Downloading IcedTea release tarball..."; - ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz - echo "Downloading IcedTea tarball signature..."; - ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig - echo "Downloading IcedTea tarball checksums..."; - ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256 - - echo "Verifying checksums..."; - ${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256 - - echo "Checking signature..."; - ${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig - - echo "Extracting files..."; - ${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \ - icedtea-${ICEDTEA_VERSION}/tapset \ - icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in - - rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz - rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig - rm -vf icedtea-${ICEDTEA_VERSION}.sha256 -fi - -echo "Replacing desktop files..."; -mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in ${RPM_DIR} - -echo "Creating new tapset tarball..."; -mv -v icedtea-${ICEDTEA_VERSION} openjdk -${TAR} cJf ${RPM_DIR}/tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk - -rm -rvf openjdk - -popd -rm -rf ${WORKDIR} diff --git a/SOURCES/java-21-openjdk-portable.specfile b/SOURCES/java-21-openjdk-portable.specfile index 1f3ad8d..1d56ee3 100644 --- a/SOURCES/java-21-openjdk-portable.specfile +++ b/SOURCES/java-21-openjdk-portable.specfile @@ -1,6 +1,3 @@ -# portable jdk 21 specific bug, _jvmdir being missing -%define _jvmdir /usr/lib/jvm - # debug_package %%{nil} is portable-jdks specific %define debug_package %{nil} 
@@ -31,6 +28,12 @@ # Build with system libraries %bcond_with system_libs +# This is RHEL 7 specific as it doesn't seem to have the +# __brp_strip_static_archive macro. +%if 0%{?rhel} == 7 +%define __os_install_post %{nil} +%endif + # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} %define __brp_strip_static_archive %{nil} @@ -39,13 +42,6 @@ %global include_staticlibs 0 %endif -# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so -%if %{with fresh_libjvm} -%global build_hotspot_first 1 -%else -%global build_hotspot_first 0 -%endif - %if %{with system_libs} %global system_libs 1 %global link_type system @@ -160,6 +156,13 @@ %else %global gdb_arches %{jit_arches} %{zero_arches} %endif +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 +# Set of architectures for which we have a devkit +# Only used on RHEL +%if 0%{?centos} == 0 +%global devkit_arches %{aarch64} %{ppc64le} s390x x86_64 +%endif # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} @@ -239,8 +242,10 @@ # Target to use to just build HotSpot %global hotspot_target hotspot -# JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# DTS toolset to use to provide gcc & binutils +%if 0%{?rhel} == 7 +%global dtsversion 10 +%endif # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 
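Review bot: The RHEL 7 branch added in this hunk sets `%define __os_install_post %{nil}`, which turns off the whole post-install script chain for the buildroot, not only static-archive stripping. The comment above it mentions only the missing `__brp_strip_static_archive` macro, so any other step in that chain that RHEL 7 builds are expected to run is skipped without a trace in the spec. I would record the wider effect next to the definition, e.g. `# NOTE: this disables every __os_install_post step on RHEL 7, not only static archive stripping`. If stripping is the only step that has to go, redefining the macro without it would be narrower.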
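Review bot: `devkit_arches` is defined only inside `%if 0%{?centos} == 0`, but later hunks of this patch test it unconditionally with `%ifarch %{devkit_arches}` and `%ifnarch %{devkit_arches}` (build requirements, the `libstdc++-static` requirement, and the devkit extraction in %prep). On CentOS those conditionals presumably see the unexpanded macro text and fall through to the system-compiler path; that looks intended but is not stated anywhere. A comment at the definition would make the toolchain selection explicit, e.g. `# Left undefined on CentOS: arch tests on devkit_arches then never match and the system gcc is used`.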
@@ -251,12 +256,6 @@ %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourldflags %{__global_ldflags} -# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path -# the initialization must be here. Later the pkg-config have buggy behavior -# looks like openjdk RPM specific bug -# Always set this so the nss.cfg file is not broken -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap @@ -317,23 +316,21 @@ %global stapinstall %{nil} %endif -# always off for portable builds %ifarch %{systemtap_arches} -%global with_systemtap 0 +%global with_systemtap 1 %else %global with_systemtap 0 %endif # New Version-String scheme-style defines -%global featurever 17 -%global fakefeaturever 21 +%global featurever 21 %global interimver 0 -%global updatever 7 +%global updatever 6 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 17 +%global buildjdkver %{featurever} # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -343,6 +340,16 @@ %global lts_designator "" %global lts_designator_zip "" %endif +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +# This will only work where the bootstrap JDK is the same major version +# as the JDK being built +%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. 
@@ -357,7 +364,7 @@ %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} %else %if 0%{?rhel} -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ %else %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi %endif @@ -368,15 +375,22 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver bf363eecce3 +%global fipsver 0a42e29b391 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 2 +%global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk 
@@ -390,15 +404,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -# Force 21 until we are actually ready to build that JDK version -%global javaver %{fakefeaturever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -408,7 +413,7 @@ %if %{is_ga} %global build_type GA %global ea_designator "" -%global ea_designator_zip "" +%global ea_designator_zip %{nil} %global extraver %{nil} %global eaprefix %{nil} %else @@ -420,15 +425,16 @@ %endif # parametrized macros are order-sensitive -%global compatiblename java-%{fakefeaturever}-%{origin} +%global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:build/jdk%{fakefeaturever}.build%{?1}} -%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}} -%define packageoutputdir() %{expand:packages/jdk%{fakefeaturever}.packages%{?1}} +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%global altjavaoutputdir install/altjava.install +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk 
@@ -471,6 +477,12 @@ %global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ %endif +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif %global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} %define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} @@ -482,6 +494,7 @@ %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %global alt_java_name alt-java +%global devkit_name %{origin}-devkit %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ @@ -493,23 +506,6 @@ %global alternatives_requires %{_sbindir}/alternatives %endif -%if %{with_systemtap} -# Where to install systemtap tapset (links) -# We would like these to be in a package specific sub-dir, -# but currently systemtap doesn't support that, so we have to -# use the root tapset dir for now. To distinguish between 64 -# and 32 bit architectures we place the tapsets under the arch -# specific dir (note that systemtap will only pickup the tapset -# for the primary arch for now). Systemtap uses the machine name -# aka target_cpu as architecture specific directory name. -%global tapsetroot /usr/share/systemtap -%global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{stapinstall} -%endif - -# x86 is not supported by OpenJDK 17 -ExcludeArch: %{ix86} - # Portables have no repo (requires/provides), but these are awesome for orientation in spec # Also scriptlets are happily missing and files are handled old fashion # not-duplicated requires/provides/obsoletes for normal/debug packages 
@@ -534,11 +530,20 @@ ExcludeArch: %{ix86} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 -# portables have grown out of its component, moving back to java-x-vendor -# this expression, when declared as global, filled component with java-x-vendor portable -%define component %(echo %{name} | sed "s;-portable;;g") +# Define an optional suffix for the OS this package is built on +%if 0%{?rhel} == 7 +%global pkgos rhel7 +%endif -Name: java-%{javaver}-%{origin}-portable +# Define the architectures on which we build +# On RHEL, this should be the architectures with a devkit +%if 0%{?centos} == 0 +ExclusiveArch: %{devkit_arches} +%else +ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64 +%endif + +Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}} Version: %{newjavaver}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons @@ -575,15 +580,13 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. -# Disabled in portables -#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea # Disabled in portables 
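Review bot: The re-enabled `Source8` line in the `@@ -575,15 +580,13 @@` hunk still carries the `%%` escape that was needed only while the line was commented out, so the tag reads `tapsets-icedtea-%%{icedteaver}.tar.xz`. Unless a second expansion is being relied on, the recorded file name would contain the literal text `%{icedteaver}` rather than the IcedTea version defined earlier in the spec. I would write `Source8: tapsets-icedtea-%{icedteaver}.tar.xz`, or keep the escape and add a comment saying why it is deliberate.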
@@ -592,8 +595,8 @@ Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Release notes Source10: NEWS -# nss configuration file -Source11: nss.cfg.in +# Source code for alt-java +Source11: alt-java.c # Removed libraries that we link instead Source12: remove-intree-libraries.sh @@ -618,20 +621,9 @@ Source18: TestTranslations.java # RPM/distribution specific patches # ############################################ - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# NSS via SunPKCS11 Provider (disabled due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - # Crypto policy and FIPS support patches -# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u -# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy 
@@ -655,7 +647,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2104724: Avoid import/export of DH private keys # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode # Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] # RH2020290: Support TLS 1.3 in FIPS mode # Add nss.fips.cfg support to OpenJDK tree # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode @@ -664,8 +656,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2134669: Add missing attributes when registering services in FIPS mode. # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized -Patch1001: fips-17u-%{fipsver}.patch +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # @@ -677,13 +669,11 @@ Patch1001: fips-17u-%{fipsver}.patch ############################################# # -# OpenJDK patches appearing in 17.0.8 +# OpenJDK patches which missed last update # ############################################# -# JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile -Patch2001: jdk8274864-remove_amman_cairo_hacks.patch -# JDK-8305113: (tz) Update Timezone Data to 2023c -Patch2002: jdk8305113-tzdata2023c.patch + +# Currently empty ############################################# # 
@@ -691,11 +681,7 @@ Patch2002: jdk8305113-tzdata2023c.patch # ############################################# -############################################# -# -# OpenJDK patches targetted for 17.0.6 -# -############################################# +# Currently empty BuildRequires: autoconf BuildRequires: automake @@ -707,7 +693,19 @@ BuildRequires: desktop-file-utils BuildRequires: elfutils-devel BuildRequires: file BuildRequires: fontconfig-devel +# RHEL 7 builds obtain a newer compiler from DTS +%if 0%{?rhel} == 7 +BuildRequires: devtoolset-%{dtsversion}-gcc +BuildRequires: devtoolset-%{dtsversion}-gcc-c++ +%else +%ifarch %{devkit_arches} +BuildRequires: %{devkit_name} >= 1.0-9 +%else +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 BuildRequires: gcc-c++ +%endif +%endif BuildRequires: gdb BuildRequires: libxslt BuildRequires: libX11-devel @@ -717,10 +715,10 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirement for setting up nss.cfg +# Requirement for setting up nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test -# N/A for portable. RHEL7 doesn't provide them +# N/A for portable as we don't enable support for them #BuildRequires: crypto-policies BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel 
@@ -728,19 +726,20 @@ BuildRequires: zip # to pack portable tarballs BuildRequires: tar BuildRequires: unzip -# No javapackages-filesystem on el7,nor is needed for portables -# BuildRequires: javapackages-filesystem -BuildRequires: java-%{buildjdkver}-openjdk-devel +BuildRequires: javapackages-filesystem +BuildRequires: java-%{buildjdkver}-%{origin}%{?pkgos:-%{pkgos}}-devel # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2023c required as of JDK-8305113 -BuildRequires: tzdata-java >= 2023c +# Full documentation build requirements +# pandoc is only available on RHEL/CentOS 8 +%if 0%{?rhel} == 8 +BuildRequires: graphviz +BuildRequires: pandoc +%endif # cacerts build requirement in portable mode BuildRequires: ca-certificates -# Earlier versions have a bug in tree vectorization on PPC -BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel 
@@ -754,22 +753,27 @@ BuildRequires: harfbuzz-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel +BuildRequires: zlib-devel %else -# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.1 +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.2 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h -Provides: bundled(giflib) = 5.2.1 +Provides: bundled(giflib) = 5.2.2 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 4.4.1 +Provides: bundled(harfbuzz) = 8.2.2 # Version in src/java.desktop/share/native/liblcms/lcms2.h -Provides: bundled(lcms2) = 2.12.0 +Provides: bundled(lcms2) = 2.16.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.37 +Provides: bundled(libpng) = 1.6.43 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 # We link statically against libstdc++ to increase portability +%ifnarch %{devkit_arches} BuildRequires: libstdc++-static %endif +%endif # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder @@ -912,6 +916,7 @@ The %{origin_nice} %{featurever} miscellany. %prep echo "Preparing %{oj_vendor_version}" +echo "System is RHEL=%{?rhel}%{!?rhel:0}, CentOS=%{?centos}%{!?centos:0}, EPEL=%{?epel}%{!?epel:0}, Fedora=%{?fedora}%{!?fedora:0}" # Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( %if 0%{?stapinstall:1} 
@@ -942,6 +947,13 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi + +%if %{with fresh_libjvm} && ! %{build_hotspot_first} +echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" +echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" +%endif + +export XZ_OPT="-T0" %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -958,20 +970,24 @@ sh %{SOURCE12} %{top_level_dir_name} %endif # Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. pushd %{top_level_dir_name} -%patch1 -p1 -%patch3 -p1 -%patch6 -p1 # Add crypto policy and FIPS support -%patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -# tzdata update -%patch2001 -p1 -%patch2002 -p1 +%patch -P1001 -p1 popd # openjdk -%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, 
@@ -1005,18 +1021,8 @@ cp -r tapset tapset%{fastdebug_suffix} for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 - sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file done done # systemtap tapsets ends @@ -1025,8 +1031,22 @@ done # Prepare desktop files # Portables do not have desktop integration -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg +# Extract devkit +%ifarch %{devkit_arches} + devkittarball=%{_datadir}/%{devkit_name}/sdk-%{_target_cpu}-%{_target_os}-gnu*.tar.gz + echo "Extracting devkit ${devkittarball}"; + mkdir devkit; + tar -C devkit --strip-components=1 -xzf ${devkittarball} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + echo "Installed ${DEVKIT_NAME} devkit" +%else +%if 0%{?centos} > 0 + echo "No devkit for CentOS %{?centos}" +%else + echo "No devkit for %{_target_cpu} on RHEL %{?rhel}"; +%endif +%endif %build # How many CPU's do we have? 
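Review bot: The devkit tarball path in the `%ifarch %{devkit_arches}` branch of the "Extract devkit" block is an unquoted glob (`sdk-%{_target_cpu}-%{_target_os}-gnu*.tar.gz`) that is never checked for a single match, and `devkit.info` from the extracted tree is then `source`d into the build shell. If more than one tarball sits under `%{_datadir}/%{devkit_name}`, `tar -xzf ${devkittarball}` treats the first as the archive and the rest as member names, so the build fails confusingly or unpacks something other than intended. Resolve the glob once and stop unless exactly one file matches, e.g. `set -- %{_datadir}/%{devkit_name}/sdk-%{_target_cpu}-%{_target_os}-gnu*.tar.gz; [ $# -eq 1 ] && [ -f "$1" ] || exit 1`, then use `"$1"` for the extraction. A one-line comment that `devkit.info` is executed as shell and is trusted only because it ships in the devkit package (presumably a BuildRequires, not visible in this hunk) would help the next reader.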
@@ -1036,6 +1056,7 @@ export NUM_PROC=${NUM_PROC:-1} # Honor %%_smp_ncpus_max [ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} %endif +export XZ_OPT="-T0" %ifarch s390x sparc64 alpha %{power64} %{aarch64} export ARCH_DATA_MODEL=64 
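Review bot: `export XZ_OPT="-T0"` in `%build` makes the `--xz` archives written by `createtar` (added later in this diff) depend on the builder. xz's single-threaded and multi-threaded compressors produce different output, and xz 5.2.x falls back to the single-threaded one for `-T0` on a machine with one hardware thread. Since the rest of this change works to make the portable tarballs reproducible, consider a fixed count that always selects the threaded compressor, e.g. `export XZ_OPT="-T2"`. Failing that, add a comment recording the assumption that every builder is multi-core.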
@@ -1059,9 +1080,61 @@ EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" %endif +%ifarch %{devkit_arches} +# Remove annobin plugin reference which isn't available in the devkit +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1||')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1||')" +# Force DWARF 4 for compatibility +EXTRA_CFLAGS="${EXTRA_CFLAGS} -gdwarf-4" +EXTRA_CPP_FLAGS="${EXTRA_CPP_FLAGS} -gdwarf-4" +%endif + export EXTRA_CFLAGS EXTRA_CPP_FLAGS -echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" +# Set modification times (mtimes) of files within JAR files generated +# by the OpenJDK build to a timestamp that is constant across RPM +# rebuilds. OpenJDK provides the --with-source-date configure option +# for this purpose. Potential arguments in the RPM build context are: +# +# A) --with-source-date="${SOURCE_DATE_EPOCH}" +# B) --with-source-date=version +# C) --with-source-date="${OPENJDK_UPSTREAM_TAG_EPOCH}" +# +# Consider Option A. Fedora 38 (rpm-4.18.2) and RHEL-8 (rpm-4.14.3) +# have different support for SOURCE_DATE_EPOCH. To keep +# SOURCE_DATE_EPOCH constant across RPM rebuilds, one could set the +# source_date_epoch_from_changelog macro to 1 on both Fedora 38 and +# RHEL-8. However, on RHEL-8, this results in the RPM build times +# being set to the timestamp of the most recent changelog. This is +# bad for tracing when RPMs were actually built. Fedora 38 supports a +# better behaviour via the introduction of the +# use_source_date_epoch_as_buildtime macro, set to 0 by default. +# There is no way to make this work on RHEL-8 as well though, so +# option A is suboptimal. 
+# +# Option B uses the value of the DEFAULT_VERSION_DATE field from +# make/conf/version-numbers.conf. DEFAULT_VERSION_DATE represents the +# aspirational eventual JDK general availability (GA) release date. +# When the RPM build occurs prior to GA, generated JAR files will have +# payload mtimes in the future relative to the RPM build time. +# Whereas for tarballs some tools will issue warnings about future +# mtimes, per OPENJDK-2583 apparently this is no problem for Java and +# JAR files. +# +# Option C uses the modification timestamp of files in the source +# tarball. The reproducibility logic in generate_source_tarball.sh +# sets them all to the commit time of the release-tagged OpenJDK +# commit, as archived in the tarball. This timestamp is deterministic +# across RPM rebuilds and is reliably in the past. Any file's mtime +# will do, so use version-numbers.conf's. +# +# Use option B for JAR files, based on the discussion in OPENJDK-2583. +# +# For portable tarballs, use option C (OPENJDK_UPSTREAM_TAG_EPOCH) for +# the modification times of all files in the portable tarballs. Doing +# so eliminates one source of variability across RPM rebuilds. +VERSION_FILE="$(pwd)"/"%{top_level_dir_name}"/make/conf/version-numbers.conf +OPENJDK_UPSTREAM_TAG_EPOCH="$(stat --format=%Y "${VERSION_FILE}")" function buildjdk() { local outputdir=${1} @@ -1070,6 +1143,7 @@ function buildjdk() { local debuglevel=${4} local link_opt=${5} local debug_symbols=${6} + local devkit=${7} local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} @@ -1091,6 +1165,11 @@ function buildjdk() { echo "Using debug_symbols: ${debug_symbols}" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" +%ifarch %{devkit_arches} + LIBPATH="${devkit}/lib:${devkit}/lib64" + echo "Setting library path to ${LIBPATH}" +%endif + mkdir -p ${outputdir} pushd ${outputdir} 
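Review bot: `LIBPATH` in `buildjdk` is assigned only inside `%ifarch %{devkit_arches}` and is not declared `local`, so on every other architecture the `LD_LIBRARY_PATH=${LIBPATH}` prefixes added to `configure` and `make` (hunks at -1098 and -1139) take whatever value the variable already has, including one inherited from the builder's environment. Initialise it unconditionally before the conditional, e.g. `local LIBPATH=""`, so the library search path used by the build is always set by the spec. The top-level `LIBPATH` assignment before the alt-java compile (hunk at -1316) has the same gap in its `%else` branch. `buildjdk` starts and ends outside this hunk.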
@@ -1098,17 +1177,18 @@ function buildjdk() { # rather than ${link_opt} as the system versions # are always used in a system_libs build, even # for the static library build + LD_LIBRARY_PATH=${LIBPATH} \ bash ${top_dir_abs_src_path}/configure \ %ifarch %{zero_arches} --with-jvm-variants=zero \ %endif -%ifarch %{ppc64le} - --with-jobs=1 \ +%ifarch %{devkit_arches} + --with-devkit=${devkit} \ %endif --with-cacerts-file=$(readlink -f %{_sysconfdir}/pki/java/cacerts) \ --with-version-build=%{buildver} \ - --with-version-pre="${ea_designator}" \ - --with-version-opt=%{lts_designator} \ + --with-version-pre="%{ea_designator}" \ + --with-version-opt="%{lts_designator}" \ --with-vendor-version-string="%{oj_vendor_version}" \ --with-vendor-name="%{oj_vendor}" \ --with-vendor-url="%{oj_vendor_url}" \ @@ -1131,7 +1211,7 @@ function buildjdk() { --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-ldflags="%{ourldflags}" \ --with-num-cores="$NUM_PROC" \ - --with-source-date="${SOURCE_DATE_EPOCH}" \ + --with-source-date="version" \ --disable-javac-server \ %ifarch %{zgc_arches} --with-jvm-features=zgc \ 
@@ -1139,17 +1219,108 @@ function buildjdk() { --disable-warnings-as-errors cat spec.gmk + LD_LIBRARY_PATH=${LIBPATH} \ make LOG=trace $maketargets || \ - ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false ) + ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false ) popd } +function stripjdk() { + local outputdir=${1} + local toolpath=${2} + local jdkimagepath=images/%{jdkimage} + local jreimagepath=images/%{jreimage} + local jmodimagepath=images/jmods + local modulefile=lib/modules + local supportdir=${outputdir}/support + local modulebuildpath=${outputdir}/jdk/modules + local jdkoutdir=${outputdir}/${jdkimagepath} + local jreoutdir=${outputdir}/${jreimagepath} + +%ifarch %{devkit_arches} + OBJCOPY=${toolpath}/objcopy + STRIP=${toolpath}/strip +%else + OBJCOPY=$(which objcopy) + STRIP=$(which strip) +%endif + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + cp -a ${jdkoutdir}{,.unstripped} + + # Strip the files + for file in $(find ${jdkoutdir} ${jreoutdir} ${supportdir} ${modulebuildpath} -type f) ; do + if file ${file} | cut -d ':' -f 2 | grep -q 'ELF'; then + noextfile=${file/.so/}; + ${OBJCOPY} --only-keep-debug ${file} ${noextfile}.debuginfo; + ${OBJCOPY} --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + ${STRIP} -g ${file}; + fi + done + + # Rebuild jmod files against the stripped binaries + if [ ! 
-d ${supportdir} ] ; then + echo "Support directory missing."; + exit 15 + fi + # Build the java.base jmod a third time to fix the hashes of dependent jmods + for cmd in $(find ${supportdir}/${jmodimagepath} -name '*.jmod_exec.cmdline') \ + ${supportdir}/${jmodimagepath}/*java.base*exec.cmdline ; do + pre=${cmd/_exec/_pre}; + post=${cmd/_exec/_post}; + jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##') + echo "Rebuilding ${jmod} against stripped binaries..."; + if [ -e ${pre} ] ; then + echo -e "Executing ${pre}...\n$(cat ${pre})"; + cat ${pre} | sh -s ; + fi + echo "Executing ${cmd}...$(cat ${cmd})"; + cat ${cmd} | sh -s ; + if [ -e ${post} ] ; then + echo -e "Executing ${post}...\n$(cat ${post})"; + cat ${post} | sh -s ; + fi + done + + # Rebuild the image with the stripped modules + for image in ${jdkimagepath} ${jreimagepath} ; do + outdir=${outputdir}/${image}; + jlink=${supportdir}/${image}/_jlink*_exec.cmdline; + # Backup the existing image as it contains + # files not generated by jlink + mv ${outdir}{,.bak}; + # Regenerate the image using the command + # generated using the initial build + echo -e "Executing ${jlink}...\n$(cat ${jlink})"; + cat ${jlink} | sh -s; + # Move the new jmods and module file from the new + # image to the old one + if [ -e ${outdir}.bak/jmods ] ; then + rm -rf ${outdir}.bak/jmods; + mv ${outdir}/jmods ${outdir}.bak; + fi + rm -f ${outdir}.bak/${modulefile}; + mv ${outdir}/${modulefile} ${outdir}.bak/$(dirname ${modulefile}); + # Restore the original image + rm -rf ${outdir}; + mv ${outdir}{.bak,}; + # Update the CDS archives + for cmd in ${supportdir}/${image}/*_gen_cds*_exec.cmdline ; do + echo -e "Executing ${cmd}...\n$(cat ${cmd})"; + cat ${cmd} | sh -s; + done + done + fi +} + function installjdk() { local outputdir=${1} local installdir=${2} local jdkimagepath=${installdir}/images/%{jdkimage} local jreimagepath=${installdir}/images/%{jreimage} + local unstripped=${jdkimagepath}.unstripped echo "Installing build 
from ${outputdir} to ${installdir}..." mkdir -p ${installdir} @@ -1178,7 +1349,7 @@ function installjdk() { fi; done - for imagepath in ${jdkimagepath} ${jreimagepath} ; do + for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do if [ -d ${imagepath} ] ; then # the build (erroneously) removes read permissions from some jars @@ -1193,14 +1364,6 @@ function installjdk() { # Install local files which are distributed with the JDK install -m 644 %{SOURCE10} ${imagepath} - install -m 644 nss.cfg ${imagepath}/conf/security/ - - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd # Print release information cat ${imagepath}/release 
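Review bot: In `stripjdk`, the "Support directory missing." guard runs only after the strip loop has already handed `${supportdir}` to `find` and rewritten the ELF files, so a missing directory is reported too late to prevent a half-processed tree. Move the check to the top of the `if [ "x$suffix" = "x" ]` block, e.g. `[ -d ${supportdir} ] || { echo "Support directory missing."; exit 15; }`. The generated `*.cmdline` files are piped to a plain `sh -s`; if any of them holds more than one command, a failure that is not the last command would go unnoticed, which `sh -e -s` would avoid. The `for … in $(find …)` loops also word-split paths, which is worth a comment stating that build paths are assumed to contain no whitespace.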
@@ -1221,12 +1384,61 @@ function genchecksum() { popd } +# Create a reproducible tarball in an appropriate way for +# the version of tar in use +function createtar() { + local directory=${1} + local archive=${2} + local filter=${3} + local transform=${4} + local exclude=${5} + + if [ "x${filter}" != "x" ] ; then + local filteroption="-name ${filter}"; + fi + if [ "x${transform}" != "x" ] ; then + local transoption="--transform ${transform}"; + fi + if [ "x${exclude}" != "x" ] ; then + local excludeoption="--exclude=${exclude}"; + fi + + local common_tar_opts="--owner=0 --group=0 --numeric-owner \ + ${transoption} ${excludeoption} --create --xz" + # Capture tar version, removing the decimal point (so 1.28 => 128) + tarver=$(tar --version|head -n1|sed -re 's|tar \(GNU tar\) ([0-9]).([0-9]*)|\1\2|') + echo "Detected tar ${tarver}" + if [ ${tarver} -gt 128 ] ; then + local tar_time="$(date --utc --iso-8601=seconds --date=@"${OPENJDK_UPSTREAM_TAG_EPOCH}")" + local tar_opts="--mtime=${tar_time} --sort=name ${common_tar_opts}" + if test "x${filteroption}" = "x"; then + tar ${tar_opts} --file ${archive} ${directory} + else + tar ${tar_opts} --file ${archive} $(find ${directory} ${filteroption}) + fi + else + # See https://reproducible-builds.org/docs/archives/ + # RHEL-7 has tar 1.26 which does not support --sort=name (added + # in 1.28), so use find-piped-through-sort instead. Omit + # --pax-option since it made the docs package not reproducible + # due to PaxHeaders timestamp differences. 
+ local tar_opts="--mtime=@${OPENJDK_UPSTREAM_TAG_EPOCH} \ + --no-recursion --null --files-from - \ + ${common_tar_opts}" + find ${directory} ${filteroption} -print0 | \ + LC_ALL=C sort -z | \ + tar ${tar_opts} --file ${archive} + fi +} + function packagejdk() { local imagesdir=$(pwd)/${1}/images local docdir=$(pwd)/${1}/images/docs local bundledir=$(pwd)/${1}/bundles local packagesdir=$(pwd)/${2} local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset + local altjavadir=$(pwd)/${3} echo "Packaging build from ${imagesdir} to ${packagesdir}..." mkdir -p ${packagesdir} @@ -1244,15 +1456,16 @@ function packagejdk() { jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} staticname=%{staticlibsportablename -- "$nameSuffix"} staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} - debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} - unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} - # We only use docs for the release build - docname=%{docportablename} - docarchive=${packagesdir}/%{docportablearchive} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - # These are from the source tree so no debug variants - miscname=%{miscportablename} - miscarchive=${packagesdir}/%{miscportablearchive} + + if [ "x$suffix" = "x" ] ; then + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + + # Keep the unstripped version for consumption by RHEL RPMs + mv %{jdkimage}.unstripped ${jdkname} + createtar ${jdkname} ${unstrippedarchive} + genchecksum ${unstrippedarchive} + mv ${jdkname} %{jdkimage}.unstripped + fi # Rename directories for packaging mv %{jdkimage} ${jdkname} 
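Review bot: `createtar` expands `${filteroption}`, `${excludeoption}` and `${transoption}` unquoted, so the patterns callers pass (`\*.debuginfo`, `"**.debuginfo"`) reach `find` and `tar` only after the shell has had a chance to glob them against the current directory. A matching file there would silently change what gets archived, which works against the reproducibility this function is meant to provide. Wrap the `find`/`tar` invocations in `set -f` … `set +f`, or build the options as arrays and expand them quoted. The three option variables are also declared `local` only when their argument is non-empty, so a same-named global would leak in otherwise; declare them up front with `local filteroption="" transoption="" excludeoption=""`.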
@@ -1260,50 +1473,48 @@ function packagejdk() { # Release images have external debug symbols if [ "x$suffix" = "x" ] ; then - # Keep the unstripped version for consumption by RHEL RPMs - tar -cJf ${unstrippedarchive} ${jdkname} - genchecksum ${unstrippedarchive} + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} - # Strip the files - for file in $(find ${jdkname} ${jrename} -type f) ; do - if file ${file} | grep -q 'ELF'; then - noextfile=${file/.so/}; - objcopy --only-keep-debug ${file} ${noextfile}.debuginfo; - objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}; - strip -g ${file}; - fi - done - - tar -cJf ${debugarchive} $(find ${jdkname} -name \*.debuginfo) + createtar ${jdkname} ${debugarchive} \*.debuginfo genchecksum ${debugarchive} - mkdir ${docname} - mv ${docdir} ${docname} - mv ${bundledir}/${built_doc_archive} ${docname} - tar -cJf ${docarchive} ${docname} - genchecksum ${docarchive} + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + createtar ${docname} ${docarchive} + genchecksum ${docarchive} - mkdir ${miscname} - for s in 16 24 32 48 ; do - cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} - done - cp -a ${srcdir}/src/sample ${miscname} - tar -cJf ${miscarchive} ${miscname} - genchecksum ${miscarchive} + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif + cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname} + createtar 
${miscname} ${miscarchive} + genchecksum ${miscarchive} fi - tar -cJf ${jdkarchive} --exclude='**.debuginfo' ${jdkname} + createtar ${jdkname} ${jdkarchive} "" "" "**.debuginfo" genchecksum ${jdkarchive} - tar -cJf ${jrearchive} --exclude='**.debuginfo' ${jrename} + createtar ${jrename} ${jrearchive} "" "" "**.debuginfo" genchecksum ${jrearchive} %if %{include_staticlibs} # Static libraries (needed for building graal vm with native image) # Tar as overlay. Transform to the JDK name, since we just want to "add" # static libraries to that folder - tar -cJf ${staticarchive} \ - --transform "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" + createtar "%{static_libs_image}/lib" ${staticarchive} "" \ + "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" genchecksum ${staticarchive} %endif 
@@ -1316,12 +1527,32 @@ function packagejdk() { } +%ifarch %{devkit_arches} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + GCC="${DEVKIT_TOOLCHAIN_PATH}/gcc --sysroot=${DEVKIT_SYSROOT}" + LIBPATH="${DEVKIT_ROOT}/lib:${DEVKIT_ROOT}/lib64" +%else + GCC=$(which gcc) +%endif + +echo "Building %{SOURCE11}" +mkdir -p %{altjavaoutputdir} +LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11} +echo "Generating %{alt_java_name} man page" +altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1 +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage} +cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage} + +echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + %if %{build_hotspot_first} # Build a fresh libjvm.so first and use it to bootstrap + echo "Building HotSpot only for the latest libjvm.so" cp -LR --preserve=mode,timestamps %{bootjdk} newboot systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" - mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" ${DEVKIT_ROOT} + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} %else systemjdk=%{bootjdk} %endif 
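Review bot: The new `%{alt_java_name}` launcher is compiled and linked by a single `${GCC}` invocation that passes `${EXTRA_CFLAGS}` but no linker flags, whereas the JDK itself is configured with `--with-extra-ldflags="%{ourldflags}"`. For the binary its own man page calls the hardened launcher, link with the same flags so it picks up whatever RELRO, PIE or build-id settings they carry: `LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} %{ourldflags} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}`. The definition of `%{ourldflags}` is outside this hunk, so confirm it is usable on a direct gcc command line.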
@@ -1363,16 +1594,18 @@ for suffix in %{build_loop} ; do run_bootstrap=%{bootstrap_build} fi if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} installjdk ${bootbuilddir} ${bootinstalldir} - buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + stripjdk ${builddir} ${DEVKIT_TOOLCHAIN_PATH} installjdk ${builddir} ${installdir} %{!?with_artifacts:rm -rf ${bootinstalldir}} else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + stripjdk ${builddir} ${DEVKIT_TOOLCHAIN_PATH} installjdk ${builddir} ${installdir} fi - packagejdk ${installdir} ${packagesdir} + packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir} %if %{system_libs} # Restore original source tree we modified by removing full in-tree sources 
@@ -1403,51 +1636,91 @@ export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} #sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ #${JAVA_HOME}/conf/security/java.security - -#check Shenandoah is enabled -%if %{use_shenandoah_hotspot} -$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version -%endif - -# Check unlimited policy has been used -$JAVA_HOME/bin/javac -d . %{SOURCE13} -$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel - -# Check ECC is working -$JAVA_HOME/bin/javac -d . %{SOURCE14} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") - -# Check system crypto (policy) is active and can be disabled -# Test takes a single argument - true or false - to state whether system -# security properties are enabled or not. -$JAVA_HOME/bin/javac -d . %{SOURCE15} -export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") -export SEC_DEBUG="-Djava.security.debug=properties" -# Specific to portable:System security properties to be off by default -$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false - -# Check correct vendor values have been set -$JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" - -# Check java launcher has no SSB mitigation -if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi - -# Check alt-java launcher has SSB mitigation on supported architectures -%ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +# Set up tools +%ifarch %{devkit_arches} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + NM="${DEVKIT_TOOLCHAIN_PATH}/nm" %else -if ! 
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi + NM=$(which nm) %endif +# elfutils readelf supports more binaries than binutils version on RHEL 8 +# and debug symbols tests below were designed around this version +READELF=$(which eu-readelf) +# Only native gdb seems to work +# The devkit gdb needs the devkit stdc++ library but then the JVM +# segfaults when this is on the LD_LIBRARY_PATH +GDB=$(which gdb) + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + + # Check unlimited policy has been used + $JAVA_HOME/bin/javac -d . %{SOURCE13} + $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + + # Check ECC is working + $JAVA_HOME/bin/javac -d . %{SOURCE14} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + + # Check system crypto (policy) is active and can be disabled + # Test takes a single argument - true or false - to state whether system + # security properties are enabled or not. + $JAVA_HOME/bin/javac -d . %{SOURCE15} + export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") + export SEC_DEBUG="-Djava.security.debug=properties" + # Specific to portable:System security properties to be off by default + $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false + $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + + # Check correct vendor values have been set + $JAVA_HOME/bin/javac -d . %{SOURCE16} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" %if ! 
0%{?flatpak} -# Check translations are available for new timezones (during flatpak builds, the -# tzdb.dat used by this test is not where the test expects it, so this is -# disabled for flatpak builds) -$JAVA_HOME/bin/javac -d . %{SOURCE18} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE -$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR + # Check translations are available for new timezones (during flatpak builds, the + # tzdb.dat used by this test is not where the test expects it, so this is + # disabled for flatpak builds) + # Disable test until we are on the latest JDK + $JAVA_HOME/bin/javac -d . %{SOURCE18} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + + # Check src.zip has all sources. See RHBZ#1130490 + unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + + # Check class files include useful debugging information + $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + + # Check generated class files include useful debugging information + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + + # Just run a basic java -version test on other architectures + $JAVA_HOME/bin/java -version + +%endif + +# Check java launcher has no SSB mitigation +if ! 
${NM} $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +%ifarch %{ssbd_arches} +${NM} %{altjavaoutputdir}/%{alt_java_name} | grep prctl +%else +if ! ${NM} %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi %endif %if %{include_staticlibs} @@ -1455,9 +1728,8 @@ $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})| export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} ls -l $STATIC_LIBS_HOME ls -l $STATIC_LIBS_HOME/lib -# they are here, but grep do not find the remainders -#readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c -#readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +${READELF} --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +${READELF} --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c %endif # Release builds strip the debug symbols into external .debuginfo files 
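Review bot: With the new `%ifarch %{jdk_test_arch}` guard, the crypto-policy (`TestCryptoLevel`), ECC, system-security-properties (`%{SOURCE15}`) and vendor checks run on one architecture only, and every other architecture is covered by `java -version` alone. If the crypto policy and FIPS patch applied in `%prep` touches anything architecture-dependent, a regression there would pass `%check` unnoticed. Either keep those two security checks outside the guard or extend the existing comment to state why they are architecture-independent. Separately, the added line `# Disable test until we are on the latest JDK` sits above the `%{SOURCE18}` translation test, which still runs; drop the comment or actually disable the test.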
@@ -1476,15 +1748,15 @@ do # Test for .debug_* sections in the shared object. This is the main test # Stripped objects will not contain these - eu-readelf -S "$lib" | grep "] .debug_" - test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + ${READELF} -S "$lib" | grep "] .debug_" + test $(${READELF} -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 # Test FILE symbols. These will most likely be removed by anything that # manipulates symbol tables because it's generally useless. So a nice test # that nothing has messed with symbols old_IFS="$IFS" IFS=$'\n' - for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + for line in $(${READELF} -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") do # We expect to see .cpp and .S files, except for architectures like aarch64 and # s390 where we expect .o and .oS files @@ -1494,17 +1766,17 @@ do # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking if [ "`basename $lib`" = "libjvm.so" ]; then - eu-readelf -s "$lib" | \ + ${READELF} -s "$lib" | \ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" fi # Test that there are no .gnu_debuglink sections pointing to another # debuginfo file. There shouldn't be any debuginfo files, so the link makes # no sense either - eu-readelf -S "$lib" | grep 'gnu' - if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + ${READELF} -S "$lib" | grep 'gnu' + if ${READELF} -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then echo "bad .gnu_debuglink section." - eu-readelf -x .gnu_debuglink "$lib" + ${READELF} -x .gnu_debuglink "$lib" false fi fi 
@@ -1516,7 +1788,7 @@ done # Using line number 1 might cause build problems. See: # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 -gdb -q "$JAVA_HOME/bin/java" < - 1:21.0.6.0.7-1 +- Update to jdk-21.0.6+7 (GA) +- Update release notes to 21.0.6+7 +- Build with DWARF 4 debuginfo for compatibility with older toolchains +- Check for CentOS being defined to determine use of devkit +- Bump devkit requirement to 1.0-9 to bring in updated sysroot +- Drop workaround of building s390x with dynamic libstdc++ +- Turn on fresh_libjvm now 21.0.5 with JDK-8329088 is released +- ** This tarball is embargoed until 2025-01-21 @ 1pm PT. ** +- Resolves: OPENJDK-3556 +- Resolves: OPENJDK-3590 +- Related: OPENJDK-3070 + +* Thu Nov 28 2024 Andrew Hughes - 1:21.0.5.0.11-2 +- Bump devkit requirement to 1.0-8 to bring in the gcc with --enable-linker-build-id +- Related: OPENJDK-3068 + +* Wed Oct 16 2024 Andrew Hughes - 1:21.0.5.0.11-1 +- Update to jdk-21.0.5+11 (GA) +- Update release notes to 21.0.5+11 +- Remove local JDK-8327501 & JDK-8328366 backport as this is now upstream. + +* Sat Oct 12 2024 Andrew Hughes - 1:21.0.5.0.10-1 +- Update to jdk-21.0.5+10 (GA) +- Update release notes to 21.0.5+10 +- Switch to GA mode. +- Revert JDK-8327501 & JDK-8328366 backport until more mature. +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. 
** +- Resolves: OPENJDK-3327 +- Resolves: OPENJDK-3084 + +* Thu Oct 10 2024 Andrew Hughes - 1:21.0.5.0.9-0.1.ea +- Update to jdk-21.0.5+9 (EA) +- Update release notes to 21.0.5+9 + +* Wed Sep 18 2024 Andrew Hughes - 1:21.0.5.0.5-0.1.ea +- Update to jdk-21.0.5+5 (EA) +- Update release notes to 21.0.5+5 + +* Sun Sep 15 2024 Andrew Hughes - 1:21.0.5.0.1-0.1.ea +- Update to jdk-21.0.5+1 (EA) +- Update release notes to 21.0.5+1 +- Switch to EA mode +- Bump giflib version to 5.2.2 following JDK-8328999 +- Bump libpng version to 1.6.43 following JDK-8329004 +- Turn off fresh_libjvm following JDK-8329088 which changes jdk.internal.vm.StackChunk in CDS archive +- Add build scripts to repository to ease remembering all CentOS & RHEL targets and options +- Make build scripts executable + +* Fri Jul 12 2024 Andrew Hughes - 1:21.0.4.0.7-1 +- Update to jdk-21.0.4+7 (GA) +- Update release notes to 21.0.4+7 +- Switch to GA mode. +- Sync with RHEL 7 portable build: + - Conditionally define __os_install_post, dtsversion & pkgos only on RHEL 7 + - Use ExclusiveArch over ExcludeArch + - Depend on devtoolset only on RHEL 7 + - Use javapackages-filesystem rather than manually defining _jvmdir + - Restrict pandoc dependency to RHEL/CentOS 8 + - Drop unused component macro +- Sync ExclusiveArch with devkit_arches on RHEL only +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. 
** +- Resolves: OPENJDK-2756 +- Resolves: OPENJDK-3163 + +* Wed Jun 26 2024 Andrew Hughes - 1:21.0.4.0.5-0.1.ea +- Update to jdk-21.0.4+5 (EA) +- Update release notes to 21.0.4+5 +- Move unstripped, misc and doc tarball handling into normal build / no suffix blocks +- Limit Java only tests to one architecture using jdk_test_arch +- Drop unneeded tzdata-java build dependency following 3e3cf8fa2df7bac2f6a60a0ddd596ec39228a3e1 +- Resolves: OPENJDK-3133 +- Resolves: OPENJDK-3237 +- Resolves: OPENJDK-3182 +- Resolves: OPENJDK-3190 + +* Sat Jun 22 2024 Andrew Hughes - 1:21.0.4.0.1-0.1.ea +- Update to jdk-21.0.4+1 (EA) +- Update release notes to 21.0.4+1 +- Switch to EA mode +- Bump LCMS 2 version to 2.16.0 following JDK-8321489 +- Add zlib build requirement or bundled version (1.3.1), depending on system_libs setting +- Resolves: OPENJDK-3061 +- Resolves: OPENJDK-3064 + +* Sat Apr 13 2024 Andrew Hughes - 1:21.0.3.0.9-1 +- Update to jdk-21.0.3+9 (GA) +- Update release notes to 21.0.3+9 +- Switch to GA mode. +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. 
** + +* Thu Apr 04 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 + +* Wed Mar 20 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.1.ea +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Fix -ea logic to add dash +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166) +- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004) +- Use backward-compatible patch syntax +- generate_source_tarball.sh: Ignore -ga tags with OPENJDK_LATEST +- generate_source_tarball.sh: Fix whitespace +- 
generate_source_tarball.sh: Remove trailing period in echo +- generate_source_tarball.sh: Use long-style argument to grep +- generate_source_tarball.sh: Add license +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Remove -T0 argument from systemtap tar invocation +- Use RHEL-7 tar-1.26-compatible invocations for reproducible tarballs +- createtar: Add exclude option +- packagejdk: Exclude debuginfo when creating jdkarchive and jrearchive tarballs +- Resolves: OPENJDK-2995 + +* Mon Mar 18 2024 Andrew Hughes - 1:21.0.3.0.1-0.1.ea +- Update to jdk-21.0.3+1 (EA) +- Update release notes to 21.0.3+1 +- Switch to EA mode +- Require tzdata 2023d due to upstream inclusion of JDK-8322725 +- Bump FreeType version to 2.13.2 following JDK-8316028 +- Add module build path to stripped directories to catch jpackageapplauncher files +- Move alt-java man page to the misc tarball so it is not in the JDK image +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- 
openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck +- Vary reproducible tar creation by version of tar detected +- Set OPENJDK_UPSTREAM_TAG_EPOCH & VERSION_FILE at start of build section as in 17u +- Change --with-source-date value to 'version' to match Temurin builds +- Re-run jlink to regenerate the jmods directory and lib/modules with stripped libraries +- Rebuild CDS archives against the updated lib/modules +- Require openjdk-devkit 1.0-4 to bring in fixes for .comment section and deterministic archives +- Bump devkit requirement to 1.0-5 to bring in the bootstrapped version +- Set LD_LIBRARY_PATH when calling gcc to build alt-java +- Set LD_LIBRARY_PATH when calling configure +- Set LD_LIBRARY_PATH when calling make +- Bump devkit requirement to 1.0-6 to bring in the AS=/as fix +- Resolves: OPENJDK-2820 +- Resolves: OPENJDK-2821 +- Resolves: OPENJDK-2585 +- Resolves: OPENJDK-3138 + +* Fri Mar 15 2024 Andrew Hughes - 1:21.0.2.0.13-1 +- Update to jdk-21.0.2+13 (GA) +- Update release notes to 21.0.2+13 +- Bump libpng version to 1.6.40 following JDK-8316030 +- Bump HarfBuzz version to 8.2.2 following JDK-8313643 + +* Mon Mar 11 2024 Andrew Hughes - 1:21.0.1.0.12-2 +- Use a devkit to build on architectures where we have one (s390x, aarch64, ppc64le, x86_64) +- Use a dynamic libstdc++ on s390x to workaround failure with static libstdc++ +- Use the devkit tools during the check stage so they can understand the generated binaries +- Use eu-readelf on devkit and non-devkit builds as debug symbol tests rely on its behaviour +- Use system gdb for both builds as 
devkit version fails (needs devkit libraries, then JDK segfaults with them) +- Filter out annobin plugin when using the devkit +- Drop static libstdc++ build dependency on devkit builds as it should come from the devkit +- Introduce tar_opts to avoid repetition of lengthy tar creation options + +* Thu Feb 08 2024 Thomas Fitzsimmons - 1:21.0.1.0.12-2 +- Invoke xz in multi-threaded mode +- Remove ppc64le with-jobs=1 workaround +- Make portable tarball modification times reproducible + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.1.0.12-1 +- Update to jdk-21.0.1.0+12 (GA) +- Update release notes to 21.0.1.0+12 +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng) +- Sync generate_tarball.sh with 11u & 17u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Fix upstream release URL for OpenJDK source +- Update buildjdkver to match the featurever + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.0.0.35-4 +- Rebuild jmods using the stripped binaries in release builds +- Make sure the unstripped JDK is customised by the installjdk function +- Resolves: OPENJDK-1974 + +* Thu Oct 26 2023 Andrew Hughes - 1:21.0.0.0.35-3 +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Depend on graphviz & pandoc for full documentation support +- Fix typo which stops the EA designator being included in the build +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation + +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md, add missing JEP to release notes) +- Replace alt-java patch with a binary separate from the JDK +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant 
RH1648242 patch any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed +- Related: rhbz#2192749 + +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update release notes to 21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Hardcode buildjdkver while the build JDK is not yet 21 +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Related: rhbz#2192749 + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: rhbz#2192749 + +* Wed Aug 16 2023 Andrew Hughes - 1:20.0.0.0.36-1 +- Update to jdk-20.0.2+9 +- Update release notes to 20.0.2+9 +- Update system crypto policy & FIPS patch from new fips-20u tree +- Update generate_tarball.sh ICEDTEA_VERSION +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) +- Related: rhbz#2192749 + +* Wed Aug 16 2023 Jiri Vanek - 1:20.0.0.0.36-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch +- Related: rhbz#2192749 + +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.1.0.10-1 +- Update to jdk-19.0.2 release +- Update release notes to 19.0.2 +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 +- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag +- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u 
& 17u releases +- Related: rhbz#2192749 + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Update release notes to actually reflect OpenJDK 18 +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Switch bootjdkver to java-21-openjdk +- Disable tzdata tests until we are on the latest JDK and things are back in sync +- Related: rhbz#2192749 + +* Thu Aug 10 2023 Petra Alice Mikova - 1:18.0.0.0.37-1 +- Update to ea version of jdk18 +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +- Related: rhbz#2192749 + * Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-2 - Create java-21-openjdk-portable package based on java-17-openjdk-portable - Related: rhbz#2192749 diff --git a/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch b/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch deleted file mode 100644 index 5a5263a..0000000 --- a/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -commit 1b3825db8631e55771fb723d4fcd10040ea15b7e -Author: duke -Date: Wed Apr 12 17:25:27 2023 +0000 - - Backport ec199072c5867624d66840238cc8828e16ae8da7 - -diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -index 6f6e190efcd..ef278203182 100644 ---- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -@@ -608,34 +608,6 @@ public final class ZoneInfoFile { - params[8] = endRule.secondOfDay * 1000; - params[9] = toSTZTime[endRule.timeDefinition]; - dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; -- -- // Note: known mismatching -> Asia/Amman -- // ZoneInfo : startDayOfWeek=5 <= Thursday -- // startTime=86400000 <= 24 hours -- // This: startDayOfWeek=6 -- // startTime=0 -- // Similar workaround needs to be applied to Africa/Cairo and -- // its endDayOfWeek and endTime -- // Below is the workarounds, it probably slows down everyone a little -- if (params[2] == 6 && params[3] == 0 && -- (zoneId.equals("Asia/Amman"))) { -- params[2] = 5; -- params[3] = 86400000; -- } -- // Additional check for startDayOfWeek=6 and starTime=86400000 -- // is needed for Asia/Amman; -- if (params[2] == 7 && params[3] == 0 && -- (zoneId.equals("Asia/Amman"))) { -- params[2] = 6; // Friday -- params[3] = 86400000; // 24h -- } -- //endDayOfWeek and endTime workaround -- if (params[7] == 6 && params[8] == 0 && -- (zoneId.equals("Africa/Cairo"))) { -- params[7] = 5; -- params[8] = 86400000; -- } -- - } else if (nTrans > 0) { // only do this if there is something in table already - if (lastyear < LASTYEAR) { - // ZoneInfo has an ending entry for 2037 -@@ -908,7 +880,6 @@ public final class ZoneInfoFile { - this.dow = dowByte == 0 ? -1 : dowByte; - this.secondOfDay = timeByte == 31 ? 
in.readInt() : timeByte * 3600; - this.timeDefinition = (data & (3 << 12)) >>> 12; -- - this.standardOffset = stdByte == 255 ? in.readInt() : (stdByte - 128) * 900; - this.offsetBefore = beforeByte == 3 ? in.readInt() : standardOffset + beforeByte * 1800; - this.offsetAfter = afterByte == 3 ? in.readInt() : standardOffset + afterByte * 1800; diff --git a/SOURCES/jdk8305113-tzdata2023c.patch b/SOURCES/jdk8305113-tzdata2023c.patch deleted file mode 100644 index 6758dfd..0000000 --- a/SOURCES/jdk8305113-tzdata2023c.patch +++ /dev/null 
@@ -1,1098 +0,0 @@ -commit 9619cdb7b7f63f2d8a71d35c8672be93fd6255e9 -Author: Yoshiki Sato -Date: Wed Apr 5 01:19:00 2023 +0000 - - Backport ed9592c6e81f82e2bf6508ce45ba15aad8232181 - -diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION -index 0f328a4a7ff..66bd061e8bc 100644 ---- a/make/data/tzdata/VERSION -+++ b/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022g -+tzdata2023c -diff --git a/make/data/tzdata/africa b/make/data/tzdata/africa -index 830d7d10b7e..a73405fdb01 100644 ---- a/make/data/tzdata/africa -+++ b/make/data/tzdata/africa -@@ -344,6 +344,14 @@ Rule Egypt 2007 only - Sep Thu>=1 24:00 0 - - # From Mina Samuel (2016-07-04): - # Egyptian government took the decision to cancel the DST, - -+# From Ahmad ElDardiry (2023-03-01): -+# Egypt officially announced today that daylight savings will be -+# applied from last Friday of April to last Thursday of October. -+# From Paul Eggert (2023-03-01): -+# Assume transitions are at 00:00 and 24:00 respectively. -+# From Amir Adib (2023-03-07): -+# https://www.facebook.com/EgyptianCabinet/posts/638829614954129/ -+ - Rule Egypt 2008 only - Aug lastThu 24:00 0 - - Rule Egypt 2009 only - Aug 20 24:00 0 - - Rule Egypt 2010 only - Aug 10 24:00 0 - -@@ -353,6 +361,8 @@ Rule Egypt 2014 only - May 15 24:00 1:00 S - Rule Egypt 2014 only - Jun 26 24:00 0 - - Rule Egypt 2014 only - Jul 31 24:00 1:00 S - Rule Egypt 2014 only - Sep lastThu 24:00 0 - -+Rule Egypt 2023 max - Apr lastFri 0:00 1:00 S -+Rule Egypt 2023 max - Oct lastThu 24:00 0 - - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - #STDOFF 2:05:08.9 -@@ -452,7 +462,7 @@ Zone Africa/Nairobi 2:27:16 - LMT 1908 May - # President William R. Tolbert, Jr., July 23, 1971-July 31, 1972. - # Monrovia: Executive Mansion. 
- # --# Use the abbreviation "MMT" before 1972, as the more-accurate numeric -+# Use the abbreviation "MMT" before 1972, as the more accurate numeric - # abbreviation "-004430" would be one byte over the POSIX limit. - # - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -589,8 +599,8 @@ Zone Africa/Tripoli 0:52:44 - LMT 1920 - # DST the coming summer... - # - # Some sources, in French: --# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-%C2%AB-L%E2%80%99heure-d%E2%80%99%C3%A9t%C3%A9-ne-sera-pas-appliqu%C3%A9e-cette-ann%C3%A9e-%C2%BB --# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints- -+# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-«-L%E2%80%99heure-d%E2%80%99été-ne-sera-pas-appliquée-cette-année-» -+# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-économie-d-énergie-de-l-heure-d-été-ont-été-atteints- - # - # Our wrap-up: - # https://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html -@@ -721,7 +731,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis - # More articles in the press - # https://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html - # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923 --# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim -+# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT+1-a-partir-de-dim - - # From Petr Machata (2011-03-30): - # They have it written in English here: -@@ -736,7 +746,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis - # According to Infomédiaire web site from Morocco (infomediaire.ma), - # on March 9, 2012, (in French) Heure légale: - # Le Maroc adopte officiellement l'heure d'été --# http://www.infomediaire.ma/news/maroc/heure-l%C3%A9gale-le-maroc-adopte-officiellement-lheure-d%C3%A9t%C3%A9 -+# http://www.infomediaire.ma/news/maroc/heure-légale-le-maroc-adopte-officiellement-lheure-dété - # Governing 
Council adopted draft decree, that Morocco DST starts on - # the last Sunday of March (March 25, 2012) and ends on - # last Sunday of September (September 30, 2012) -@@ -860,19 +870,28 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis - # Friday or Saturday (and so the 2 days off are on a weekend), the next time - # shift will be the next weekend. - # --# From Paul Eggert (2020-05-31): -+# From Milamber (2021-03-31, 2022-03-10): -+# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 -+# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ -+# -+# From Milamber (2023-03-14, 2023-03-15): -+# The return to legal GMT time will take place this Sunday, March 19 at 3 a.m. -+# ... the return to GMT+1 will be made on Sunday April 23, 2023 at 2 a.m. -+# https://www.mmsp.gov.ma/fr/actualites/passage-à-l%E2%80%99heure-gmt-à-partir-du-dimanche-19-mars-2023 -+# -+# From Paul Eggert (2023-03-14): - # For now, guess that in the future Morocco will fall back at 03:00 - # the last Sunday before Ramadan, and spring forward at 02:00 the --# first Sunday after two days after Ramadan. To implement this, -+# first Sunday after one day after Ramadan. To implement this, - # transition dates and times for 2019 through 2087 were determined by --# running the following program under GNU Emacs 26.3. (This algorithm -+# running the following program under GNU Emacs 28.2. (This algorithm - # also produces the correct transition dates for 2016 through 2018, - # though the times differ due to Morocco's time zone change in 2018.) 
- # (let ((islamic-year 1440)) - # (require 'cal-islam) - # (while (< islamic-year 1511) - # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) --# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) -+# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) - # (sunday 0)) - # (while (/= sunday (mod (setq a (1- a)) 7))) - # (while (/= sunday (mod b 7)) -@@ -886,10 +905,6 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis - # (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) - # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) - # (setq islamic-year (+ 1 islamic-year)))) --# --# From Milamber (2021-03-31, 2022-03-10), confirming these predictions: --# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 --# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Morocco 1939 only - Sep 12 0:00 1:00 - -@@ -942,7 +957,7 @@ Rule Morocco 2021 only - May 16 2:00 0 - - Rule Morocco 2022 only - Mar 27 3:00 -1:00 - - Rule Morocco 2022 only - May 8 2:00 0 - - Rule Morocco 2023 only - Mar 19 3:00 -1:00 - --Rule Morocco 2023 only - Apr 30 2:00 0 - -+Rule Morocco 2023 only - Apr 23 2:00 0 - - Rule Morocco 2024 only - Mar 10 3:00 -1:00 - - Rule Morocco 2024 only - Apr 14 2:00 0 - - Rule Morocco 2025 only - Feb 23 3:00 -1:00 - -@@ -958,7 +973,7 @@ Rule Morocco 2029 only - Feb 18 2:00 0 - - Rule Morocco 2029 only - Dec 30 3:00 -1:00 - - Rule Morocco 2030 only - Feb 10 2:00 0 - - Rule Morocco 2030 only - Dec 22 3:00 -1:00 - --Rule Morocco 2031 only - Feb 2 2:00 0 - -+Rule Morocco 2031 only - Jan 26 2:00 0 - - Rule Morocco 2031 only - Dec 14 3:00 -1:00 - - Rule Morocco 2032 only - Jan 18 2:00 0 - - Rule Morocco 2032 only - Nov 28 3:00 -1:00 - -@@ -974,7 +989,7 @@ Rule Morocco 2036 only - Nov 23 2:00 0 - - Rule Morocco 2037 only - Oct 4 3:00 -1:00 - - Rule Morocco 2037 only - Nov 15 2:00 0 - - Rule Morocco 
2038 only - Sep 26 3:00 -1:00 - --Rule Morocco 2038 only - Nov 7 2:00 0 - -+Rule Morocco 2038 only - Oct 31 2:00 0 - - Rule Morocco 2039 only - Sep 18 3:00 -1:00 - - Rule Morocco 2039 only - Oct 23 2:00 0 - - Rule Morocco 2040 only - Sep 2 3:00 -1:00 - -@@ -990,7 +1005,7 @@ Rule Morocco 2044 only - Aug 28 2:00 0 - - Rule Morocco 2045 only - Jul 9 3:00 -1:00 - - Rule Morocco 2045 only - Aug 20 2:00 0 - - Rule Morocco 2046 only - Jul 1 3:00 -1:00 - --Rule Morocco 2046 only - Aug 12 2:00 0 - -+Rule Morocco 2046 only - Aug 5 2:00 0 - - Rule Morocco 2047 only - Jun 23 3:00 -1:00 - - Rule Morocco 2047 only - Jul 28 2:00 0 - - Rule Morocco 2048 only - Jun 7 3:00 -1:00 - -@@ -1006,7 +1021,7 @@ Rule Morocco 2052 only - Jun 2 2:00 0 - - Rule Morocco 2053 only - Apr 13 3:00 -1:00 - - Rule Morocco 2053 only - May 25 2:00 0 - - Rule Morocco 2054 only - Apr 5 3:00 -1:00 - --Rule Morocco 2054 only - May 17 2:00 0 - -+Rule Morocco 2054 only - May 10 2:00 0 - - Rule Morocco 2055 only - Mar 28 3:00 -1:00 - - Rule Morocco 2055 only - May 2 2:00 0 - - Rule Morocco 2056 only - Mar 12 3:00 -1:00 - -@@ -1022,7 +1037,7 @@ Rule Morocco 2060 only - Mar 7 2:00 0 - - Rule Morocco 2061 only - Jan 16 3:00 -1:00 - - Rule Morocco 2061 only - Feb 27 2:00 0 - - Rule Morocco 2062 only - Jan 8 3:00 -1:00 - --Rule Morocco 2062 only - Feb 19 2:00 0 - -+Rule Morocco 2062 only - Feb 12 2:00 0 - - Rule Morocco 2062 only - Dec 31 3:00 -1:00 - - Rule Morocco 2063 only - Feb 4 2:00 0 - - Rule Morocco 2063 only - Dec 16 3:00 -1:00 - -@@ -1038,7 +1053,7 @@ Rule Morocco 2067 only - Dec 11 2:00 0 - - Rule Morocco 2068 only - Oct 21 3:00 -1:00 - - Rule Morocco 2068 only - Dec 2 2:00 0 - - Rule Morocco 2069 only - Oct 13 3:00 -1:00 - --Rule Morocco 2069 only - Nov 24 2:00 0 - -+Rule Morocco 2069 only - Nov 17 2:00 0 - - Rule Morocco 2070 only - Oct 5 3:00 -1:00 - - Rule Morocco 2070 only - Nov 9 2:00 0 - - Rule Morocco 2071 only - Sep 20 3:00 -1:00 - -@@ -1054,7 +1069,7 @@ Rule Morocco 2075 only - Sep 15 2:00 0 - 
- Rule Morocco 2076 only - Jul 26 3:00 -1:00 - - Rule Morocco 2076 only - Sep 6 2:00 0 - - Rule Morocco 2077 only - Jul 18 3:00 -1:00 - --Rule Morocco 2077 only - Aug 29 2:00 0 - -+Rule Morocco 2077 only - Aug 22 2:00 0 - - Rule Morocco 2078 only - Jul 10 3:00 -1:00 - - Rule Morocco 2078 only - Aug 14 2:00 0 - - Rule Morocco 2079 only - Jun 25 3:00 -1:00 - -@@ -1064,13 +1079,13 @@ Rule Morocco 2080 only - Jul 21 2:00 0 - - Rule Morocco 2081 only - Jun 1 3:00 -1:00 - - Rule Morocco 2081 only - Jul 13 2:00 0 - - Rule Morocco 2082 only - May 24 3:00 -1:00 - --Rule Morocco 2082 only - Jul 5 2:00 0 - -+Rule Morocco 2082 only - Jun 28 2:00 0 - - Rule Morocco 2083 only - May 16 3:00 -1:00 - - Rule Morocco 2083 only - Jun 20 2:00 0 - - Rule Morocco 2084 only - Apr 30 3:00 -1:00 - - Rule Morocco 2084 only - Jun 11 2:00 0 - - Rule Morocco 2085 only - Apr 22 3:00 -1:00 - --Rule Morocco 2085 only - Jun 3 2:00 0 - -+Rule Morocco 2085 only - May 27 2:00 0 - - Rule Morocco 2086 only - Apr 14 3:00 -1:00 - - Rule Morocco 2086 only - May 19 2:00 0 - - Rule Morocco 2087 only - Mar 30 3:00 -1:00 - -@@ -1213,15 +1228,15 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 - # From P Chan (2020-12-03): - # GMT was adopted as the standard time of Lagos on 1905-07-01. - # Lagos Weekly Record, 1905-06-24, p 3 --# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235 -+# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446,5221,1931,1235 - # says "It is officially notified that on and after the 1st of July 1905 --# Greenwich Mean Solar Time will be adopted thought the Colony and -+# Greenwich Mean Solar Time will be adopted throughout the Colony and - # Protectorate, and that it will be necessary to put all clocks 13 minutes and - # 35 seconds back, recording local mean time." - # - # It seemed that Lagos returned to LMT on 1908-07-01. 
- # [The Lagos Standard], 1908-07-01, p 5 --# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523 -+# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92,3590,3944,2523 - # says "Scarcely have the people become accustomed to this new time, when - # another official notice has now appeared announcing that from and after the - # 1st July next, return will be made to local mean time." -@@ -1233,7 +1248,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 - # https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27 - # "On January 1st [1914], a universal standard time for Nigeria was adopted, - # viz., half an hour fast on Greenwich mean time, corresponding to the meridian --# 7 [degrees] 30' E. long." -+# 7° 30' E. long." - # Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos - # was the local mean time. On 1st January, 1914, standard time for the whole of - # Nigeria was introduced ... Lagos time has been advanced about 16 minutes -@@ -1251,7 +1266,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 - # The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first - # reading of this Bill by the Legislative Council of the Colony of Nigeria on - # Thursday 1919-08-28: --# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915 -+# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261,3408,2994,1915 - # "The proposal is that the Globe should be divided into twelve zones East and - # West of Greenwich, of one hour each, Nigeria falling into the zone with a - # standard of one hour fast on Greenwich Mean Time. 
Nigeria standard time is -diff --git a/make/data/tzdata/antarctica b/make/data/tzdata/antarctica -index 792542b9224..3de5e726eb4 100644 ---- a/make/data/tzdata/antarctica -+++ b/make/data/tzdata/antarctica -@@ -315,7 +315,7 @@ Zone Antarctica/Rothera 0 - -00 1976 Dec 1 - # but that he found it more convenient to keep GMT+12 - # as supplies for the station were coming from McMurdo Sound, - # which was on GMT+12 because New Zealand was on GMT+12 all year --# at that time (1957). (Source: Siple's book 90 Degrees South.) -+# at that time (1957). (Source: Siple's book 90° South.) - # - # From Susan Smith - # http://www.cybertours.com/whs/pole10.html -diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia -index ff81978bc47..6a048c3ad28 100644 ---- a/make/data/tzdata/asia -+++ b/make/data/tzdata/asia -@@ -2714,6 +2714,40 @@ Zone Asia/Pyongyang 8:23:00 - LMT 1908 Apr 1 - - - # Lebanon -+# -+# From Saadallah Itani (2023-03-23): -+# Lebanon ... announced today delay of Spring forward from March 25 to April 20. -+# -+# From Paul Eggert (2023-03-27): -+# This announcement was by the Lebanese caretaker prime minister Najib Mikati. -+# https://www.mtv.com.lb/en/News/Local/1352516/lebanon-postpones-daylight-saving-time-adoption -+# A video was later leaked to the media of parliament speaker Nabih Berri -+# asking Mikati to postpone DST to aid observance of Ramadan, Mikati objecting -+# that this would cause problems such as scheduling airline flights, to which -+# Berri interjected, "What flights?" -+# -+# The change was controversial and led to a partly-sectarian divide. -+# Many Lebanese institutions, including the education ministry, the Maronite -+# church, and two news channels LCBI and MTV, ignored the announcement and -+# went ahead with the long-scheduled spring-forward on March 25/26, some -+# arguing that the prime minister had not followed the law because the change -+# had not been approved by the cabinet. Google went with the announcement; -+# Apple ignored it. 
At least one bank followed the announcement for its doors, -+# but ignored the announcement in internal computer systems. -+# Beirut international airport listed two times for each departure. -+# Dan Azzi wrote "My view is that this whole thing is a Dumb and Dumber movie." -+# Eventually the prime minister backed down, said the cabinet had decided to -+# stick with its 1998 decision, and that DST would begin midnight March 29/30. -+# https://www.nna-leb.gov.lb/en/miscellaneous/604093/lebanon-has-two-times-of-day-amid-daylight-savings -+# https://www.cnbc.com/2023/03/27/lebanon-in-two-different-time-zones-as-government-disagrees-on-daylight-savings.html -+# -+# Although we could model the chaos with two Zones, that would likely cause -+# more trouble than it would cure. Since so many manual clocks and -+# computer-based timestamps ignored the announcement, stick with official -+# cabinet resolutions in the data while recording the prime minister's -+# announcement as a comment. This is how we treated a similar situation in -+# Rio de Janeiro in spring 1993. -+# - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Lebanon 1920 only - Mar 28 0:00 1:00 S - Rule Lebanon 1920 only - Oct 25 0:00 0 - -@@ -2739,6 +2773,10 @@ Rule Lebanon 1992 only - Oct 4 0:00 0 - - Rule Lebanon 1993 max - Mar lastSun 0:00 1:00 S - Rule Lebanon 1993 1998 - Sep lastSun 0:00 0 - - Rule Lebanon 1999 max - Oct lastSun 0:00 0 - -+# This one-time rule, announced by the prime minister first for April 21 -+# then for March 30, is commented out for reasons described above. -+#Rule Lebanon 2023 only - Mar 30 0:00 1:00 S -+ - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Beirut 2:22:00 - LMT 1880 - 2:00 Lebanon EE%sT -@@ -2977,7 +3015,7 @@ Zone Asia/Kathmandu 5:41:16 - LMT 1920 - # 9pm and moving clocks forward by one hour for the next three months. ...." 
- # - # http://www.worldtimezone.com/dst_news/dst_news_pakistan01.html --# http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4 -+# http://www.dailytimes.com.pk/default.asp?page=2008\05\15\story_15-5-2008_pg1_4 - - # From Arthur David Olson (2008-05-19): - # XXX--midnight transitions is a guess; 2008 only is a guess. -@@ -3300,7 +3338,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # Some of many sources in Arabic: - # http://www.samanews.com/index.php?act=Show&id=122638 - # --# http://safa.ps/details/news/74352/%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-%D8%A8%D8%A7%D9%84%D8%B6%D9%81%D8%A9-%D9%88%D8%BA%D8%B2%D8%A9-%D9%84%D9%8A%D9%84%D8%A9-%D8%A7%D9%84%D8%AC%D9%85%D8%B9%D8%A9.html -+# http://safa.ps/details/news/74352/بدء-التوقيت-الصيفي-بالضفة-وغزة-ليلة-الجمعة.html - # - # Our brief summary: - # https://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html -@@ -3310,7 +3348,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # time from midnight on Friday, March 29, 2013" (translated). - # [These are in Arabic and are for Gaza and for Ramallah, respectively.] - # http://www.samanews.com/index.php?act=Show&id=154120 --# http://safa.ps/details/news/99844/%D8%B1%D8%A7%D9%85-%D8%A7%D9%84%D9%84%D9%87-%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-29-%D8%A7%D9%84%D8%AC%D8%A7%D8%B1%D9%8A.html -+# http://safa.ps/details/news/99844/رام-الله-بدء-التوقيت-الصيفي-29-الجاري.html - - # From Steffen Thorsen (2013-09-24): - # The Gaza and West Bank are ending DST Thursday at midnight -@@ -3408,9 +3446,41 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # (2022-08-31): ... the Saturday before the last Sunday in March and October - # at 2:00 AM ,for the years from 2023 to 2026. - # (2022-09-05): https://mtit.pna.ps/Site/New/1453 --# --# From Paul Eggert (2022-08-31): --# For now, assume that this rule will also be used after 2026. 
-+ -+# From Heba Hamad (2023-03-22): -+# ... summer time will begin in Palestine from Saturday 04-29-2023, -+# 02:00 AM by 60 minutes forward. -+# -+# From Paul Eggert (2023-03-22): -+# For now, guess that spring and fall transitions will normally -+# continue to use 2022's rules, that during DST Palestine will switch -+# to standard time at 02:00 the last Saturday before Ramadan and back -+# to DST at 02:00 the first Saturday after Ramadan, and that -+# if the normal spring-forward or fall-back transition occurs during -+# Ramadan the former is delayed and the latter advanced. -+# To implement this, I predicted Ramadan-oriented transition dates for -+# 2023 through 2086 by running the following program under GNU Emacs 28.2, -+# with the results integrated by hand into the table below. -+# Predictions after 2086 are approximated without Ramadan. -+# -+# (let ((islamic-year 1444)) -+# (require 'cal-islam) -+# (while (< islamic-year 1510) -+# (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) -+# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) -+# (saturday 6)) -+# (while (/= saturday (mod (setq a (1- a)) 7))) -+# (while (/= saturday (mod b 7)) -+# (setq b (1+ b))) -+# (setq a (calendar-gregorian-from-absolute a)) -+# (setq b (calendar-gregorian-from-absolute b)) -+# (insert -+# (format -+# (concat "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t0\t-\n" -+# "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t1:00\tS\n") -+# (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) -+# (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) -+# (setq islamic-year (+ 1 islamic-year)))) - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EgyptAsia 1957 only - May 10 0:00 1:00 S -@@ -3450,8 +3520,86 @@ Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S - Rule Palestine 2020 only - Oct 24 1:00 0 - - Rule Palestine 2021 only - Oct 29 1:00 0 - - Rule Palestine 2022 only - Mar 27 0:00 1:00 S --Rule Palestine 2022 max - Oct 
Sat<=30 2:00 0 - --Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S -+Rule Palestine 2022 2035 - Oct Sat<=30 2:00 0 - -+Rule Palestine 2023 only - Apr 29 2:00 1:00 S -+Rule Palestine 2024 only - Apr 13 2:00 1:00 S -+Rule Palestine 2025 only - Apr 5 2:00 1:00 S -+Rule Palestine 2026 2054 - Mar Sat<=30 2:00 1:00 S -+Rule Palestine 2036 only - Oct 18 2:00 0 - -+Rule Palestine 2037 only - Oct 10 2:00 0 - -+Rule Palestine 2038 only - Sep 25 2:00 0 - -+Rule Palestine 2039 only - Sep 17 2:00 0 - -+Rule Palestine 2039 only - Oct 22 2:00 1:00 S -+Rule Palestine 2039 2067 - Oct Sat<=30 2:00 0 - -+Rule Palestine 2040 only - Sep 1 2:00 0 - -+Rule Palestine 2040 only - Oct 13 2:00 1:00 S -+Rule Palestine 2041 only - Aug 24 2:00 0 - -+Rule Palestine 2041 only - Sep 28 2:00 1:00 S -+Rule Palestine 2042 only - Aug 16 2:00 0 - -+Rule Palestine 2042 only - Sep 20 2:00 1:00 S -+Rule Palestine 2043 only - Aug 1 2:00 0 - -+Rule Palestine 2043 only - Sep 12 2:00 1:00 S -+Rule Palestine 2044 only - Jul 23 2:00 0 - -+Rule Palestine 2044 only - Aug 27 2:00 1:00 S -+Rule Palestine 2045 only - Jul 15 2:00 0 - -+Rule Palestine 2045 only - Aug 19 2:00 1:00 S -+Rule Palestine 2046 only - Jun 30 2:00 0 - -+Rule Palestine 2046 only - Aug 11 2:00 1:00 S -+Rule Palestine 2047 only - Jun 22 2:00 0 - -+Rule Palestine 2047 only - Jul 27 2:00 1:00 S -+Rule Palestine 2048 only - Jun 6 2:00 0 - -+Rule Palestine 2048 only - Jul 18 2:00 1:00 S -+Rule Palestine 2049 only - May 29 2:00 0 - -+Rule Palestine 2049 only - Jul 3 2:00 1:00 S -+Rule Palestine 2050 only - May 21 2:00 0 - -+Rule Palestine 2050 only - Jun 25 2:00 1:00 S -+Rule Palestine 2051 only - May 6 2:00 0 - -+Rule Palestine 2051 only - Jun 17 2:00 1:00 S -+Rule Palestine 2052 only - Apr 27 2:00 0 - -+Rule Palestine 2052 only - Jun 1 2:00 1:00 S -+Rule Palestine 2053 only - Apr 12 2:00 0 - -+Rule Palestine 2053 only - May 24 2:00 1:00 S -+Rule Palestine 2054 only - Apr 4 2:00 0 - -+Rule Palestine 2054 only - May 16 2:00 1:00 S -+Rule Palestine 
2055 only - May 1 2:00 1:00 S -+Rule Palestine 2056 only - Apr 22 2:00 1:00 S -+Rule Palestine 2057 only - Apr 7 2:00 1:00 S -+Rule Palestine 2058 max - Mar Sat<=30 2:00 1:00 S -+Rule Palestine 2068 only - Oct 20 2:00 0 - -+Rule Palestine 2069 only - Oct 12 2:00 0 - -+Rule Palestine 2070 only - Oct 4 2:00 0 - -+Rule Palestine 2071 only - Sep 19 2:00 0 - -+Rule Palestine 2072 only - Sep 10 2:00 0 - -+Rule Palestine 2072 only - Oct 15 2:00 1:00 S -+Rule Palestine 2073 only - Sep 2 2:00 0 - -+Rule Palestine 2073 only - Oct 7 2:00 1:00 S -+Rule Palestine 2074 only - Aug 18 2:00 0 - -+Rule Palestine 2074 only - Sep 29 2:00 1:00 S -+Rule Palestine 2075 only - Aug 10 2:00 0 - -+Rule Palestine 2075 only - Sep 14 2:00 1:00 S -+Rule Palestine 2075 max - Oct Sat<=30 2:00 0 - -+Rule Palestine 2076 only - Jul 25 2:00 0 - -+Rule Palestine 2076 only - Sep 5 2:00 1:00 S -+Rule Palestine 2077 only - Jul 17 2:00 0 - -+Rule Palestine 2077 only - Aug 28 2:00 1:00 S -+Rule Palestine 2078 only - Jul 9 2:00 0 - -+Rule Palestine 2078 only - Aug 13 2:00 1:00 S -+Rule Palestine 2079 only - Jun 24 2:00 0 - -+Rule Palestine 2079 only - Aug 5 2:00 1:00 S -+Rule Palestine 2080 only - Jun 15 2:00 0 - -+Rule Palestine 2080 only - Jul 20 2:00 1:00 S -+Rule Palestine 2081 only - Jun 7 2:00 0 - -+Rule Palestine 2081 only - Jul 12 2:00 1:00 S -+Rule Palestine 2082 only - May 23 2:00 0 - -+Rule Palestine 2082 only - Jul 4 2:00 1:00 S -+Rule Palestine 2083 only - May 15 2:00 0 - -+Rule Palestine 2083 only - Jun 19 2:00 1:00 S -+Rule Palestine 2084 only - Apr 29 2:00 0 - -+Rule Palestine 2084 only - Jun 10 2:00 1:00 S -+Rule Palestine 2085 only - Apr 21 2:00 0 - -+Rule Palestine 2085 only - Jun 2 2:00 1:00 S -+Rule Palestine 2086 only - Apr 13 2:00 0 - -+Rule Palestine 2086 only - May 18 2:00 1:00 S - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Gaza 2:17:52 - LMT 1900 Oct -@@ -3655,7 +3803,7 @@ Zone Asia/Singapore 6:55:25 - LMT 1901 Jan 1 - # standard time is SLST. 
- # - # From Paul Eggert (2016-10-18): --# "SLST" seems to be reasonably recent and rarely-used outside time -+# "SLST" seems to be reasonably recent and rarely used outside time - # zone nerd sources. I searched Google News and found three uses of - # it in the International Business Times of India in February and - # March of this year when discussing cricket match times, but nothing -diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia -index fbe3b8a6d72..893d7055eab 100644 ---- a/make/data/tzdata/australasia -+++ b/make/data/tzdata/australasia -@@ -346,7 +346,7 @@ Zone Antarctica/Macquarie 0 - -00 1899 Nov - - # From Steffen Thorsen (2013-01-10): - # Fiji will end DST on 2014-01-19 02:00: --# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-%281%29.aspx -+# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-(1).aspx - - # From Ken Rylander (2014-10-20): - # DST will start Nov. 2 this year. -@@ -746,7 +746,7 @@ Zone Pacific/Pago_Pago 12:37:12 - LMT 1892 Jul 5 - # - # Samoa's Daylight Saving Time Act 2009 is available here, but does not - # contain any dates: --# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20%28English%29%20-%20Final%207-7-091.pdf -+# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20(English)%20-%20Final%207-7-091.pdf - - # From Laupue Raymond Hughes (2010-10-07): - # Please see -@@ -1831,7 +1831,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila - # period. It would probably be reasonable to assume Guam use GMT+9 during - # that period of time like the surrounding area. - --# From Paul Eggert (2018-11-18): -+# From Paul Eggert (2023-01-23): - # Howse writes (p 153) "The Spaniards, on the other hand, reached the - # Philippines and the Ladrones from America," and implies that the Ladrones - # (now called the Marianas) kept American date for quite some time. 
-@@ -1844,7 +1844,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila - # they did as that avoids the need for a separate zone due to our 1970 cutoff. - # - # US Public Law 106-564 (2000-12-23) made UT +10 the official standard time, --# under the name "Chamorro Standard Time". There is no official abbreviation, -+# under the name "Chamorro standard time". There is no official abbreviation, - # but Congressman Robert A. Underwood, author of the bill that became law, - # wrote in a press release (2000-12-27) that he will seek the use of "ChST". - -@@ -2222,24 +2222,18 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila - # an international standard, there are some places on the high seas where the - # correct date is ambiguous. - --# From Wikipedia (2005-08-31): --# Before 1920, all ships kept local apparent time on the high seas by setting --# their clocks at night or at the morning sight so that, given the ship's --# speed and direction, it would be 12 o'clock when the Sun crossed the ship's --# meridian (12 o'clock = local apparent noon). During 1917, at the --# Anglo-French Conference on Time-keeping at Sea, it was recommended that all --# ships, both military and civilian, should adopt hourly standard time zones --# on the high seas. Whenever a ship was within the territorial waters of any --# nation it would use that nation's standard time. The captain was permitted --# to change his ship's clocks at a time of his choice following his ship's --# entry into another zone time - he often chose midnight. These zones were --# adopted by all major fleets between 1920 and 1925 but not by many --# independent merchant ships until World War II. 
--
--# From Paul Eggert, using references suggested by Oscar van Vlijmen
--# (2005-03-20):
--#
--# The American Practical Navigator (2002)
--# http://pollux.nss.nima.mil/pubs/pubs_j_apn_sections.html?rid=187
--# talks only about the 180-degree meridian with respect to ships in
--# international waters; it ignores the international date line.
-+# From Wikipedia (2023-01-23):
-+# The nautical time zone system is analogous to the terrestrial time zone
-+# system for use on high seas. Under the system time changes are required for
-+# changes of longitude in one-hour steps. The one-hour step corresponds to a
-+# time zone width of 15° longitude. The 15° gore that is offset from GMT or
-+# UT1 (not UTC) by twelve hours is bisected by the nautical date line into two
-+# 7°30' gores that differ from GMT by ±12 hours. A nautical date line is
-+# implied but not explicitly drawn on time zone maps. It follows the 180th
-+# meridian except where it is interrupted by territorial waters adjacent to
-+# land, forming gaps: it is a pole-to-pole dashed line.
-+
-+# From Paul Eggert (2023-01-23):
-+# The American Practical Navigator ,
-+# 2019 edition, merely says that the International Date Line
-+# "coincides with the 180th meridian over most of its length."
-diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward -index fa44f655009..c0746d6dd1b 100644 ---- a/make/data/tzdata/backward -+++ b/make/data/tzdata/backward -@@ -297,6 +297,7 @@ Link America/Argentina/Cordoba America/Rosario - Link America/Tijuana America/Santa_Isabel - Link America/Denver America/Shiprock - Link America/Toronto America/Thunder_Bay -+Link America/Edmonton America/Yellowknife - Link Pacific/Auckland Antarctica/South_Pole - Link Asia/Shanghai Asia/Chongqing - Link Asia/Shanghai Asia/Harbin -diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe -index acc5da3ec79..446d2e1e658 100644 ---- a/make/data/tzdata/europe -+++ b/make/data/tzdata/europe -@@ -540,9 +540,7 @@ Zone Europe/London -0:01:15 - LMT 1847 Dec 1 - # other form with a traditional approximation for Irish timestamps - # after 1971-10-31 02:00 UTC; although this approximation has tm_isdst - # flags that are reversed, its UTC offsets are correct and this often --# suffices. This source file currently uses only nonnegative SAVE --# values, but this is intended to change and downstream code should --# not rely on it. -+# suffices.... - # - # The following is like GB-Eire and EU, except with standard time in - # summer and negative daylight saving time in winter. It is for when -@@ -1136,19 +1134,18 @@ Zone Atlantic/Faroe -0:27:04 - LMT 1908 Jan 11 # Tórshavn - # - # From Jürgen Appel (2022-11-25): - # https://ina.gl/samlinger/oversigt-over-samlinger/samling/dagsordener/dagsorden.aspx?lang=da&day=24-11-2022 --# If I understand this correctly, from the next planned switch to --# summer time, Greenland will permanently stay at that time, i.e. no --# switch back to winter time in 2023 will occur. 
--# --# From Paul Eggert (2022-11-28): --# The official document in Danish --# https://naalakkersuisut.gl/-/media/naalakkersuisut/filer/kundgoerelser/2022/11/2511/31_da_inatsisartutlov-om-tidens-bestemmelse.pdf?la=da&hash=A33597D8A38CC7038465241119EF34F3 --# says standard time for Greenland is -02, that Naalakkersuisut can lay down --# rules for DST and can require some areas to use a different time zone, --# and that this all takes effect 2023-03-25 22:00. The abovementioned --# "bekymringer" URL says the intent is no transition March 25, that --# Greenland will not go back to winter time in fall 2023, and that --# only America/Nuuk is affected (though further changes may occur). -+# -+# From Thomas M. Steenholdt (2022-12-02): -+# - The bill to move America/Nuuk from UTC-03 to UTC-02 passed. -+# - The bill to stop observing DST did not (Greenland will stop observing DST -+# when EU does). -+# Details on the implementation are here (section 6): -+# https://ina.gl/dvd/EM%202022/pdf/media/2553529/pkt17_em2022_tidens_bestemmelse_bem_da.pdf -+# This is how the change will be implemented: -+# 1. The shift *to* DST in 2023 happens as normal. -+# 2. The shift *from* DST in 2023 happens as normal, but coincides with the -+# shift to UTC-02 normaltime (people will not change their clocks here). -+# 3. After this, DST is still observed, but as -02/-01 instead of -03/-02. 
- - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D -@@ -1172,8 +1169,8 @@ Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit - -1:00 EU -01/+00 - Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb - -3:00 - -03 1980 Apr 6 2:00 -- -3:00 EU -03/-02 2023 Mar 25 22:00 -- -2:00 - -02 -+ -3:00 EU -03/-02 2023 Oct 29 1:00u -+ -2:00 EU -02/-01 - Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik - -4:00 Thule A%sT - -@@ -1509,9 +1506,9 @@ Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16 - Rule Germany 1946 only - Apr 14 2:00s 1:00 S - Rule Germany 1946 only - Oct 7 2:00s 0 - - Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 - --# http://www.ptb.de/de/org/4/44/441/salt.htm says the following transition --# occurred at 3:00 MEZ, not the 2:00 MEZ given in Shanks & Pottenger. --# Go with the PTB. -+# https://www.ptb.de/cms/en/ptb/fachabteilungen/abt4/fb-44/ag-441/realisation-of-legal-time-in-germany/dst-and-midsummer-dst-in-germany-until-1979.html -+# says the following transition occurred at 3:00 MEZ, not the 2:00 MEZ -+# given in Shanks & Pottenger. Go with the PTB. - Rule Germany 1947 only - Apr 6 3:00s 1:00 S - Rule Germany 1947 only - May 11 2:00s 2:00 M - Rule Germany 1947 only - Jun 29 3:00 1:00 S -@@ -2272,7 +2269,7 @@ Zone Europe/Bucharest 1:44:24 - LMT 1891 Oct - # the State Duma has approved ... the draft bill on returning to - # winter time standard and return Russia 11 time zones. The new - # regulations will come into effect on October 26, 2014 at 02:00 ... 
--# http://asozd2.duma.gov.ru/main.nsf/%28Spravka%29?OpenAgent&RN=431985-6&02 -+# http://asozd2.duma.gov.ru/main.nsf/(Spravka)?OpenAgent&RN=431985-6&02 - # Here is a link where we put together table (based on approved Bill N - # 431985-6) with proposed 11 Russian time zones and corresponding - # areas/cities/administrative centers in the Russian Federation (in English): -@@ -2682,13 +2679,13 @@ Zone Europe/Volgograd 2:57:40 - LMT 1920 Jan 3 - 3:00 - +03 1930 Jun 21 - 4:00 - +04 1961 Nov 11 - 4:00 Russia +04/+05 1988 Mar 27 2:00s -- 3:00 Russia +03/+04 1991 Mar 31 2:00s -+ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s - 4:00 - +04 1992 Mar 29 2:00s -- 3:00 Russia +03/+04 2011 Mar 27 2:00s -- 4:00 - +04 2014 Oct 26 2:00s -- 3:00 - +03 2018 Oct 28 2:00s -+ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s -+ 4:00 - MSK 2014 Oct 26 2:00s -+ 3:00 - MSK 2018 Oct 28 2:00s - 4:00 - +04 2020 Dec 27 2:00s -- 3:00 - +03 -+ 3:00 - MSK - - # From Paul Eggert (2016-11-11): - # Europe/Saratov covers: -@@ -2719,11 +2716,11 @@ Zone Europe/Saratov 3:04:18 - LMT 1919 Jul 1 0:00u - Zone Europe/Kirov 3:18:48 - LMT 1919 Jul 1 0:00u - 3:00 - +03 1930 Jun 21 - 4:00 Russia +04/+05 1989 Mar 26 2:00s -- 3:00 Russia +03/+04 1991 Mar 31 2:00s -+ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s - 4:00 - +04 1992 Mar 29 2:00s -- 3:00 Russia +03/+04 2011 Mar 27 2:00s -- 4:00 - +04 2014 Oct 26 2:00s -- 3:00 - +03 -+ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s -+ 4:00 - MSK 2014 Oct 26 2:00s -+ 3:00 - MSK - - # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25): - # Europe/Samara covers... -diff --git a/make/data/tzdata/iso3166.tab b/make/data/tzdata/iso3166.tab -index fbfb74bec45..cea17732dd1 100644 ---- a/make/data/tzdata/iso3166.tab -+++ b/make/data/tzdata/iso3166.tab -@@ -261,7 +261,7 @@ SY Syria - SZ Eswatini (Swaziland) - TC Turks & Caicos Is - TD Chad --TF French Southern Territories -+TF French S. Terr. 
- TG Togo - TH Thailand - TJ Tajikistan -diff --git a/make/data/tzdata/leapseconds b/make/data/tzdata/leapseconds -index d6fb840f512..89ce8b89cd2 100644 ---- a/make/data/tzdata/leapseconds -+++ b/make/data/tzdata/leapseconds -@@ -95,11 +95,11 @@ Leap 2016 Dec 31 23:59:60 + S - # Any additional leap seconds will come after this. - # This Expires line is commented out for now, - # so that pre-2020a zic implementations do not reject this file. --#Expires 2023 Jun 28 00:00:00 -+#Expires 2023 Dec 28 00:00:00 - - # POSIX timestamps for the data in this file: - #updated 1467936000 (2016-07-08 00:00:00 UTC) --#expires 1687910400 (2023-06-28 00:00:00 UTC) -+#expires 1703721600 (2023-12-28 00:00:00 UTC) - --# Updated through IERS Bulletin C64 --# File expires on: 28 June 2023 -+# Updated through IERS Bulletin C65 -+# File expires on: 28 December 2023 -diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica -index a5fd701f88c..e240cf35103 100644 ---- a/make/data/tzdata/northamerica -+++ b/make/data/tzdata/northamerica -@@ -1,4 +1,3 @@ --# - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - # - # This code is free software; you can redistribute it and/or modify it -@@ -299,9 +298,10 @@ Zone PST8PDT -8:00 US P%sT - # -10 Standard Alaska Time (AST) Alaska-Hawaii standard time (AHST) - # -11 (unofficial) Nome (NST) Bering standard time (BST) - # --# From Paul Eggert (2000-01-08), following a heads-up from Rives McDow: --# Public law 106-564 (2000-12-23) introduced ... "Chamorro Standard Time" -+# From Paul Eggert (2023-01-23), from a 2001-01-08 heads-up from Rives McDow: -+# Public law 106-564 (2000-12-23) introduced "Chamorro standard time" - # for time in Guam and the Northern Marianas. See the file "australasia". -+# Also see 15 U.S.C. §263 . 
- # - # From Paul Eggert (2015-04-17): - # HST and HDT are standardized abbreviations for Hawaii-Aleutian -@@ -618,7 +618,7 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u - # local times of other Alaskan locations so that they change simultaneously. - - # From Paul Eggert (2014-07-18): --# One opinion of the early-1980s turmoil in Alaska over time zones and -+# One opinion of the early 1980s turmoil in Alaska over time zones and - # daylight saving time appeared as graffiti on a Juneau airport wall: - # "Welcome to Juneau. Please turn your watch back to the 19th century." - # See: Turner W. Alaska's four time zones now two. NY Times 1983-11-01. -@@ -690,6 +690,10 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u - # So they won't be waiting for Alaska to join them on 2019-03-10, but will - # rather change their clocks twice in seven weeks. - -+# From Paul Eggert (2023-01-23): -+# America/Adak is for the Aleutian Islands that are part of Alaska -+# and are west of 169.5° W. -+ - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone America/Juneau 15:02:19 - LMT 1867 Oct 19 15:33:32 - -8:57:41 - LMT 1900 Aug 20 12:00 -@@ -2148,10 +2152,6 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 - # Nunavut ... moved ... to incorporate the whole territory into one time zone. - # Nunavut moves to single time zone Oct. 31 - # http://www.nunatsiaq.com/nunavut/nvt90903_13.html --# --# From Antoine Leca (1999-09-06): --# We then need to create a new timezone for the Kitikmeot region of Nunavut --# to differentiate it from the Yellowknife region. - - # From Paul Eggert (1999-09-20): - # Basic Facts: The New Territory -@@ -2345,9 +2345,6 @@ Zone America/Cambridge_Bay 0 - -00 1920 # trading post est.? - -5:00 - EST 2000 Nov 5 0:00 - -6:00 - CST 2001 Apr 1 3:00 - -7:00 Canada M%sT --Zone America/Yellowknife 0 - -00 1935 # Yellowknife founded? 
-- -7:00 NT_YK M%sT 1980 -- -7:00 Canada M%sT - Zone America/Inuvik 0 - -00 1953 # Inuvik founded - -8:00 NT_YK P%sT 1979 Apr lastSun 2:00 - -7:00 NT_YK M%sT 1980 -@@ -2584,7 +2581,7 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - # and in addition changes all of Chihuahua to -06 with no DST. - - # From Heitor David Pinto (2022-11-28): --# Now the northern municipalities want to have the same time zone as the -+# Now the northern [municipios] want to have the same time zone as the - # respective neighboring cities in the US, for example Juárez in UTC-7 with - # DST, matching El Paso, and Ojinaga in UTC-6 with DST, matching Presidio.... - # the president authorized the publication of the decree for November 29, -@@ -2621,7 +2618,7 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u - -5:00 - EST 1982 Dec 2 - -6:00 Mexico C%sT - # Coahuila, Nuevo León, Tamaulipas (near US border) --# This includes the following municipalities: -+# This includes the following municipios: - # in Coahuila: Acuña, Allende, Guerrero, Hidalgo, Jiménez, Morelos, Nava, - # Ocampo, Piedras Negras, Villa Unión, Zaragoza - # in Nuevo León: Anáhuac -@@ -2647,8 +2644,8 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u - -6:00 - CST 2002 Feb 20 - -6:00 Mexico C%sT - # Chihuahua (near US border - western side) --# This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, --# and Práxedis G Guerrero. -+# This includes the municipios of Janos, Ascensión, Juárez, Guadalupe, and -+# Práxedis G Guerrero. - # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf - Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 -@@ -2662,7 +2659,8 @@ Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u - -6:00 - CST 2022 Nov 30 0:00 - -7:00 US M%sT - # Chihuahua (near US border - eastern side) --# The municipalities of Coyame del Sotol, Ojinaga, and Manuel Benavides. 
-+# This includes the municipios of Coyame del Sotol, Ojinaga, and Manuel -+# Benavides. - # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf - Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 -@@ -3083,7 +3081,7 @@ Zone America/Costa_Rica -5:36:13 - LMT 1890 # San José - # - # He supplied these references: - # --# http://www.prensalatina.com.mx/article.asp?ID=%7B4CC32C1B-A9F7-42FB-8A07-8631AFC923AF%7D&language=ES -+# http://www.prensalatina.com.mx/article.asp?ID={4CC32C1B-A9F7-42FB-8A07-8631AFC923AF}&language=ES - # http://actualidad.terra.es/sociedad/articulo/cuba_llama_ahorrar_energia_cambio_1957044.htm - # - # From Alex Krivenyshev (2007-10-25): -diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica -index 81fdd793df4..4024e7180cd 100644 ---- a/make/data/tzdata/southamerica -+++ b/make/data/tzdata/southamerica -@@ -231,7 +231,7 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 - - # Hora de verano para la República Argentina - # http://buenasiembra.com.ar/esoterismo/astrologia/hora-de-verano-de-la-republica-argentina-27.html - # says that standard time in Argentina from 1894-10-31 --# to 1920-05-01 was -4:16:48.25. Go with this more-precise value -+# to 1920-05-01 was -4:16:48.25. Go with this more precise value - # over Shanks & Pottenger. It is upward compatible with Milne, who - # says Córdoba time was -4:16:48.2. 
- -diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab -index 939432d3456..3edb0d61c80 100644 ---- a/make/data/tzdata/zone.tab -+++ b/make/data/tzdata/zone.tab -@@ -144,9 +144,8 @@ CA +744144-0944945 America/Resolute Central - NU (Resolute) - CA +624900-0920459 America/Rankin_Inlet Central - NU (central) - CA +5024-10439 America/Regina CST - SK (most areas) - CA +5017-10750 America/Swift_Current CST - SK (midwest) --CA +5333-11328 America/Edmonton Mountain - AB; BC (E); SK (W) -+CA +5333-11328 America/Edmonton Mountain - AB; BC (E); NT (E); SK (W) - CA +690650-1050310 America/Cambridge_Bay Mountain - NU (west) --CA +6227-11421 America/Yellowknife Mountain - NT (central) - CA +682059-1334300 America/Inuvik Mountain - NT (west) - CA +4906-11631 America/Creston MST - BC (Creston) - CA +5546-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) -@@ -162,7 +161,7 @@ CG -0416+01517 Africa/Brazzaville - CH +4723+00832 Europe/Zurich - CI +0519-00402 Africa/Abidjan - CK -2114-15946 Pacific/Rarotonga --CL -3327-07040 America/Santiago Chile (most areas) -+CL -3327-07040 America/Santiago most of Chile - CL -5309-07055 America/Punta_Arenas Region of Magallanes - CL -2709-10926 Pacific/Easter Easter Island - CM +0403+00942 Africa/Douala -@@ -174,10 +173,10 @@ CU +2308-08222 America/Havana - CV +1455-02331 Atlantic/Cape_Verde - CW +1211-06900 America/Curacao - CX -1025+10543 Indian/Christmas --CY +3510+03322 Asia/Nicosia Cyprus (most areas) -+CY +3510+03322 Asia/Nicosia most of Cyprus - CY +3507+03357 Asia/Famagusta Northern Cyprus - CZ +5005+01426 Europe/Prague --DE +5230+01322 Europe/Berlin Germany (most areas) -+DE +5230+01322 Europe/Berlin most of Germany - DE +4742+00841 Europe/Busingen Busingen - DJ +1136+04309 Africa/Djibouti - DK +5540+01235 Europe/Copenhagen -@@ -210,7 +209,7 @@ GF +0456-05220 America/Cayenne - GG +492717-0023210 Europe/Guernsey - GH +0533-00013 Africa/Accra - GI +3608-00521 Europe/Gibraltar --GL +6411-05144 America/Nuuk Greenland 
(most areas) -+GL +6411-05144 America/Nuuk most of Greenland - GL +7646-01840 America/Danmarkshavn National Park (east coast) - GL +7029-02158 America/Scoresbysund Scoresbysund/Ittoqqortoormiit - GL +7634-06847 America/Thule Thule/Pituffik -@@ -258,7 +257,7 @@ KP +3901+12545 Asia/Pyongyang - KR +3733+12658 Asia/Seoul - KW +2920+04759 Asia/Kuwait - KY +1918-08123 America/Cayman --KZ +4315+07657 Asia/Almaty Kazakhstan (most areas) -+KZ +4315+07657 Asia/Almaty most of Kazakhstan - KZ +4448+06528 Asia/Qyzylorda Qyzylorda/Kyzylorda/Kzyl-Orda - KZ +5312+06337 Asia/Qostanay Qostanay/Kostanay/Kustanay - KZ +5017+05710 Asia/Aqtobe Aqtobe/Aktobe -@@ -282,12 +281,12 @@ MD +4700+02850 Europe/Chisinau - ME +4226+01916 Europe/Podgorica - MF +1804-06305 America/Marigot - MG -1855+04731 Indian/Antananarivo --MH +0709+17112 Pacific/Majuro Marshall Islands (most areas) -+MH +0709+17112 Pacific/Majuro most of Marshall Islands - MH +0905+16720 Pacific/Kwajalein Kwajalein - MK +4159+02126 Europe/Skopje - ML +1239-00800 Africa/Bamako - MM +1647+09610 Asia/Yangon --MN +4755+10653 Asia/Ulaanbaatar Mongolia (most areas) -+MN +4755+10653 Asia/Ulaanbaatar most of Mongolia - MN +4801+09139 Asia/Hovd Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan - MN +4804+11430 Asia/Choibalsan Dornod, Sukhbaatar - MO +221150+1133230 Asia/Macau -@@ -325,7 +324,7 @@ NO +5955+01045 Europe/Oslo - NP +2743+08519 Asia/Kathmandu - NR -0031+16655 Pacific/Nauru - NU -1901-16955 Pacific/Niue --NZ -3652+17446 Pacific/Auckland New Zealand (most areas) -+NZ -3652+17446 Pacific/Auckland most of New Zealand - NZ -4357-17633 Pacific/Chatham Chatham Islands - OM +2336+05835 Asia/Muscat - PA +0858-07932 America/Panama -@@ -333,7 +332,7 @@ PE -1203-07703 America/Lima - PF -1732-14934 Pacific/Tahiti Society Islands - PF -0900-13930 Pacific/Marquesas Marquesas Islands - PF -2308-13457 Pacific/Gambier Gambier Islands --PG -0930+14710 Pacific/Port_Moresby Papua New Guinea (most areas) -+PG -0930+14710 Pacific/Port_Moresby most of 
Papua New Guinea - PG -0613+15534 Pacific/Bougainville Bougainville - PH +1435+12100 Asia/Manila - PK +2452+06703 Asia/Karachi -@@ -379,7 +378,7 @@ RU +4310+13156 Asia/Vladivostok MSK+07 - Amur River - RU +643337+1431336 Asia/Ust-Nera MSK+07 - Oymyakonsky - RU +5934+15048 Asia/Magadan MSK+08 - Magadan - RU +4658+14242 Asia/Sakhalin MSK+08 - Sakhalin Island --RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); North Kuril Is -+RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); N Kuril Is - RU +5301+15839 Asia/Kamchatka MSK+09 - Kamchatka - RU +6445+17729 Asia/Anadyr MSK+09 - Bering Sea - RW -0157+03004 Africa/Kigali -@@ -420,7 +419,7 @@ TT +1039-06131 America/Port_of_Spain - TV -0831+17913 Pacific/Funafuti - TW +2503+12130 Asia/Taipei - TZ -0648+03917 Africa/Dar_es_Salaam --UA +5026+03031 Europe/Kyiv Ukraine (most areas) -+UA +5026+03031 Europe/Kyiv most of Ukraine - UG +0019+03225 Africa/Kampala - UM +2813-17722 Pacific/Midway Midway Islands - UM +1917+16637 Pacific/Wake Wake Island -@@ -443,7 +442,7 @@ US +465042-1012439 America/North_Dakota/New_Salem Central - ND (Morton rural) - US +471551-1014640 America/North_Dakota/Beulah Central - ND (Mercer) - US +394421-1045903 America/Denver Mountain (most areas) - US +433649-1161209 America/Boise Mountain - ID (south); OR (east) --US +332654-1120424 America/Phoenix MST - Arizona (except Navajo) -+US +332654-1120424 America/Phoenix MST - AZ (except Navajo) - US +340308-1181434 America/Los_Angeles Pacific - US +611305-1495401 America/Anchorage Alaska (most areas) - US +581807-1342511 America/Juneau Alaska - Juneau area -@@ -451,7 +450,7 @@ US +571035-1351807 America/Sitka Alaska - Sitka area - US +550737-1313435 America/Metlakatla Alaska - Annette Island - US +593249-1394338 America/Yakutat Alaska - Yakutat - US +643004-1652423 America/Nome Alaska (west) --US +515248-1763929 America/Adak Aleutian Islands -+US +515248-1763929 America/Adak Alaska - western Aleutians - US +211825-1575130 Pacific/Honolulu Hawaii - UY 
-345433-0561245 America/Montevideo - UZ +3940+06648 Asia/Samarkand Uzbekistan (west) -diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -index ef278203182..3762eb820bb 100644 ---- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -@@ -608,6 +608,17 @@ public final class ZoneInfoFile { - params[8] = endRule.secondOfDay * 1000; - params[9] = toSTZTime[endRule.timeDefinition]; - dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; -+ -+ // Note: known mismatching -> Africa/Cairo -+ // ZoneInfo : startDayOfWeek=5 <= Thursday -+ // startTime=86400000 <= 24:00 -+ // This: startDayOfWeek=6 <= Friday -+ // startTime=0 <= 0:00 -+ if (zoneId.equals("Africa/Cairo") && -+ params[7] == Calendar.FRIDAY && params[8] == 0) { -+ params[7] = Calendar.THURSDAY; -+ params[8] = SECONDS_PER_DAY * 1000; -+ } - } else if (nTrans > 0) { // only do this if there is something in table already - if (lastyear < LASTYEAR) { - // ZoneInfo has an ending entry for 2037 -diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -index bf7918659ae..2763ac30ca7 100644 ---- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
- * - * This code is free software; you can redistribute it and/or modify it -@@ -845,9 +845,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -- {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00", -- "Kirov Daylight Time", "GMT+03:00", -- "Kirov Time", "GMT+03:00"}}, -+ {"Europe/Kirov", MSK}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -index 0f66ee12c94..c5483b48512 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022g -+tzdata2023c -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -index d495743b268..07c5edbafee 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -@@ -211,6 +211,7 @@ Link America/Argentina/Cordoba America/Rosario - Link America/Tijuana America/Santa_Isabel - Link America/Denver America/Shiprock - Link America/Toronto America/Thunder_Bay -+Link America/Edmonton America/Yellowknife - Link Pacific/Auckland Antarctica/South_Pole - Link Asia/Shanghai Asia/Chongqing - Link Asia/Shanghai Asia/Harbin -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -index 44db4dbdb81..03f5305e65e 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -92,7 +92,6 @@ America/Vancouver PST PDT - America/Whitehorse MST - America/Winnipeg CST CDT - America/Yakutat AKST AKDT --America/Yellowknife MST MDT - Antarctica/Macquarie AEST AEDT - Asia/Beirut EET EEST - Asia/Famagusta EET EEST -@@ -144,6 +143,7 @@ 
Europe/Dublin IST/GMT IST/GMT - Europe/Gibraltar CET CEST - Europe/Helsinki EET EEST - Europe/Kaliningrad EET -+Europe/Kirov MSK - Europe/Kyiv EET EEST - Europe/Lisbon WET WEST - Europe/London GMT/BST GMT/BST -@@ -160,6 +160,7 @@ Europe/Tallinn EET EEST - Europe/Tirane CET CEST - Europe/Vienna CET CEST - Europe/Vilnius EET EEST -+Europe/Volgograd MSK - Europe/Warsaw CET CEST - Europe/Zurich CET CEST - HST HST -diff --git a/test/jdk/java/util/TimeZone/TimeZoneTest.java b/test/jdk/java/util/TimeZone/TimeZoneTest.java -index d31d1722b7b..8e5d403f87b 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneTest.java -+++ b/test/jdk/java/util/TimeZone/TimeZoneTest.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -25,7 +25,7 @@ - * @test - * @bug 4028006 4044013 4096694 4107276 4107570 4112869 4130885 7039469 7126465 7158483 - * 8008577 8077685 8098547 8133321 8138716 8148446 8151876 8159684 8166875 8181157 -- * 8228469 8274407 -+ * 8228469 8274407 8305113 - * @modules java.base/sun.util.resources - * @library /java/text/testlib - * @summary test TimeZone -@@ -121,7 +121,7 @@ public class TimeZoneTest extends IntlTest - new ZoneDescriptor("GMT", 0, false), - new ZoneDescriptor("UTC", 0, false), - new ZoneDescriptor("ECT", 60, true), -- new ZoneDescriptor("ART", 120, false), -+ new ZoneDescriptor("ART", 120, true), - new ZoneDescriptor("EET", 120, true), - new ZoneDescriptor("EAT", 180, false), - new ZoneDescriptor("MET", 60, true), diff --git a/SOURCES/nss.cfg.in b/SOURCES/nss.cfg.in deleted file mode 100644 index 377a39c..0000000 --- a/SOURCES/nss.cfg.in +++ /dev/null 
@@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation
diff --git a/SOURCES/openjdk-devkit.specfile b/SOURCES/openjdk-devkit.specfile
new file mode 100644
index 0000000..ffb09c1
--- /dev/null
+++ b/SOURCES/openjdk-devkit.specfile
@@ -0,0 +1,230 @@
+# Spec file for building a devkit for OpenJDK builds
+
+# We do not want debug packages
+%global debug_package %{nil}
+# Arch definitions from java-*-openjdk RPM
+%global aarch64 aarch64 arm64 armv8
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
+# New Version-String scheme-style defines
+%global featurever 21
+%global interimver 0
+%global updatever 5
+%global patchver 0
+%global buildver 11
+# Define JDK versions
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip %{nil}
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# Date devkit RPMs were download
+%global rpm_download_date 20250117
+
+Name: openjdk-devkit
+Version: 1.0
+Release: 9%{?dist}
+License: GPLv2
+URL: http://openjdk.java.net/
+Summary: OpenJDK Devkit
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz
+# The buildroot RPMs for each architecture
+Source1: devkit-rpms-aarch64-%{rpm_download_date}.tar.xz
+Source2: devkit-rpms-ppc64le-%{rpm_download_date}.tar.xz
+Source3: devkit-rpms-s390x-%{rpm_download_date}.tar.xz
+Source4: devkit-rpms-x86_64-%{rpm_download_date}.tar.xz
+# Toolchain sources
+Source5: binutils-2.39.tar.gz
+Source6: gcc-11.3.0.tar.xz
+Source7: gmp-6.2.1.tar.bz2
+Source8: mpc-1.2.1.tar.gz
+Source9: mpfr-4.1.1.tar.bz2
+Source10: gdb-11.2.tar.xz
+
+# Devkit patches; see https://github.com/rh-openjdk/jdk/tree/devkit
+# To regenerate, use git format-patch -N jdk21u/master
+# Add RHEL RPM URLs and turn off robots
+Patch0: 0001-Allow-devkit-to-work-with-RHEL.patch
+# Turn off multilib on x86_64
+Patch1: 0002-Disable-multilib-on-x86_64.patch
+# Improve build logging (OPENJDK-3071)
+Patch2: 0003-Log-devkit-build-to-stdout.patch
+# Remove .comment sections from sysroot objects
+Patch3: 0004-devkit-Remove-.comment-sections-from-sysroot-objects.patch
+# Configure binutils with --enable-deterministic-archives
+Patch4: 0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch
+# Configure gcc with --enable-linker-build-id (OPENJDK-3068)
+Patch5: 0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch
+# Exclude systemtap-sdt-devel on s390x & ppc64* (OPENJDK-3070)
+Patch6: 0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch
+# Use update repository on RHEL rather than GA (OPENJDK-3589)
+Patch7: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
+
+BuildRequires: make autoconf automake libtool gcc gcc-c++ wget glibc-devel texinfo tar bison
+
+# Setup variables to reference correct sources
+%ifarch %{aarch64}
+%global rpmtarball %{SOURCE1}
+%endif
+%ifarch ppc64le
+%global rpmtarball %{SOURCE2}
+%endif
+%ifarch s390x
+%global rpmtarball %{SOURCE3}
+%endif
+%ifarch x86_64
+%global rpmtarball %{SOURCE4}
+%endif
+
+%description
+OpenJDK Devkit
+
+%prep
+
+# Unpack OpenJDK sources only in build directory
+%setup -q -T -c -a 0
+
+# This syntax is deprecated:
+# %patchN [...]
+# and should be replaced with:
+# %patch -PN [...]
+# For example:
+# %patch1001 -p1
+# becomes:
+# %patch -P1001 -p1
+# The replacement format suggested by recent (circa Fedora 38) RPM
+# deprecation messages:
+# %patch N [...]
+# is not backward-compatible with prior (circa RHEL-8) versions of
+# rpmbuild.
+pushd jdk-*
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
+%patch -P6 -p1
+%patch -P7 -p1
+popd
+
+mkdir -p devkit/download
+pushd devkit/download
+tar -xJf %{rpmtarball}
+ln -s %{SOURCE5}
+ln -s %{SOURCE6}
+ln -s %{SOURCE7}
+ln -s %{SOURCE8}
+ln -s %{SOURCE9}
+ln -s %{SOURCE10}
+
+%build
+
+devkit_dir=$(pwd)/devkit
+today=$(date +%Y%m%d)
+arch=%{_target_cpu}
+result_name=${arch}-linux-gnu-to-${arch}-linux-gnu
+result_path=result/${result_name}
+
+pushd jdk-*/make/devkit
+
+# Build devkit first using the native toolchain,
+# than again using itself
+for variant in bootstrap product ; do
+ if [ -e ${devkit_dir}-bootstrap/${result_path}/bin/gcc ] ; then
+ ROOTDIR=${devkit_dir}-bootstrap/${result_path};
+ BINDIR=${ROOTDIR}/bin;
+ TOOLS="CC=${BINDIR}/gcc CXX=${BINDIR}/g++ LD=${BINDIR}/ld \
+ AR=${BINDIR}/ar AS=${BINDIR}/as RANLIB=${BINDIR}/ranlib \
+ OBJDUMP=${BINDIR}/objdump"
+ LIBPATH="${ROOTDIR}/lib64:${ROOTDIR}/lib"
+ else
+ TOOLS="CC=$(which gcc) CXX=$(which g++) LD=$(which ld) \
+ AR=$(which ar) AS=$(which as) RANLIB=$(which ranlib) \
+ OBJDUMP=$(which objdump)"
+ fi
+ mkdir -p ${devkit_dir}-${variant}
+ ln -s ${devkit_dir}/download ${devkit_dir}-${variant}
+ LD_LIBRARY_PATH="${LIBPATH}" \
+ make -f Tools.gmk all ${TOOLS} \
+ HOST=${arch}-linux-gnu \
+ BUILD=${arch}-linux-gnu \
+ RESULT=${devkit_dir}-${variant}/result \
+ OUTPUT_ROOT=${devkit_dir}-${variant} \
+ TARGET=${arch}-linux-gnu \
+ PREFIX=${devkit_dir}-${variant}/${result_path} \
+ BASE_OS=RHEL
+done
+
+make -r -f Tars.gmk \
+ SRC_DIR=${devkit_dir}-product/${result_path} \
+ TAR_FILE=${devkit_dir}-product/result/sdk-${result_name}-${today}.tar.gz
+popd
+
+%install
+mkdir -p %{buildroot}%{_datadir}/%{name}
+cp -p devkit-product/result/*.tar.gz %{buildroot}%{_datadir}/%{name}/
+
+%files
+%{_datadir}/%{name}
+
+%changelog
+* Fri Jan 17 2025 Andrew Hughes - 1.0-9
+- Update devkit RPMs to latest updates
+- Exclude SystemTap RPMs from s390x and ppc64le
+- Add a date stamp to the RPM bundles
+- Resolves: OPENJDK-3070
+= Resolves: OPENJDK-3589
+
+* Wed Nov 27 2024 Andrew Hughes - 1.0-8
+- Add --enable-linker-build-id to gcc build
+- Resolves: OPENJDK-3068
+
+* Wed Oct 30 2024 Andrew Hughes - 1.0-7
+- Improve build logging by also writing to stdout
+- Cleanup patches and rebase on jdk-21.0.5-ga
+- Drop JDK-8323671 patch which is upstream as of 21.0.3+3
+- Resolves: OPENJDK-3071
+
+* Tue Jun 11 2024 Andrew Hughes - 1.0-6
+- Fix typo where 'as' binary is accidentally capitalised in AS=/as
+
+* Wed May 01 2024 Andrew Hughes - 1.0-5
+- Bootstrap the devkit, building it again with itself
+
+* Mon Apr 08 2024 Andrew Hughes - 1.0-4
+- Include Thomas' patches to drop .comment sections and build binutils with deterministic archives
+- Use backward-compatible patch syntax
+
+* Tue Feb 06 2024 Andrew Hughes - 1.0-3
+- Include JDK-8323671 patch so the binaries don't contain the full source path
+
+* Fri Dec 08 2023 Andrew Hughes - 1.0-2
+- Try to turn off multlib on x86_64 as we don't have the dependencies for it
+
+* Tue Dec 05 2023 Andrew Hughes - 1.0-1
+- Create RHEL 7 based devkit for building OpenJDK
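Review bot: In %build, `LIBPATH` is assigned only in the branch that finds an existing bootstrap gcc, yet `LD_LIBRARY_PATH="${LIBPATH}"` is applied on every pass of the loop, so the first (bootstrap) pass runs make with whatever `LIBPATH` the build environment happens to export. For a toolchain bundle that the patches above try to make deterministic, the library search path of the native compiler run should not depend on an inherited variable. Initialise it before the loop with `LIBPATH=` so the bootstrap pass always gets an empty path and only the product pass gets the bootstrap `lib64:lib` directories. It also looks as though a re-run in the same build directory would take the first branch on the bootstrap pass, because the `-e` test then finds the gcc left by the previous run; a comment stating that the loop assumes a clean build directory would make that expectation explicit.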
diff --git a/SOURCES/openjdk_news.sh b/SOURCES/openjdk_news.sh
deleted file mode 100755
index 560b356..0000000
--- a/SOURCES/openjdk_news.sh
+++ /dev/null
@@ -1,76 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2022 Red Hat, Inc. -# Written by Andrew John Hughes , 2012-2022 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -OLD_RELEASE=$1 -NEW_RELEASE=$2 -SUBDIR=$3 -REPO=$4 -SCRIPT_DIR=$(dirname ${0}) - -if test "x${SUBDIR}" = "x"; then - echo "No subdirectory specified; using ."; - SUBDIR="."; -fi - -if test "x$REPO" = "x"; then - echo "No repository specified; using ${PWD}" - REPO=${PWD} -fi - -if test x${TMPDIR} = x; then - TMPDIR=/tmp; -fi - -echo "Repository: ${REPO}" - -if [ -e ${REPO}/.git ] ; then - TYPE=git; -elif [ -e ${REPO}/.hg ] ; then - TYPE=hg; -else - echo "No Mercurial or Git repository detected."; - exit 1; -fi - -if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then - echo "ERROR: Need to specify old and new release"; - exit 2; -fi - -echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes -for repos in . 
$(${SCRIPT_DIR}/discover_trees.sh ${REPO}); -do - if test "x$TYPE" = "xhg"; then - hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ - sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2; - hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3; - else - git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \ - sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2; - touch ${TMPDIR}/fixes3 ; # unused - fi -done - -sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 - -echo "In ${TMPDIR}/fixes:" -cat ${TMPDIR}/fixes diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch deleted file mode 100644 index 3042186..0000000 --- a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java ---- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200 -+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200 -@@ -595,7 +595,11 @@ - toolkit = new HeadlessToolkit(toolkit); - } - if (!GraphicsEnvironment.isHeadless()) { -- loadAssistiveTechnologies(); -+ try { -+ loadAssistiveTechnologies(); -+ } catch (AWTError error) { -+ // ignore silently -+ } - } - } - return toolkit; diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch deleted file mode 100644 index 6d2342a..0000000 
--- a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index adfaf57d29e..abf89bbf327 100644 ---- a/src/java.base/share/conf/security/java.security -+++ b/src/java.base/share/conf/security/java.security -@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI - security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # Security providers used when FIPS mode support is active diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch deleted file mode 100644 index 5e2b254..0000000 --- a/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100 -+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100 -@@ -48,8 +48,8 @@ - - private final static String PROP_NAME = "sun.security.smartcardio.library"; - -- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so"; -- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; -+ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1"; -+ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1"; - private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; - - PlatformPCSC() { diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch deleted file mode 100644 index 88f5e5a..0000000 --- a/SOURCES/rh1750419-redhat_alt_java.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk -index 700ddefda49..2882de68eb2 100644 ---- openjdk.orig/make/modules/java.base/Launcher.gmk -+++ openjdk/make/modules/java.base/Launcher.gmk -@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \ - OPTIMIZATION := HIGH, \ - )) - -+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c -+$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ -+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \ -+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ -+ OPTIMIZATION := HIGH, \ -+)) -+ - ifeq ($(call isTargetOs, windows), true) - $(eval $(call SetupBuildLauncher, javaw, \ - CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ -diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h -new file mode 100644 -index 00000000000..697df2898ac ---- /dev/null -+++ openjdk/src/java.base/share/native/launcher/alt_main.h -@@ -0,0 +1,73 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). 
-+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#ifdef REDHAT_ALT_JAVA -+ -+#include -+ -+ -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ -+#endif // REDHAT_ALT_JAVA -diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c -index b734fe2ba78..79dc8307650 100644 ---- openjdk.orig/src/java.base/share/native/launcher/main.c -+++ openjdk/src/java.base/share/native/launcher/main.c -@@ -34,6 +34,14 @@ - #include "jli_util.h" - #include "jni.h" - -+#ifdef REDHAT_ALT_JAVA -+#if 
defined(__linux__) && defined(__x86_64__) -+#include "alt_main.h" -+#else -+#warning alt-java requested but SSB mitigation not available on this platform. -+#endif -+#endif -+ - #ifdef _MSC_VER - #if _MSC_VER > 1400 && _MSC_VER < 1600 - diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch deleted file mode 100644 index 1b706a1..0000000 --- a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +++ /dev/null @@ -1,19 +0,0 @@ -Remove uses of FAR in jpeg code - -Upstream libjpeg-trubo removed the (empty) FAR macro: -http://sourceforge.net/p/libjpeg-turbo/code/1312/ - -Adjust our code to not use the undefined FAR macro anymore. - -diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -@@ -1385,7 +1385,7 @@ - /* and fill it in */ - dst_ptr = icc_data; - for (seq_no = first; seq_no < last; seq_no++) { -- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; -+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; - unsigned int length = - icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; - diff --git a/SOURCES/rpminspect.yaml b/SOURCES/rpminspect.yaml deleted file mode 100644 index 8b4fa58..0000000 --- a/SOURCES/rpminspect.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -inspections: - javabytecode: off diff --git a/SPECS/java-21-openjdk.spec b/SPECS/java-21-openjdk.spec index 439481a..606a4ed 100644 --- a/SPECS/java-21-openjdk.spec +++ b/SPECS/java-21-openjdk.spec 
@@ -1,3 +1,8 @@ +# To rebuild this RPM, you must first rebuild the portable +# RPM using the java-21-openjdk-portable.specfile, install +# it and then adjust portablerelease and portablesuffix +# to match the new portable. + # RPM conditionals so as to be able to dynamically produce # slowdebug/release builds. See: # http://rpm.org/user_doc/conditional_builds.html @@ -21,8 +26,6 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs -# Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_without fresh_libjvm # Build with system libraries %bcond_with system_libs @@ -34,13 +37,6 @@ %global include_staticlibs 0 %endif -# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so -%if %{with fresh_libjvm} -%global build_hotspot_first 1 -%else -%global build_hotspot_first 0 -%endif - %if %{with system_libs} %global system_libs 1 %global link_type system @@ -133,9 +129,9 @@ # Set of architectures which support the serviceability agent %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} # Set of architectures which support class data sharing -# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 -# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT -%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} # Set of architectures for which we build the Shenandoah garbage collector %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector 
@@ -146,6 +142,8 @@ %global svml_arches x86_64 # Set of architectures where we verify backtraces with gdb %global gdb_arches %{jit_arches} %{zero_arches} +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -223,11 +221,14 @@ # Target to use to just build HotSpot %global hotspot_target hotspot -# JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk - # debugedit tool for rewriting ELF file paths +%if 0%{?rhel} >= 10 +# From RHEL 10, the tool is in its own package installed in the usual location +%global debugedit %{_bindir}/debugedit +%else +# On earlier versions of RHEL, it is part of the rpm package %global debugedit %{_rpmconfigdir}/debugedit +%endif # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -238,12 +239,6 @@ %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourldflags %{__global_ldflags} -# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path -# the initialization must be here. Later the pkg-config have buggy behavior -# looks like openjdk RPM specific bug -# Always set this so the nss.cfg file is not broken -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap 
@@ -311,23 +306,18 @@ %endif # New Version-String scheme-style defines -%global featurever 17 -%global fakefeaturever 21 +%global featurever 21 %global interimver 0 -%global updatever 7 +%global updatever 6 %global patchver 0 -# buildjdkver is usually same as %%{featurever}, -# but in time of bootstrap of next jdk, it is featurever-1, -# and this it is better to change it here, on single place -%global buildjdkver 17 # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} %global lts_designator "LTS" %global lts_designator_zip -%{lts_designator} %else - %global lts_designator "" - %global lts_designator_zip "" + %global lts_designator "" + %global lts_designator_zip "" %endif # Define vendor information used by OpenJDK @@ -343,7 +333,7 @@ %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} %else %if 0%{?rhel} -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ %else %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi %endif 
@@ -354,18 +344,37 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver bf363eecce3 +%global fipsver 0a42e29b391 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Define the OS the portable JDK is built on +# This is undefined for CentOS & openjdk-portable-rhel-8 builds and +# equals 'rhel7' for openjdk-portable-rhel-7 builds +%if 0 +%global pkgos rhel7 +%endif # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 4 +%global rpmrelease 2 # Settings used by the portable build -%global portablerelease 2 -%global portablesuffix el8 +%global portablerelease 1 +# Portable suffix differs between RHEL and CentOS +%if 0%{?centos} == 0 +%global portablesuffix %{?pkgos:el7_9}%{!?pkgos:el8} +%else +%global portablesuffix el9 +%endif %global portablebuilddir /builddir/build/BUILD # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit 
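Review bot: `%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}` now sits above `%global buildver 7`, whereas the block it was moved from (removed in the next hunk) came after it. `%global` expands its body when it is defined, so `%{buildver}` only resolves because an undefined macro is left as literal text and expanded again on use. The conditional `%{?tagsuffix:...}` gets no such second chance: it collapses to nothing unless `tagsuffix` is already defined at this point, and no definition is visible in this hunk. `top_level_dir_name` and `Source0` both derive from `vcstag`, so a wrong tag changes which tarball and directory the build uses. I would move `%global buildver 7` above the `# Define JDK versions` block, together with any `tagsuffix` definition.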
@@ -380,15 +389,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -# Force 21 until we are actually ready to build that JDK version -%global javaver %{fakefeaturever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -398,7 +398,7 @@ %if %{is_ga} %global build_type GA %global ea_designator "" -%global ea_designator_zip "" +%global ea_designator_zip %{nil} %global extraver %{nil} %global eaprefix %{nil} %else @@ -410,13 +410,13 @@ %endif # parametrized macros are order-sensitive -%global compatiblename java-%{fakefeaturever}-%{origin} +%global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk 
@@ -426,7 +426,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|lible[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -442,6 +442,12 @@ %global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ %endif +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif %global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} %define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} 
@@ -550,12 +556,15 @@ alternatives \\ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ @@ -575,10 +584,6 @@ alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jre } %define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -644,7 +649,6 @@ alternatives \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ - --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ 
@@ -660,6 +664,7 @@ alternatives \\ --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/jwebserver jwebserver %{sdkbindir -- %{?1}}/jwebserver \\ --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ @@ -671,8 +676,6 @@ alternatives \\ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ - %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ @@ -693,6 +696,8 @@ alternatives \\ %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jwebserver.1$ext jwebserver.1$ext \\ + %{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ 
@@ -750,10 +755,19 @@ PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi + for X in %{origin} %{javaver} ; do + key=javadocdir_"$X" + alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + done -key=javadocdir -alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} -%{set_if_needed_alternatives $key %{family_noarch}} + key=javadocdir_%{javaver}_%{origin} + alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + + key=javadocdir + alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} exit 0 } @@ -763,6 +777,9 @@ if [ "x$debug" == "xtrue" ] ; then fi post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } 
@@ -774,9 +791,20 @@ PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -key=javadoczip -alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} -%{set_if_needed_alternatives $key %{family_noarch}} + for X in %{origin} %{javaver} ; do + key=javadoczip_"$X" + alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + done + + key=javadoczip_%{javaver}_%{origin} + alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + + # Weird legacy filename for backwards-compatibility + key=javadoczip + alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} exit 0 } @@ -786,6 +814,9 @@ exit 0 fi post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } 
@@ -801,7 +832,9 @@ exit 0 %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md -%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{fakefeaturever}-openjdk-portable.specfile +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/openjdk-devkit.specfile +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/0*.patch %dir %{_sysconfdir}/.java/.systemPrefs %dir %{_sysconfdir}/.java %dir %{_jvmdir}/%{sdkdir -- %{?1}} @@ -810,6 +843,7 @@ exit 0 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java %{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib @@ -846,6 +880,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/lible.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so 
@@ -873,11 +908,15 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/ %ifarch %{share_arches} -%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes.jsa +%ifnarch %{ix86} %{arm32} +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes_nocoops.jsa +%endif %endif %dir %{etcjavasubdir} %dir %{etcjavadir -- %{?1}} @@ -902,14 +941,14 @@ exit 0 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security -%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # This is a config template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template %config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/jaxp.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties %{_jvmdir}/%{sdkdir -- %{?1}}/conf 
@@ -917,13 +956,11 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_bindir}/java -%ghost %{_bindir}/%{alt_java_name} %ghost %{_jvmdir}/jre +%ghost %{_bindir}/%{alt_java_name} +%ghost %{_bindir}/jcmd %ghost %{_bindir}/keytool -%ghost %{_bindir}/pack200 -%ghost %{_bindir}/rmid %ghost %{_bindir}/rmiregistry -%ghost %{_bindir}/unpack200 %ghost %{_jvmdir}/jre-%{origin} %ghost %{_jvmdir}/jre-%{javaver} %ghost %{_jvmdir}/jre-%{javaver}-%{origin} @@ -943,7 +980,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan @@ -967,6 +1003,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jwebserver %{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver %{_jvmdir}/%{sdkdir -- %{?1}}/include %{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym 
@@ -980,23 +1017,23 @@ exit 0 %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* %if %{with_systemtap} %dir %{tapsetroot} @@ -1008,7 +1045,6 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java -%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod %ghost %{_bindir}/jhsdb 
@@ -1016,20 +1052,22 @@ exit 0 %ghost %{_bindir}/jarsigner %ghost %{_bindir}/javadoc %ghost %{_bindir}/javap -%ghost %{_bindir}/jcmd %ghost %{_bindir}/jconsole %ghost %{_bindir}/jdb %ghost %{_bindir}/jdeps %ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jfr %ghost %{_bindir}/jimage %ghost %{_bindir}/jinfo %ghost %{_bindir}/jmap %ghost %{_bindir}/jps +%ghost %{_bindir}/jpackage %ghost %{_bindir}/jrunscript %ghost %{_bindir}/jshell %ghost %{_bindir}/jstack %ghost %{_bindir}/jstat %ghost %{_bindir}/jstatd +%ghost %{_bindir}/jwebserver %ghost %{_bindir}/serialver %ghost %{_jvmdir}/java-%{origin} %ghost %{_jvmdir}/java-%{javaver} @@ -1045,7 +1083,6 @@ exit 0 %define files_demo() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/demo -%{_jvmdir}/%{sdkdir -- %{?1}}/sample } %define files_src() %{expand: @@ -1066,6 +1103,9 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java +%ghost %{_javadocdir}/java-%{origin} +%ghost %{_javadocdir}/java-%{javaver} +%ghost %{_javadocdir}/java-%{javaver}-%{origin} %endif %endif } @@ -1076,13 +1116,13 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java-zip +%ghost %{_javadocdir}/java-%{origin}.zip +%ghost %{_javadocdir}/java-%{javaver}.zip +%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip %endif %endif } -# x86 is not supported by OpenJDK 17 -ExcludeArch: %{ix86} - # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: Requires: fontconfig%{?_isa} 
@@ -1119,8 +1159,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2022g required as of JDK-8297804 -Requires: tzdata-java >= 2022g +# 2024b required as of JDK-8339637 +Requires: tzdata-java >= 2024b # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1241,10 +1281,17 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 +# Define the root name of the portable packages +%global pkgnameroot java-%{featurever}-%{origin}-portable%{?pkgos:-%{pkgos}} + +# Define the architectures on which we build +ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64 Name: java-%{javaver}-%{origin} Version: %{newjavaver}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# Equivalent for the portable build +%global prelease %{?eaprefix}%{portablerelease}%{?extraver} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1279,9 +1326,8 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). 
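Review bot: The comment kept above the new `Source0:` still says the tarball is "generated using generate_source_tarball.sh", and the following comment still points at `icedtea_sync.sh`, but Source0 is now a download URL and both scripts appear to be deleted from SOURCES by this same commit. Everything the package ships derives from this tarball, so the comment should state where it comes from and how it is checked. Something like `# Upstream release tarball; integrity is pinned by the hash recorded in .java-21-openjdk.metadata` would do, if that is indeed the only check. Nothing visible in this hunk verifies a signature on the download, so it is worth saying explicitly what the trust anchor is.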
@@ -1291,8 +1337,8 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in -# nss configuration file -Source11: nss.cfg.in +# Source code for alt-java +Source11: alt-java.c # Removed libraries that we link instead Source12: remove-intree-libraries.sh 
@@ -1314,17 +1360,37 @@ Source18: TestTranslations.java # Include portable spec and instructions on how to rebuild Source19: README.md -Source20: java-%{fakefeaturever}-openjdk-portable.specfile +Source20: java-%{featurever}-openjdk-portable.specfile +Source21: NEWS +Source22: openjdk-devkit.specfile +# Devkit patches; see https://github.com/rh-openjdk/jdk/tree/devkit +# To regenerate, use git format-patch -N jdk21u/master +# Add RHEL RPM URLs and turn off robots +Source23: 0001-Allow-devkit-to-work-with-RHEL.patch +# Turn off multilib on x86_64 +Source24: 0002-Disable-multilib-on-x86_64.patch +# Improve build logging (OPENJDK-3071) +Source25: 0003-Log-devkit-build-to-stdout.patch +# Remove .comment sections from sysroot objects +Source26: 0004-devkit-Remove-.comment-sections-from-sysroot-objects.patch +# Configure binutils with --enable-deterministic-archives +Source27: 0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch +# Configure gcc with --enable-linker-build-id (OPENJDK-3068) +Source28: 0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch +# Exclude systemtap-sdt-devel on s390x & ppc64* (OPENJDK-3070) +Source29: 0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch +# Use update repository on RHEL rather than GA (OPENJDK-3589) +Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # Setup variables to reference correct sources -%global releasezip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.unstripped.jdk.%{_arch}.tar.xz -%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.static-libs.%{_arch}.tar.xz -%global docszip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.docs.%{_arch}.tar.xz -%global misczip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.misc.%{_arch}.tar.xz -%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.slowdebug.jdk.%{_arch}.tar.xz -%global slowdebugstaticlibzip 
%{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz -%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.fastdebug.jdk.%{_arch}.tar.xz -%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz +%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global slowdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz +%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz ############################################ # 
@@ -1332,23 +1398,9 @@ Source20: java-%{fakefeaturever}-openjdk-portable.specfile # ############################################ -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - # Crypto policy and FIPS support patches -# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u -# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy 
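Review bot: Dropping `Patch600` (the speculative-store-bypass hardened alt-java, CVE-2018-3639) and `Patch2` (restricting access to java-atk-wrapper classes) leaves nothing in this block to say where those protections went. The matching `%patch600` and `%patch2` lines are removed in the later %prep hunk. An earlier hunk turns `Source11` into `alt-java.c` and the file lists still ship `%{alt_java_name}`, so the launcher presumably now comes from the portable build, but where it is compiled is not visible here. A short comment above the FIPS patch block would let an auditor confirm the hardening was not lost in the rebase, for example `# alt-java (CVE-2018-3639 hardening) is built from Source11; rh1648644 dropped because <reason>`.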
@@ -1372,7 +1424,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2104724: Avoid import/export of DH private keys # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode # Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] # RH2020290: Support TLS 1.3 in FIPS mode # Add nss.fips.cfg support to OpenJDK tree # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode @@ -1381,8 +1433,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2134669: Add missing attributes when registering services in FIPS mode. # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized -Patch1001: fips-17u-%{fipsver}.patch +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # 
@@ -1390,21 +1442,31 @@ Patch1001: fips-17u-%{fipsver}.patch # ############################################# +# Currently empty + ############################################# # -# OpenJDK patches targetted for 17.0.8 +# OpenJDK patches which missed last update # ############################################# -# JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile -Patch2001: jdk8274864-remove_amman_cairo_hacks.patch -# JDK-8305113: (tz) Update Timezone Data to 2023c -Patch2002: jdk8305113-tzdata2023c.patch + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel BuildRequires: binutils BuildRequires: cups-devel +# From RHEL 10, debugedit is in its own package +%if 0%{?rhel} >= 10 +BuildRequires: debugedit +%endif BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel @@ -1419,7 +1481,7 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirement for setting up nss.cfg and nss.fips.cfg +# Requirement for setting up nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test BuildRequires: crypto-policies 
@@ -1428,25 +1490,25 @@ BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem %if %{include_normal_build} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-static-libs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif %if %{include_fastdebug_build} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-static-libs-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif %if %{include_debug_build} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-static-libs-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif -BuildRequires: java-%{fakefeaturever}-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-misc = 
%{epoch}:%{version}-%{prelease}.%{portablesuffix} # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2023c required as of JDK-8305113 -BuildRequires: tzdata-java >= 2023c +# 2024b required as of JDK-8339637 +BuildRequires: tzdata-java >= 2024b # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1462,19 +1524,22 @@ BuildRequires: harfbuzz-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel +BuildRequires: zlib-devel %else -# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.1 +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.2 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h -Provides: bundled(giflib) = 5.2.1 +Provides: bundled(giflib) = 5.2.2 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 4.4.1 +Provides: bundled(harfbuzz) = 8.2.2 # Version in src/java.desktop/share/native/liblcms/lcms2.h -Provides: bundled(lcms2) = 2.12.0 +Provides: bundled(lcms2) = 2.16.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.37 +Provides: bundled(libpng) = 1.6.43 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 %endif # this is always built, also during debug-only build @@ -1787,6 +1852,7 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %prep echo "Preparing %{oj_vendor_version}" +echo "System is RHEL=%{?rhel}%{!?rhel:0}, CentOS=%{?centos}%{!?centos:0}, EPEL=%{?epel}%{!?epel:0}, Fedora=%{?fedora}%{!?fedora:0}" # Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( %if 0%{?stapinstall:1} 
@@ -1817,6 +1883,8 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi + +export XZ_OPT="-T0" %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -1833,21 +1901,24 @@ sh %{SOURCE12} %{top_level_dir_name} %endif # Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 # Add crypto policy and FIPS support -%patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -# tzdata update -%patch2001 -p1 -%patch2002 -p1 +%patch -P1001 -p1 popd # openjdk -%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, 
@@ -1869,35 +1940,6 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then exit 17 fi -# Extract systemtap tapsets -%if %{with_systemtap} -tar --strip-components=1 -x -I xz -f %{SOURCE8} -%if %{include_debug_build} -cp -r tapset tapset%{debug_suffix} -%endif -%if %{include_fastdebug_build} -cp -r tapset tapset%{fastdebug_suffix} -%endif - -for suffix in %{build_loop} ; do - for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 - sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE - done -done -# systemtap tapsets ends -%endif - # Prepare desktop files # The _X_ syntax indicates variables that are replaced by make upstream # The @X@ syntax indicates variables that are replaced by configure upstream @@ -1915,9 +1957,6 @@ for file in %{SOURCE9}; do done done -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg - %build function customisejdk() { @@ -1934,6 +1973,18 @@ function customisejdk() { fi } +export XZ_OPT="-T0" + +mkdir -p $(dirname %{installoutputdir}) + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv java-%{featurever}-openjdk*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv java-%{featurever}-openjdk*.misc.* ${miscdir} + for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then 
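Review bot: The docs and misc archives are unpacked with `tar -xJf %{docszip}` and `tar -xJf %{misczip}` without any integrity check, and the misc archive is no longer only supplementary material. Later hunks take the tapset templates and the `%{alt_java_name}` binary (installed with mode 755) from `${miscdir}`. The existing `# TODO: should verify checksums when using packages from buildroot` sits above the `${jdkzip}` and `${staticlibzip}` extractions only, so I would repeat it here, e.g. `# TODO: verify checksums of the docs and misc archives; misc supplies the alt-java binary`. If the portable package ships a digest for these archives, verifying against it before extraction would close the gap rather than just documenting it.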
@@ -1952,17 +2003,32 @@ for suffix in %{build_loop} ; do # TODO: should verify checksums when using packages from buildroot tar -xJf ${jdkzip} tar -xJf ${staticlibzip} - mkdir -p $(dirname ${installdir}) - mv java-%{fakefeaturever}-openjdk* ${installdir} + mv java-%{featurever}-openjdk* ${installdir} # Fix build paths in ELF files so it looks like we built them - portablenvr="%{name}-%{VERSION}-%{portablerelease}.%{portablesuffix}.%{_arch}" + portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" for file in $(find ${installdir} -type f) ; do if file ${file} | grep -q 'ELF'; then - %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} + %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} fi done + # Set tapset variables to match this build +%if %{with_systemtap} + for file in ${miscdir}/tapset${suffix}/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{vm_variant}/libjvm.so:g" $file > ${OUTPUT_FILE} +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE} +%else + sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE} +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +%endif + # Final setup on the main image customisejdk ${installdir} 
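Review bot: The new tapset loop no longer substitutes `@JAVA_SPEC_VER@` or `@INSTALL_ARCH_DIR@`, which the removed %prep code did, and nothing checks that the generated `.stp` files are free of leftover placeholders. Presumably the templates in the misc tarball already have those expanded by the portable build, but that is not visible here. A guard after the last `sed`, such as `if grep -q '@[A-Z_][A-Z_]*@' "${OUTPUT_FILE}"; then exit 1; fi`, would make a mismatch between templates and spec fail the build instead of shipping a broken tapset. The loop also expands `$file` and `$OUTPUT_FILE` unquoted and assumes the `*.in` glob matches at least one file. The enclosing `for suffix in %{build_loop}` loop starts and ends outside this hunk.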
@@ -1972,14 +2038,6 @@ for suffix in %{build_loop} ; do # build cycles done # end of release / debug cycle loop -docdir=%{installoutputdir -- "-docs"} -tar -xJf %{docszip} -mv java-%{fakefeaturever}-openjdk*.docs.* ${docdir} - -miscdir=%{installoutputdir -- "-misc"} -tar -xJf %{misczip} -mv java-%{fakefeaturever}-openjdk*.misc.* ${miscdir} - %check # We test debug first as it will give better diagnostics on a crash 
@@ -1994,47 +2052,80 @@ export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}} $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version %endif -# Check unlimited policy has been used -$JAVA_HOME/bin/javac -d . %{SOURCE13} -$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} -# Check ECC is working -$JAVA_HOME/bin/javac -d . %{SOURCE14} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + # Check unlimited policy has been used + $JAVA_HOME/bin/javac -d . %{SOURCE13} + $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel -# Check system crypto (policy) is active and can be disabled -# Test takes a single argument - true or false - to state whether system -# security properties are enabled or not. -$JAVA_HOME/bin/javac -d . %{SOURCE15} -export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") -export SEC_DEBUG="-Djava.security.debug=properties" -$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + # Check ECC is working + $JAVA_HOME/bin/javac -d . %{SOURCE14} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + + # Check system crypto (policy) is active and can be disabled + # Test takes a single argument - true or false - to state whether system + # security properties are enabled or not. + $JAVA_HOME/bin/javac -d . %{SOURCE15} + export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") + export SEC_DEBUG="-Djava.security.debug=properties" + $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true + $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + + # Check correct vendor values have been set + $JAVA_HOME/bin/javac -d . 
%{SOURCE16} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +%if ! 0%{?flatpak} + # Check translations are available for new timezones (during flatpak builds, the + # tzdb.dat used by this test is not where the test expects it, so this is + # disabled for flatpak builds) + # Disable test until we are on the latest JDK + $JAVA_HOME/bin/javac -d . %{SOURCE18} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + + # Check src.zip has all sources. See RHBZ#1130490 + unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + + # Check class files include useful debugging information + $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + + # Check generated class files include useful debugging information + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + + # Just run a basic java -version test on other architectures + $JAVA_HOME/bin/java -version + +%endif # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi # Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +alt_java_binary=$RPM_BUILD_ROOT%{jrebindir -- $suffix}/%{alt_java_name} %ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +nm ${alt_java_binary} | grep prctl %else -if ! 
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi -%endif - -%if ! 0%{?flatpak} -# Check translations are available for new timezones (during flatpak builds, the -# tzdb.dat used by this test is not where the test expects it, so this is -# disabled for flatpak builds) -$JAVA_HOME/bin/javac -d . %{SOURCE18} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE -$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi %endif %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) +# Temporary workaround for debuginfo failure on x86_64 with devkit build +%ifnarch x86_64 export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c +%endif %endif so_suffix="so" @@ -2104,19 +2195,6 @@ EOF grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif -# Check src.zip has all sources. See RHBZ#1130490 -unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' - -# Check class files include useful debugging information -$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable - -# Check generated class files include useful debugging information -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable - # build cycles check done 
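Review bot: Wrapping the checks in `%ifarch %{jdk_test_arch}` means the unlimited-policy test (`TestCryptoLevel`), the ECC test and the system crypto policy test now run on one architecture only, while every other architecture gets just `java -version`. If the crypto policy and FIPS support applied by `%patch -P1001` has any architecture-specific part (not visible in this hunk), a broken security configuration on those architectures would still pass %check. I would keep those three checks outside the `%ifarch`, or add a comment stating why they are architecture-independent. Separately, the comment `# Disable test until we are on the latest JDK` above the `%{SOURCE18}` translation test is stale, because the test is still compiled and run, and the `x86_64` exemption for the static-libs debuginfo test is marked temporary without a bug reference to track its removal. The enclosing `for suffix` loop begins before this hunk.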
@@ -2128,25 +2206,28 @@ for suffix in %{build_loop} ; do jdk_image=$(pwd)/%{installoutputdir -- ${suffix}} # Should match same definitions in build section docdir=$(pwd)/%{installoutputdir -- "-docs"} -miscdir=%{installoutputdir -- "-misc"} +miscdir=$(pwd)/%{installoutputdir -- "-misc"} # Install release notes and rebuild instructions commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} mv ${jdk_image}/NEWS ${commondocdir} -cp -a %{SOURCE19} %{SOURCE20} ${commondocdir} +# Copy portable and devkit specfiles and README.md +cp -a %{SOURCE19} %{SOURCE20} %{SOURCE22} ${commondocdir} +# Copy devkit patches +cp -a %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} \ + %{SOURCE27} %{SOURCE28} %{SOURCE29} %{SOURCE30} ${commondocdir} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} - -pushd ${jdk_image} +# Install %{alt_java_name} binary +install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $suffix} %if %{with_systemtap} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset - # note, that uniquesuffix is in BUILD dir in this case - cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + cp -a ${miscdir}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd @@ -2169,8 +2250,11 @@ pushd ${jdk_image} ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} popd + # Copy alt-java man page into image so it gets installed with the others + cp -a ${miscdir}/%{alt_java_name}.1 ${jdk_image}/man/man1 # Install man pages install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 + pushd ${jdk_image} for manpage in man/man1/* do # Convert man pages to UTF8 encoding 
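Review bot: `install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $suffix}` only places the launcher correctly if the destination already exists as a directory. Otherwise `install` treats the last argument as the target file name and writes the binary to a file named after the directory. It presumably works because the preceding `cp -a ${jdk_image} ...` creates that directory, but the dependency is implicit. Spelling out the full path, as %check already does for `alt_java_binary`, removes it: `install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $suffix}/%{alt_java_name}`. The enclosing `for suffix` loop continues past this hunk.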
@@ -2181,8 +2265,7 @@ pushd ${jdk_image} done # Remove man pages from jdk image rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man - -popd + popd if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation @@ -2213,9 +2296,6 @@ done # See https://bugzilla.redhat.com/show_bug.cgi?id=741821 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs -# copy samples next to demos; samples are mostly js files -cp -r ${miscdir}/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ - # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib 
@@ -2481,6 +2561,308 @@ cjc.mainProgram(args) %endif %changelog +* Thu Feb 06 2025 Andrew Hughes - 1:21.0.6.0.7-2 +- Bump tzdata requirement to 2024b for JDK-8339637 +- Resolves: RHEL-74001 + +* Sat Jan 18 2025 Andrew Hughes - 1:21.0.6.0.7-1 +- Update to jdk-21.0.6+7 (GA) +- Update release notes to 21.0.6+7 +- Sync the copy of the portable & devkit specfiles with the latest update +- Include the latest devkit patches +- Update README.md to list an easier way of disabling the devkit +- ** This tarball is embargoed until 2025-01-21 @ 1pm PT. ** +- Resolves: RHEL-73562 + +* Fri Jan 17 2025 Andrew Hughes - 1:21.0.5.0.11-3 +- Transition to the devkit build by not defining pkgos +- Exempt x86_64 from the static libs debuginfo test until portable uses an older DWARF version +- Sync the copy of the portable specfile with the devkit version +- Include the devkit specfile and patches +- Document the devkit in README.md +- Resolves: RHEL-74403 + +* Wed Oct 16 2024 Andrew Hughes - 1:21.0.5.0.11-2 +- Update to jdk-21.0.5+11 (GA) +- Update release notes to 21.0.5+11 +- Remove local JDK-8327501 & JDK-8328366 backport as this is now upstream. +- Sync the copy of the portable specfile with the latest update +- Related: RHEL-61344 + +* Sun Oct 13 2024 Andrew Hughes - 1:21.0.5.0.10-3 +- Sync the copy of the portable specfile with the latest update +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. ** +- Related: RHEL-61344 + +* Sat Oct 12 2024 Andrew Hughes - 1:21.0.5.0.10-2 +- Update to jdk-21.0.5+10 (GA) +- Update release notes to 21.0.5+10 +- Switch to GA mode. +- Revert JDK-8327501 & JDK-8328366 backport until more mature. +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. 
** +- Resolves: RHEL-61344 + +* Fri Oct 11 2024 Andrew Hughes - 1:21.0.5.0.9-0.2.ea +- Update to jdk-21.0.5+9 (EA) +- Update release notes to 21.0.5+9 +- Switch to EA mode +- Bump giflib version to 5.2.2 following JDK-8328999 +- Bump libpng version to 1.6.43 following JDK-8329004 +- Sync with RHEL 7 portable build: + - Use ExclusiveArch over ExcludeArch + - pkgos definition needs to be early enough to be used in portablesuffix +- Make build scripts executable +- Sync the copy of the portable specfile with the latest update +- Resolves: RHEL-58797 +- Resolves: RHEL-17191 + +* Mon Oct 07 2024 Andrew Hughes - 1:21.0.4.0.7-2 +- Vary portablesuffix depending on whether we are on RHEL ('el8') or CentOS ('el9') +- Handle debugedit being a separate package installed in /usr on RHEL/CentOS 10 +- Add build scripts to repository to ease remembering all CentOS & RHEL targets and options +- Related: RHEL-58797 + +* Fri Jul 12 2024 Andrew Hughes - 1:21.0.4.0.7-1 +- Update to jdk-21.0.4+7 (GA) +- Update release notes to 21.0.4+7 +- Switch to GA mode. +- Sync the copy of the portable specfile with the latest update +- Add missing section headers in NEWS +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. 
** +- Resolves: RHEL-47023 + +* Wed Jun 26 2024 Andrew Hughes - 1:21.0.4.0.5-0.1.ea +- Update to jdk-21.0.4+5 (EA) +- Update release notes to 21.0.4+5 +- Limit Java only tests to one architecture using jdk_test_arch +- Actually require tzdata 2024a now it is available in the buildroot +- Resolves: RHEL-45355 +- Resolves: RHEL-47395 + +* Sat Jun 22 2024 Andrew Hughes - 1:21.0.4.0.1-0.1.ea +- Update to jdk-21.0.4+1 (EA) +- Update release notes to 21.0.4+1 +- Switch to EA mode +- Bump LCMS 2 version to 2.16.0 following JDK-8321489 +- Add zlib build requirement or bundled version (1.3.1), depending on system_libs setting +- Restore NEWS file so portable can be rebuilt +- Sync the copy of the portable specfile with the latest update +- Related: RHEL-45355 +- Resolves: RHEL-46029 + +* Sun Apr 14 2024 Andrew Hughes - 1:21.0.3.0.9-1 +- Update to jdk-21.0.3+9 (GA) +- Update release notes to 21.0.3+9 +- Switch to GA mode. +- Sync the copy of the portable specfile with the latest update +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. 
** +- Resolves: RHEL-32424 + +* Sun Apr 14 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 +- Resolves: RHEL-30946 + +* Sun Apr 14 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.2.ea +- Invoke xz in multi-threaded mode +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Fix -ea logic to add dash +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166) +- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004) +- Use backward-compatible patch syntax +- generate_source_tarball.sh: Ignore -ga tags with 
OPENJDK_LATEST +- generate_source_tarball.sh: Fix whitespace +- generate_source_tarball.sh: Remove trailing period in echo +- generate_source_tarball.sh: Use long-style argument to grep +- generate_source_tarball.sh: Add license +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Related: RHEL-30946 + +* Sun Apr 14 2024 Andrew Hughes - 1:21.0.3.0.1-0.2.ea +- Install alt-java man page from the misc tarball as it is no longer in the JDK image +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck +- Related: RHEL-30946 + +* Sun Apr 14 2024 Andrew 
Hughes - 1:21.0.3.0.1-0.1.ea +- Update to jdk-21.0.3+1 (EA) +- Update release notes to 21.0.3+1 +- Switch to EA mode +- Require tzdata 2023d due to upstream inclusion of JDK-8322725 +- Bump FreeType version to 2.13.2 following JDK-8316028 +- Related: RHEL-30946 + +* Fri Apr 12 2024 Andrew Hughes - 1:21.0.2.0.13-2 +- Define portablesuffix according to whether pkgos is defined or not +- Related: RHEL-30946 + +* Tue Jan 09 2024 Andrew Hughes - 1:21.0.2.0.13-1 +- Update to jdk-21.0.2+13 (GA) +- Sync the copy of the portable specfile with the latest update +- Bump libpng version to 1.6.40 following JDK-8316030 +- Bump HarfBuzz version to 8.2.2 following JDK-8313643 +- Drop local JDK-8311630 patch which is now upstream +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** +- Resolves: RHEL-20999 + +* Mon Nov 06 2023 Andrew Hughes - 1:21.0.1.0.12-3 +- Include JDK-8311630 patch to implement Foreign Function & Memory preview API on s390x +- Sync the copy of the portable specfile with the latest update +- Resolves: RHEL-16290 + +* Mon Oct 30 2023 Andrew Hughes - 1:21.0.1.0.12-2 +- Define pkgnameroot to simplify build requirements and allow '-rhel7' suffix on RHEL +- Related: RHEL-12998 + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.1.0.12-1 +- Update to jdk-21.0.1.0+12 (GA) +- Update release notes to 21.0.1.0+12 +- Sync the copy of the portable specfile with the latest update +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng) +- Sync generate_tarball.sh with 11u & 17u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Fix upstream release URL for OpenJDK source +- Following JDK-8005165, class data sharing can be enabled on all JIT architectures +- Use tapsets from the misc tarball +- Introduce 'prelease' for the portable release versioning, to handle EA builds +- Make sure root installation 
directory is created first +- Use in-place substitution for all but the first of the tapset changes +- Synchronise runtime and buildtime tzdata requirements +- Remove ghosts for binaries not in java-21-openjdk (pack200, rmid, unpack200) +- Add missing jfr, jpackage and jwebserver alternative ghosts +- Move jcmd to the headless package +- Revert alt-java binary location to being within the JDK tree +- Resolves: RHEL-12998 +- Resolves: RHEL-14953 +- Resolves: RHEL-13925 +- Resolves: RHEL-14957 +- Related: RHEL-14945 +- Resolves: RHEL-11321 +- Resolves: RHEL-14947 + +* Fri Oct 27 2023 Jiri Vanek - 1:21.0.1.0.12-1 +- Exclude classes_nocoops.jsa on i686 and arm32 +- Related: RHEL-14945 + +* Fri Oct 27 2023 Severin Gehwolf - 1:21.0.1.0.12-1 +- Fix packaging of CDS archives +- Resolves: RHEL-14945 + +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md) +- Replace alt-java patch with a binary separate from the JDK +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed +- Adapt alt-java test to new binary where there is always a set_speculation function +- Related: RHEL-12998 + +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. 
no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Install jaxp.properties introduced by JDK-8303530 +- Install lible.so introduced by JDK-8306983 +- Related: RHEL-12998 +- Resolves: RHEL-41087 + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: RHEL-12998 + +* Wed Aug 16 2023 Andrew Hughes - 1:20.0.0.0.36-1 +- Update to jdk-20.0.2+9 +- Update release notes to 20.0.2+9 +- Update system crypto policy & FIPS patch from new fips-20u tree +- Update generate_tarball.sh ICEDTEA_VERSION +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) +- Related: RHEL-12998 + +* Wed Aug 16 2023 Jiri Vanek - 1:20.0.0.0.36-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch +- Related: RHEL-12998 + +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.1.0.10-1 +- Update to jdk-19.0.2 release +- Update release notes to 19.0.2 +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 +- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag +- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases +- Related: RHEL-12998 + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Drop now unused fresh_libjvm, build_hotspot_first, 
bootjdk and buildjdkver variables, as we don't build a JDK here +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Disable tzdata tests until we are on the latest JDK and things are back in sync +- Use empty nss.fips.cfg until it is again available via the FIPS patch +- Related: RHEL-12998 + +* Thu Aug 10 2023 Petra Alice Mikova - 1:18.0.2.0.9-1 +- Update to ea version of jdk18 +- Add new slave jwebserver and corresponding manpage +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +- Related: RHEL-12998 + +* Thu Aug 10 2023 FeRD (Frank Dana) - 1:18.0.2.0.9-1 +- Add javaver- and origin-specific javadoc and javadoczip alternatives. +- Related: RHEL-12998 + +* Tue Aug 08 2023 Andrew Hughes - 1:17.0.7.0.7-4 +- Set portablerelease and portablerhel to use the CentOS 9 build +- Related: RHEL-12998 + * Tue Aug 08 2023 Andrew Hughes - 1:17.0.7.0.7-4 - Add files missed by centpkg import. - Related: rhbz#2192748