From 82db2fdb6ffc397ed97d813c96e916d36bf066b4 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Tue, 23 Sep 2025 14:04:18 +0100
Subject: [PATCH] Update to jdk-22.0.2+9 (GA)

- Update release notes with features of JDK 22
- Remove 21u FIPS patch and disable use until we are ready for the 25 version

Related: RHEL-100678
---
 .gitignore | 1 +
 NEWS | 3547 +------------------------------
 fips-21u-9203d50836c.patch | 4234 ------------------------------------
 java-25-openjdk.spec | 19 +-
 sources | 2 +-
 5 files changed, 127 insertions(+), 7676 deletions(-)
 delete mode 100644 fips-21u-9203d50836c.patch

diff --git a/.gitignore b/.gitignore
index a26ed1b..e2d328c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@
 /openjdk-21.0.8+2-ea.tar.xz
 /openjdk-21.0.8+8-ea.tar.xz
 /openjdk-21.0.8+9.tar.xz
+/openjdk-22.0.2+9.tar.xz
diff --git a/NEWS b/NEWS
index 86b331e..196660d 100644
--- a/NEWS
+++ b/NEWS
@@ -3,3235 +3,11 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 21.0.8 (2025-07-15): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk2108 - -* CVEs - - CVE-2025-30749 - - CVE-2025-30754 - - CVE-2025-50059 - - CVE-2025-50106 -* Changes - - JDK-6956385: URLConnection.getLastModified() leaks file handles for jar:file and file: URLs - - JDK-8051591: Test javax/swing/JTabbedPane/8007563/Test8007563.java fails - - JDK-8136895: Writer not closed with disk full error, file resource leaked - - JDK-8180450: secondary_super_cache does not scale well - - JDK-8183348: Better cleanup for jdk/test/sun/security/pkcs12/P12SecretKey.java - - JDK-8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails - - JDK-8202100: Merge vm/share/InMemoryJavaCompiler w/ jdk/test/lib/compiler/InMemoryJavaCompiler - - JDK-8210471: GZIPInputStream constructor could leak an un-end()ed Inflater - - JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong value - - JDK-8220213: com/sun/jndi/dns/ConfigTests/Timeout.java failed intermittent - - JDK-8249831: Test sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java is marked with @ignore - - JDK-8253440: serviceability/sa/TestJhsdbJstackLineNumbers.java failed with "Didn't find enough line numbers" - - JDK-8256211: assert fired in java/net/httpclient/DependentPromiseActionsTest (infrequent) - - JDK-8258483: [TESTBUG] gtest CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is too small - - JDK-8267174: Many test files have the wrong Copyright header - - JDK-8270269: Desktop.browse method fails if earlier CoInitialize call as COINIT_MULTITHREADED - - JDK-8276995: Bug in jdk.jfr.event.gc.collection.TestSystemGC - - JDK-8279016: JFR Leak Profiler is broken with 
Shenandoah - - JDK-8280991: [XWayland] No displayChanged event after setDisplayMode call - - JDK-8281511: java/net/ipv6tests/UdpTest.java fails with checkTime failed - - JDK-8282726: java/net/vthread/BlockingSocketOps.java timeout/hang intermittently on Windows - - JDK-8286204: [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS - - JDK-8286789: Test forceEarlyReturn002.java timed out - - JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native - - JDK-8294155: Exception thrown before awaitAndCheck hangs PassFailJFrame - - JDK-8295804: javax/swing/JFileChooser/JFileChooserSetLocationTest.java failed with "setLocation() is not working properly" - - JDK-8297692: Avoid sending per-region GCPhaseParallel JFR events in G1ScanCollectionSetRegionClosure - - JDK-8303770: Remove Baltimore root certificate expiring in May 2025 - - JDK-8305010: Test vmTestbase/nsk/jvmti/scenarios/sampling/SP05/sp05t003/TestDescription.java timed out: thread not suspended - - JDK-8307318: Test serviceability/sa/ClhsdbCDSJstackPrintAll.java failed: ArrayIndexOutOfBoundsException - - JDK-8307824: Clean up Finalizable.java and finalize terminology in vmTestbase/nsk/share - - JDK-8308033: The jcmd thread dump related tests should test virtual threads - - JDK-8308966: Add intrinsic for float/double modulo for x86 AVX2 and AVX512 - - JDK-8309667: TLS handshake fails because of ConcurrentModificationException in PKCS12KeyStore.engineGetEntry - - JDK-8309841: Jarsigner should print a warning if an entry is removed - - JDK-8309978: [x64] Fix useless padding - - JDK-8310066: Improve test coverage for JVMTI GetThreadState on carrier and mounted vthread - - JDK-8310525: DynamicLauncher for JDP test needs to try harder to find a free port - - JDK-8310643: Misformatted copyright messages in FFM - - JDK-8312246: NPE when HSDB visits bad oop - - JDK-8312475: org.jline.util.PumpReader signed byte problem 
- - JDK-8313290: Misleading exception message from STS.Subtask::get when task forked after shutdown - - JDK-8313430: [JVMCI] fatal error: Never compilable: in JVMCI shutdown - - JDK-8313654: Test WaitNotifySuspendedVThreadTest.java timed out - - JDK-8314056: Remove runtime platform check from frem/drem - - JDK-8314136: Test java/net/httpclient/CancelRequestTest.java failed: WARNING: tracker for HttpClientImpl(42) has outstanding operations - - JDK-8314236: Overflow in Collections.rotate - - JDK-8314319: LogCompilation doesn't reset lateInlining when it encounters a failure. - - JDK-8314840: 3 gc/epsilon tests ignore external vm options - - JDK-8314842: zgc/genzgc tests ignore vm flags - - JDK-8315128: jdk/jfr/event/runtime/TestResidentSetSizeEvent.java fails with "The size should be less than or equal to peak" - - JDK-8315484: java/awt/dnd/RejectDragDropActionTest.java timed out - - JDK-8315669: Open source several Swing PopupMenu related tests - - JDK-8315742: Open source several Swing Scroll related tests - - JDK-8315827: Kitchensink.java and RenaissanceStressTest.java time out with jvmti module errors - - JDK-8315871: Opensource five more Swing regression tests - - JDK-8315876: Open source several Swing CSS related tests - - JDK-8315951: Open source several Swing HTMLEditorKit related tests - - JDK-8315981: Opensource five more random Swing tests - - JDK-8316061: Open source several Swing RootPane and Slider related tests - - JDK-8316324: Opensource five miscellaneous Swing tests - - JDK-8316388: Opensource five Swing component related regression tests - - JDK-8316452: java/lang/instrument/modules/AppendToClassPathModuleTest.java ignores VM flags - - JDK-8316497: ColorConvertOp - typo for non-ICC conversions needs one-line fix - - JDK-8316580: HttpClient with StructuredTaskScope does not close when a task fails - - JDK-8316629: j.text.DateFormatSymbols setZoneStrings() exception is unhelpful - - JDK-8317264: Pattern.Bound has `static` fields that should be 
`static final`. - - JDK-8318509: x86 count_positives intrinsic broken for -XX:AVX3Threshold=0 - - JDK-8318636: Add jcmd to print annotated process memory map - - JDK-8318700: MacOS Zero cannot run gtests due to wrong JVM path - - JDK-8318811: Compiler directives parser swallows a character after line comments - - JDK-8318915: Enhance checks in BigDecimal.toPlainString() - - JDK-8319439: Move BufferNode from PtrQueue files to new files - - JDK-8319572: Test jdk/incubator/vector/LoadJsvmlTest.java ignores VM flags - - JDK-8319690: [AArch64] C2 compilation hits offset_ok_for_immed: assert "c2 compiler bug" - - JDK-8320687: sun.jvmstat.monitor.MonitoredHost.getMonitoredHost() throws unexpected exceptions when invoked concurrently - - JDK-8320948: NPE due to unreported compiler error - - JDK-8321204: C2: assert(false) failed: node should be in igvn hash table - - JDK-8321479: java -D-D crashes - - JDK-8321931: memory_swap_current_in_bytes reports 0 as "unlimited" - - JDK-8322141: SequenceInputStream.transferTo should not return as soon as Long.MAX_VALUE bytes have been transferred - - JDK-8322475: Extend printing for System.map - - JDK-8323795: jcmd Compiler.codecache should print total size of code cache - - JDK-8324345: Stack overflow during C2 compilation when splitting memory phi - - JDK-8324678: Replace NULL with nullptr in HotSpot gtests - - JDK-8324681: Replace NULL with nullptr in HotSpot jtreg test native code files - - JDK-8324799: Use correct extension for C++ test headers - - JDK-8324880: Rename get_stack_trace.h - - JDK-8325055: Rename Injector.h - - JDK-8325180: Rename jvmti_FollowRefObjects.h - - JDK-8325347: Rename native_thread.h - - JDK-8325367: Rename nsk_list.h - - JDK-8325435: [macos] Menu or JPopupMenu not closed when main window is resized - - JDK-8325456: Rename nsk_mutex.h - - JDK-8325458: Rename mlvmJvmtiUtils.h - - JDK-8325680: Uninitialised memory in deleteGSSCB of GSSLibStub.c:179 - - JDK-8325682: Rename nsk_strace.h - - JDK-8325910: Rename 
jnihelper.h - - JDK-8326090: Rename jvmti_aod.h - - JDK-8326389: [test] improve assertEquals failure output - - JDK-8326524: Rename agent_common.h - - JDK-8326586: Improve Speed of System.map - - JDK-8327071: [Testbug] g-tests for cgroup leave files in /tmp on linux - - JDK-8327169: serviceability/dcmd/vm/SystemMapTest.java and SystemDumpMapTest.java may fail after JDK-8326586 - - JDK-8327370: (ch) sun.nio.ch.Poller.register throws AssertionError - - JDK-8327461: KeyStore getEntry is not thread-safe - - JDK-8328107: Shenandoah/C2: TestVerifyLoopOptimizations test failure - - JDK-8328301: Convert Applet test ManualHTMLDataFlavorTest.java to main program - - JDK-8328482: Convert and Open source few manual applet test to main based - - JDK-8328484: Convert and Opensource few JFileChooser applet test to main - - JDK-8328648: Remove applet usage from JFileChooser tests bug4150029 - - JDK-8328670: Automate and open source few closed manual applet test - - JDK-8328673: Convert closed text/html/CSS manual applet test to main - - JDK-8328864: NullPointerException in sun.security.jca.ProviderList.getService() - - JDK-8329261: G1: interpreter post-barrier x86 code asserts index size of wrong buffer - - JDK-8329729: java/util/Properties/StoreReproducibilityTest.java times out - - JDK-8330106: C2: VectorInsertNode::make() shouldn't call ConINode::make() directly - - JDK-8330158: C2: Loop strip mining uses ABS with min int - - JDK-8330534: Update nsk/jdwp tests to use driver instead of othervm - - JDK-8330598: java/net/httpclient/Http1ChunkedTest.java fails with java.util.MissingFormatArgumentException: Format specifier '%s' - - JDK-8330936: [ubsan] exclude function BilinearInterp and ShapeSINextSpan in libawt java2d from ubsan checks - - JDK-8331088: Incorrect TraceLoopPredicate output - - JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor - - JDK-8332252: Clean up vmTestbase/vm/share - - JDK-8332506: SIGFPE In 
ObjectSynchronizer::is_async_deflation_needed() - - JDK-8332631: Update nsk.share.jpda.BindServer to don't use finalization - - JDK-8332641: Update nsk.share.jpda.Jdb to don't use finalization - - JDK-8332880: JFR GCHelper class recognizes "Archive" regions as valid - - JDK-8332921: Ctrl+C does not call shutdown hooks after JLine upgrade - - JDK-8333013: Update vmTestbase/nsk/share/LocalProcess.java to don't use finalization - - JDK-8333117: Remove support of remote and manual debuggee launchers - - JDK-8333680: com/sun/tools/attach/BasicTests.java fails with "SocketException: Permission denied: connect" - - JDK-8333805: Replaying compilation with null static final fields results in a crash - - JDK-8333890: Fatal error in auto-vectorizer with float16 kernel. - - JDK-8334644: Automate javax/print/attribute/PageRangesException.java - - JDK-8334780: Crash: assert(h_array_list.not_null()) failed: invariant - - JDK-8334895: OpenJDK fails to configure on linux aarch64 when CDS is disabled after JDK-8331942 - - JDK-8335181: Incorrect handling of HTTP/2 GOAWAY frames in HttpClient - - JDK-8335643: serviceability/dcmd/vm tests fail for ZGC after JDK-8322475 - - JDK-8335662: [AArch64] C1: guarantee(val < (1ULL << nbits)) failed: Field too big for insn - - JDK-8335684: Test ThreadCpuTime.java should pause like ThreadCpuTimeArray.java - - JDK-8335710: serviceability/dcmd/vm/SystemDumpMapTest.java and SystemMapTest.java fail on Linux Alpine after 8322475 - - JDK-8335836: serviceability/jvmti/StartPhase/AllowedFunctions/AllowedFunctions.java fails with unexpected exit code: 112 - - JDK-8335860: compiler/vectorization/TestFloat16VectorConvChain.java fails with non-standard AVX/SSE settings - - JDK-8336042: Caller/callee param size mismatch in deoptimization causes crash - - JDK-8336499: Failure when creating non-CRT RSA private keys in SunPKCS11 - - JDK-8336587: failure_handler lldb command times out on macosx-aarch64 core file - - JDK-8336827: 
compiler/vectorization/TestFloat16VectorConvChain.java timeouts on ppc64 platforms after JDK-8335860 - - JDK-8337221: CompileFramework: test library to conveniently compile java and jasm sources for fuzzing - - JDK-8337299: vmTestbase/nsk/jdb/stop_at/stop_at002/stop_at002.java failure goes undetected - - JDK-8337681: PNGImageWriter uses much more memory than necessary - - JDK-8337795: Type annotation attached to incorrect type during class reading - - JDK-8337958: Out-of-bounds array access in secondary_super_cache - - JDK-8337981: ShenandoahHeap::is_in should check for alive regions - - JDK-8337998: CompletionFailure in getEnclosingType attaching type annotations - - JDK-8338010: WB_IsFrameDeoptimized miss ResourceMark - - JDK-8338064: Give better error for ConcurrentHashTable corruption - - JDK-8338136: Hotspot should support multiple large page sizes on Windows - - JDK-8338154: Fix -Wzero-as-null-pointer-constant warnings in gtest framework - - JDK-8338202: Shenandoah: Improve handshake closure labels - - JDK-8338314: JFR: Split JFRCheckpoint VM operation - - JDK-8339148: Make os::Linux::active_processor_count() public - - JDK-8339288: Improve diagnostic logging runtime/cds/DeterministicDump.java - - JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm gtest fails on ppc64 based platforms - - JDK-8339538: Wrong timeout computations in DnsClient - - JDK-8339639: Opensource few AWT PopupMenu tests - - JDK-8339678: Update runtime/condy tests to be executed with VM flags - - JDK-8339727: Open source several AWT focus tests - series 1 - - JDK-8339769: Incorrect error message during startup if working directory does not exist - - JDK-8339794: Open source closed choice tests #1 - - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract - - JDK-8339836: Open source several AWT Mouse tests - Batch 1 - - JDK-8339842: Open source several AWT focus tests - series 2 - - JDK-8339895: Open source several AWT focus 
tests - series 3 - - JDK-8339906: Open source several AWT focus tests - series 4 - - JDK-8339935: Open source several AWT focus tests - series 5 - - JDK-8339982: Open source several AWT Mouse tests - Batch 2 - - JDK-8339984: Open source AWT MenuItem related tests - - JDK-8339995: Open source several AWT focus tests - series 6 - - JDK-8340024: In ClassReader, extract a constant for the superclass supertype_index - - JDK-8340077: Open source few Checkbox tests - Set2 - - JDK-8340084: Open source AWT Frame related tests - - JDK-8340143: Open source several Java2D rendering loop tests. - - JDK-8340146: ZGC: TestAllocateHeapAt.java should not run with UseLargePages - - JDK-8340164: Open source few Component tests - Set1 - - JDK-8340173: Open source some Component/Panel/EventQueue tests - Set2 - - JDK-8340176: Replace usage of -noclassgc with -Xnoclassgc in test/jdk/java/lang/management/MemoryMXBean/LowMemoryTest2.java - - JDK-8340193: Open source several AWT Dialog tests - Batch 1 - - JDK-8340228: Open source couple more miscellaneous AWT tests - - JDK-8340271: Open source several AWT Robot tests - - JDK-8340279: Open source several AWT Dialog tests - Batch 2 - - JDK-8340332: Open source mixed AWT tests - Set3 - - JDK-8340366: Open source several AWT Dialog tests - Batch 3 - - JDK-8340367: Opensource few AWT image tests - - JDK-8340393: Open source closed choice tests #2 - - JDK-8340407: Open source a few more Component related tests - - JDK-8340417: Open source some MenuBar tests - Set1 - - JDK-8340432: Open source some MenuBar tests - Set2 - - JDK-8340433: Open source closed choice tests #3 - - JDK-8340437: Open source few more AWT Frame related tests - - JDK-8340458: Open source additional Component tests (part 2) - - JDK-8340555: Open source DnD tests - Set4 - - JDK-8340560: Open Source several AWT/2D font and rendering tests - - JDK-8340605: Open source several AWT PopupMenu tests - - JDK-8340621: Open source several AWT List tests - - JDK-8340625: Open source 
additional Component tests (part 3) - - JDK-8340639: Open source few more AWT List tests - - JDK-8340713: Open source DnD tests - Set5 - - JDK-8340784: Remove PassFailJFrame constructor with screenshots - - JDK-8340790: Open source several AWT Dialog tests - Batch 4 - - JDK-8340809: Open source few more AWT PopupMenu tests - - JDK-8340874: Open source some of the AWT Geometry/Button tests - - JDK-8340907: Open source closed frame tests # 2 - - JDK-8340966: Open source few Checkbox and Cursor tests - Set1 - - JDK-8340967: Open source few Cursor tests - Set2 - - JDK-8340978: Open source few DnD tests - Set6 - - JDK-8340985: Open source some Desktop related tests - - JDK-8341000: Open source some of the AWT Window tests - - JDK-8341004: Open source AWT FileDialog related tests - - JDK-8341072: Open source several AWT Canvas and Rectangle related tests - - JDK-8341128: open source some 2d graphics tests - - JDK-8341148: Open source several Choice related tests - - JDK-8341162: Open source some of the AWT window test - - JDK-8341170: Open source several Choice related tests (part 2) - - JDK-8341177: Opensource few List and a Window test - - JDK-8341191: Open source few more AWT FileDialog tests - - JDK-8341239: Open source closed frame tests # 3 - - JDK-8341257: Open source few DND tests - Set1 - - JDK-8341258: Open source few various AWT tests - Set1 - - JDK-8341278: Open source few TrayIcon tests - Set7 - - JDK-8341298: Open source more AWT window tests - - JDK-8341373: Open source closed frame tests # 4 - - JDK-8341378: Open source few TrayIcon tests - Set8 - - JDK-8341447: Open source closed frame tests # 5 - - JDK-8341535: sun/awt/font/TestDevTransform.java fails with RuntimeException: Different rendering - - JDK-8341637: java/net/Socket/UdpSocket.java fails with "java.net.BindException: Address already in use" (macos-aarch64) - - JDK-8341779: [REDO BACKPORT] type annotations are not visible to javac plugins across compilation boundaries (JDK-8225377) - - 
JDK-8341972: java/awt/dnd/DnDRemoveFocusOwnerCrashTest.java timed out after JDK-8341257 - - JDK-8342075: HttpClient: improve HTTP/2 flow control checks - - JDK-8342376: More reliable OOM handling in ExceptionDuringDumpAtObjectsInitPhase test - - JDK-8342524: Use latch in AbstractButton/bug6298940.java instead of delay - - JDK-8342633: javax/management/security/HashedPasswordFileTest.java creates tmp file in src dir - - JDK-8342958: Use jvmArgs consistently in microbenchmarks - - JDK-8343019: Primitive caches must use boxed instances from the archive - - JDK-8343037: Missing @since tag on JColorChooser.showDialog overload - - JDK-8343103: Enable debug logging for vmTestbase/nsk/jvmti/scenarios/sampling/SP05/sp05t003/TestDescription.java - - JDK-8343124: Tests fails with java.lang.IllegalAccessException: class com.sun.javatest.regtest.agent.MainWrapper$MainTask cannot access - - JDK-8343144: UpcallLinker::on_entry racingly clears pending exception with GC safepoints - - JDK-8343170: java/awt/Cursor/JPanelCursorTest/JPanelCursorTest.java does not show the default cursor - - JDK-8343224: print/Dialog/PaperSizeError.java fails with MediaSizeName is not A4: A4 - - JDK-8343342: java/io/File/GetXSpace.java fails on Windows with CD-ROM drive - - JDK-8343345: Use -jvmArgsPrepend when running microbenchmarks in RunTests.gmk - - JDK-8343529: serviceability/sa/ClhsdbWhere.java fails AssertionFailure: Corrupted constant pool - - JDK-8343754: Problemlist jdk/jfr/event/oldobject/TestShenandoah.java after JDK-8279016 - - JDK-8343855: HTTP/2 ConnectionWindowUpdateSender may miss some unprocessed DataFrames from closed streams - - JDK-8343891: Test javax/swing/JTabbedPane/TestJTabbedPaneBackgroundColor.java failed - - JDK-8343936: Adjust timeout in test javax/management/monitor/DerivedGaugeMonitorTest.java - - JDK-8344316: security/auth/callback/TextCallbackHandler/Password.java make runnable with JTReg and add the UI - - JDK-8344346: java/net/httpclient/ShutdownNow.java fails with 
java.lang.AssertionError: client was still running, but exited after further delay: timeout should be adjusted - - JDK-8344361: Restore null return for invalid services from legacy providers - - JDK-8344414: ZGC: Another division by zero in rule_major_allocation_rate - - JDK-8344925: translet-name ignored when package-name is also set - - JDK-8345133: Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout - - JDK-8345134: Test sun/security/tools/jarsigner/ConciseJarsigner.java failed: unable to find valid certification path to requested target - - JDK-8345146: [PPC64] Make intrinsic conversions between bit representations of half precision values and floats - - JDK-8345341: Fix incorrect log message in JDI stop002t test - - JDK-8345357: test/jdk/javax/swing/JRadioButton/8033699/bug8033699.java fails in ubuntu22.04 - - JDK-8345447: test/jdk/javax/swing/JToolBar/4529206/bug4529206.java fails in ubuntu22.04 - - JDK-8345547: test/jdk/javax/swing/text/DefaultEditorKit/4278839/bug4278839.java fails in ubuntu22.04 - - JDK-8345598: Upgrade NSS binaries for interop tests - - JDK-8345625: Better HTTP connections - - JDK-8345728: [Accessibility,macOS,Screen Magnifier]: JCheckbox unchecked state does not magnify but works for checked state - - JDK-8345838: Remove the appcds/javaldr/AnonVmClassesDuringDump.java test - - JDK-8346049: jdk/test/lib/security/timestamp/TsaServer.java warnings - - JDK-8346082: Output JVMTI agent information in hserr files - - JDK-8346264: "Total compile time" counter should include time spent in failing/bailout compiles - - JDK-8346581: JRadioButton/ButtonGroupFocusTest.java fails in CI on Linux - - JDK-8346888: [ubsan] block.cpp:1617:30: runtime error: 9.97582e+36 is outside the range of representable values of type 'int' - - JDK-8347000: Bug in com/sun/net/httpserver/bugs/B6361557.java test - - JDK-8347019: Test javax/swing/JRadioButton/8033699/bug8033699.java still fails: Focus is not on Radio Button Single as 
Expected - - JDK-8347083: Incomplete logging in nsk/jvmti/ResourceExhausted/resexhausted00* tests - - JDK-8347126: gc/stress/TestStressG1Uncommit.java gets OOM-killed - - JDK-8347173: java/net/DatagramSocket/InterruptibleDatagramSocket.java fails with virtual thread factory - - JDK-8347286: (fs) Remove some extensions from java/nio/file/Files/probeContentType/Basic.java - - JDK-8347296: WinInstallerUiTest fails in local test runs if the path to test work directory is longer that regular - - JDK-8347373: HTTP/2 flow control checks may count unprocessed data twice - - JDK-8347506: Compatible OCSP readtimeout property with OCSP timeout - - JDK-8347596: Update HSS/LMS public key encoding - - JDK-8347629: Test FailOverDirectExecutionControlTest.java fails with -Xcomp - - JDK-8347995: Race condition in jdk/java/net/httpclient/offline/FixedResponseHttpClient.java - - JDK-8348107: test/jdk/java/net/httpclient/HttpsTunnelAuthTest.java fails intermittently - - JDK-8348110: Update LCMS to 2.17 - - JDK-8348299: Update List/ItemEventTest/ItemEventTest.java - - JDK-8348323: Corrupted timezone string in JVM crash log - - JDK-8348596: Update FreeType to 2.13.3 - - JDK-8348597: Update HarfBuzz to 10.4.0 - - JDK-8348598: Update Libpng to 1.6.47 - - JDK-8348600: Update PipeWire to 1.3.81 - - JDK-8348865: JButton/bug4796987.java never runs because Windows XP is unavailable - - JDK-8348936: [Accessibility,macOS,VoiceOver] VoiceOver doesn't announce untick on toggling the checkbox with "space" key on macOS - - JDK-8348989: Better Glyph drawing - - JDK-8349111: Enhance Swing supports - - JDK-8349200: [JMH] time.format.ZonedDateTimeFormatterBenchmark fails - - JDK-8349348: Refactor ClassLoaderDeadlock.sh and Deadlock.sh to run fully in java - - JDK-8349358: [JMH] Cannot access class jdk.internal.vm.ContinuationScope - - JDK-8349492: Update sun/security/pkcs12/KeytoolOpensslInteropTest.java to use a recent Openssl version - - JDK-8349501: Relocate supporting classes in security/testlibrary 
to test/lib/jdk tree - - JDK-8349594: Enhance TLS protocol support - - JDK-8349623: [ASAN] Gtest os_linux.glibc_mallinfo_wrapper_vm fails - - JDK-8349637: Integer.numberOfLeadingZeros outputs incorrectly in certain cases - - JDK-8349751: AIX build failure after upgrade pipewire to 1.3.81 - - JDK-8350201: Out of bounds access on Linux aarch64 in os::print_register_info - - JDK-8350211: CTW: Attempt to preload all classes in constant pool - - JDK-8350224: Test javax/swing/JComboBox/TestComboBoxComponentRendering.java fails in ubuntu 23.x and later - - JDK-8350260: Improve HTML instruction formatting in PassFailJFrame - - JDK-8350313: Include timings for leaving safepoint in safepoint logging - - JDK-8350383: Test: add more test case for string compare (UL case) - - JDK-8350386: Test TestCodeCacheFull.java fails with option -XX:-UseCodeCacheFlushing - - JDK-8350412: [21u] AArch64: Ambiguous frame layout leads to incorrect traces in JFR - - JDK-8350483: AArch64: turn on signum intrinsics by default on Ampere CPUs - - JDK-8350498: Remove two Camerfirma root CA certificates - - JDK-8350546: Several java/net/InetAddress tests fails UnknownHostException - - JDK-8350616: Skip ValidateHazardPtrsClosure in non-debug builds - - JDK-8350650: Bump update version for OpenJDK: jdk-21.0.8 - - JDK-8350682: [JMH] vector.IndexInRangeBenchmark failed with IndexOutOfBoundsException for size=1024 - - JDK-8350786: Some java/lang jtreg tests miss requires vm.hasJFR - - JDK-8350924: javax/swing/JMenu/4213634/bug4213634.java fails - - JDK-8350991: Improve HTTP client header handling - - JDK-8351086: (fc) Make java/nio/channels/FileChannel/BlockDeviceSize.java test manual - - JDK-8351500: G1: NUMA migrations cause crashes in region allocation - - JDK-8351665: Remove unused UseNUMA in os_aix.cpp - - JDK-8351933: Inaccurate masking of TC subfield decrement in ForkJoinPool - - JDK-8352076: [21u] Problem list tests that fail in 21 and would be fixed by 8309622 - - JDK-8352109: 
java/awt/Desktop/MailTest.java fails in platforms where Action.MAIL is not supported - - JDK-8352302: Test sun/security/tools/jarsigner/TimestampCheck.java is failing - - JDK-8352512: TestVectorZeroCount: counter not reset between iterations - - JDK-8352676: Opensource JMenu tests - series1 - - JDK-8352680: Opensource few misc swing tests - - JDK-8352684: Opensource JInternalFrame tests - series1 - - JDK-8352706: httpclient HeadTest does not run on HTTP2 - - JDK-8352716: (tz) Update Timezone Data to 2025b - - JDK-8352908: Open source several swing tests batch1 - - JDK-8352942: jdk/jfr/startupargs/TestMemoryOptions.java fails with 32-bit build - - JDK-8353070: Clean up and open source couple AWT Graphics related tests (Part 1) - - JDK-8353138: Screen capture for test TaskbarPositionTest.java, failure case - - JDK-8353190: Use "/native" Run Option for TestAvailableProcessors Execution - - JDK-8353237: [AArch64] Incorrect result of VectorizedHashCode intrinsic on Cortex-A53 - - JDK-8353320: Open source more Swing text tests - - JDK-8353446: Open source several AWT Menu tests - Batch 2 - - JDK-8353475: Open source two Swing DefaultCaret tests - - JDK-8353685: Open some JComboBox bugs 4 - - JDK-8353709: Debug symbols bundle should contain full debug files when building --with-external-symbols-in-bundles=public - - JDK-8353787: Increased number of SHA-384-Digest java.util.jar.Attributes$Name instances leading to higher memory footprint - - JDK-8353942: Open source Swing Tests - Set 5 - - JDK-8354255: [jittester] Remove TempDir debug output - - JDK-8354530: AIX: sporadic unexpected errno when calling setsockopt in Net.joinOrDrop - - JDK-8354554: Open source several clipboard tests batch1 - - JDK-8354802: MAX_SECS definition is unused in os_linux - - JDK-8354893: [REDO BACKPORT] javac crashes while adding type annotations to the return type of a constructor (JDK-8320001) - - JDK-8355498: [AIX] Adapt code for C++ VLA rule - - JDK-8356053: Test 
java/awt/Toolkit/Headless/HeadlessToolkit.java fails by timeout - - JDK-8356096: ISO 4217 Amendment 179 Update - - JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS - - JDK-8357105: C2: compilation fails with "assert(false) failed: empty program detected during loop optimization" - - JDK-8357193: [VS 2022 17.14] Warning C5287 in debugInit.c: enum type mismatch during build - - JDK-8359170: Add 2 TLS and 2 CS Sectigo roots - - JDK-8360147: Better Glyph drawing redux - - JDK-8360406: [21u] Disable logic for attaching type annotations to class files until 8359336 is fixed - - JDK-8361672: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.8 - -Notes on individual issues: -=========================== - -tools/javac: - -JDK-8341779: [REDO BACKPORT] type annotations are not visible to javac plugins across compilation boundaries (JDK-8225377) -========================================================================================================================== -The compiler in previous releases of OpenJDK 21 would only provide -access to type annotations on types loaded from source code files. If -the type was instead loaded from bytecode, then any type annotations -would be absent. - -With this release, `TypeMirror` now provides access to annotations for -types loaded from bytecode. These type annotations can be obtained -using `AnnotationMirror#getAnnotationMirrors` and will be included in -the output of `AnnotationMirror#toString`. - -Programs that rely on type annotations being absent from elements -loaded from bytecode will need to be updated accordingly. Due to -ongoing issues with this new feature (see JDK-8360406), it is not -enabled by default and the option `-XDaddTypeAnnotationsToSymbol=true` -must be specified in order for bytecode type annotations to be -included. 
- -core-libs/java.net: - -JDK-8342075: HttpClient: improve HTTP/2 flow control checks -=========================================================== -This release of OpenJDK 21 enhances the HTTP/2 client implementation -in `java.net.http.HttpClient` to report flow control errors back to -the server. While this should be transparent in most cases, it may -lead to streams being reset or connections being closed if connecting -to a HTTP/2 server that does not correctly handle these errors. - -Flow control limits can be adjusted using the following existing -properties: - -* `jdk.httpclient.connectionWindowSize` - - Specifies the HTTP/2 client connection window size in bytes. - - Default value: `2^26` - - Range: `2^16-1` to `2^31-1`. - -* `jdk.httpclient.windowSize` - - Specifies the HTTP/2 client stream window size in bytes. - - Default value: `16777216` (16MB) - - Range: `2^14` to `2^31-1` - -Specifying an invalid value leads to the default value being used. -The implementation guarantees that the actual value used for the -connection window size will be no smaller than the stream window size. - -hotspot/runtime: - -JDK-8318636: Add jcmd to print annotated process memory map -=========================================================== -Two new diagnostic commands have been added to `jcmd`, which print the -virtual memory map of the JVM either to standard output or a file. If -Native Memory Tracking (NMT) is enabled, NMT information about the -virtual memory segments will be included. - -The new commands are: - -* `jcmd System.map` -- prints the virtual memory map of the JVM -identified by `` to the standard output. - -* `jcmd System.dump_map` -- prints the virtual memory map of the -JVM identified by `` to a file `vm_memory_map_.txt` in the -current directory. 
- -security-libs/java.security: - -JDK-8303770: Remove Baltimore root certificate expiring in May 2025 -=================================================================== -The following root certificate from Baltimore has been removed from -the `cacerts` keystore: - -Alias Name: baltimorecybertrustca [jdk] -Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE - -JDK-8347506: Compatible OCSP readtimeout property with OCSP timeout -=================================================================== -The initial release of OpenJDK 21 introduced the -`com.sun.security.ocsp.readtimeout` property, which was paired with -the existing `com.sun.security.ocsp.timeout` to give greater control -over the timeouts for OCSP connections and certificate retrieval. The -existence of two separate properties allows the timeout for reading -data to be set separately from the timeout for the transport layer. - -When `com.sun.security.ocsp.readtimeout` was backported to OpenJDK -17.0.15, the default value of `com.sun.security.ocsp.readtimeout` was -changed from 15 seconds to the value of -`com.sun.security.ocsp.timeout`, which itself has a default of 15 -seconds. This change is brought forward to OpenJDK 21 with this -release. - -If neither property is set, both will default to 15 seconds as in -previous OpenJDK 21 releases. If only `com.sun.security.ocsp.timeout` -is set, `com.sun.security.ocsp.readtimeout` will use the same value -which retains the behaviour from before the -`com.sun.security.ocsp.readtimeout` property was introduced. - -JDK-8347596: Update HSS/LMS public key encoding -=============================================== -The X.509 encoding format for HSS/LMS public keys has been updated to -align with the latest standard outlined in RFC 9708 [0]. Notably, the -OCTET_STRING wrapping around the public key value has been removed. 
-For compatibility, the JDK will still detect the presence of DER -encoding when reading keys encoded by earlier releases. - -[0] https://www.rfc-editor.org/rfc/rfc9708.html#name-hss-lms-public-key-identifi - -JDK-8350498: Remove two Camerfirma root CA certificates -======================================================= -The following expired root certificates from Camerfirma have been -removed from the `cacerts` keystore: - -Alias name: camerfirmachamberscommerceca [jdk] -CN=Chambers of Commerce Root -OU=http://www.chambersign.org -O=AC Camerfirma SA CIF A82743287 -C=EU -SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 - -Alias name: camerfirmachambersignca [jdk] -CN=Global Chambersign Root - 2008 -O=AC Camerfirma S.A. -SERIALNUMBER=A82743287 -L=Madrid (see current address at www.camerfirma.com/address) -C=EU -SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA - -JDK-8359170: Add 2 TLS and 2 CS Sectigo roots -============================================= -The following root certificates have been added to the cacerts -truststore: - -Name: Sectigo Limited -Alias Name: sectigocodesignroote46 -Distinguished Name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB - -Name: Sectigo Limited -Alias Name: sectigocodesignrootr46 -Distinguished Name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB - -Name: Sectigo Limited -Alias Name: sectigotlsroote46 -Distinguished Name: Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB - -Name: Sectigo Limited -Alias Name: sectigotlsrootr46 -Distinguished Name: Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB - -New in release OpenJDK 21.0.7 (2025-04-15): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk2107 - -* CVEs - - CVE-2025-21587 - - CVE-2025-30691 - - CVE-2025-30698 -* 
Changes
- - JDK-8198237: [macos] Test java/awt/Frame/ExceptionOnSetExtendedStateTest/ExceptionOnSetExtendedStateTest.java fails
- - JDK-8211851: (ch) java/nio/channels/AsynchronousSocketChannel/StressLoopback.java times out (aix)
- - JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB tab in JColorChooser
- - JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in FileChooser Dialog
- - JDK-8227529: With malformed --app-image the error messages are awful
- - JDK-8277240: java/awt/Graphics2D/ScaledTransform/ScaledTransform.java dialog does not get disposed
- - JDK-8283664: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintTextTest.java
- - JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native
- - JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
- - JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x
- - JDK-8295159: DSO created with -ffast-math breaks Java floating-point arithmetic
- - JDK-8302111: Serialization considerations
- - JDK-8304701: Request with timeout aborts later in-flight request on HTTP/1.1 cxn
- - JDK-8309841: Jarsigner should print a warning if an entry is removed
- - JDK-8311546: Certificate name constraints improperly validated with leading period
- - JDK-8312570: [TESTBUG] Jtreg compiler/loopopts/superword/TestDependencyOffsets.java fails on 512-bit SVE
- - JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/NextDropActionTest.java fails with java.lang.RuntimeException: wrong next drop action!
- - JDK-8313905: Checked_cast assert in CDS compare_by_loader
- - JDK-8314752: Use google test string comparison macros
- - JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails with java.lang.AssertionError: Expected [0].
Actual [1618]:
- - JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java timed out
- - JDK-8315825: Open some swing tests
- - JDK-8315882: Open some swing tests 2
- - JDK-8315883: Open source several Swing JToolbar tests
- - JDK-8315952: Open source several Swing JToolbar JTooltip JTree tests
- - JDK-8316056: Open source several Swing JTree tests
- - JDK-8316146: Open some swing tests 4
- - JDK-8316149: Open source several Swing JTree JViewport KeyboardManager tests
- - JDK-8316218: Open some swing tests 5
- - JDK-8316371: Open some swing tests 6
- - JDK-8316627: JViewport Test headless failure
- - JDK-8316885: jcmd: Compiler.CodeHeap_Analytics cmd does not inform about missing aggregate
- - JDK-8317283: jpackage tests run osx-specific checks on windows and linux
- - JDK-8317636: Improve heap walking API tests to verify correctness of field indexes
- - JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber registered
- - JDK-8317919: pthread_attr_init handle return value and destroy pthread_attr_t object
- - JDK-8319233: AArch64: Build failure with clang due to -Wformat-nonliteral warning
- - JDK-8320372: test/jdk/sun/security/x509/DNSName/LeadingPeriod.java validity check failed
- - JDK-8320676: Manual printer tests have no Pass/Fail buttons, instructions close set 1
- - JDK-8320691: Timeout handler on Windows takes 2 hours to complete
- - JDK-8320706: RuntimePackageTest.testUsrInstallDir test fails on Linux
- - JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded"
- - JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java failed with 'Cannot read the array length because "" is null'
- - JDK-8322983: Virtual Threads: exclude 2 tests
- - JDK-8324672: Update jdk/java/time/tck/java/time/TCKInstant.java now() to be more robust
- - JDK-8324807: Manual printer tests have no Pass/Fail buttons, instructions
close set 2
- - JDK-8324838: test_nmt_locationprinting.cpp broken in the gcc windows build
- - JDK-8325042: Remove unused JVMDITools test files
- - JDK-8325529: Remove unused imports from `ModuleGenerator` test file
- - JDK-8325659: Normalize Random usage by incubator vector tests
- - JDK-8325937: runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame pointer" assertion failure on AArch64
- - JDK-8326421: Add jtreg test for large arrayCopy disjoint case.
- - JDK-8326525: com/sun/tools/attach/BasicTests.java does not verify AgentLoadException case
- - JDK-8327098: GTest needs larger combination limit
- - JDK-8327390: JitTester: Implement temporary folder functionality
- - JDK-8327460: Compile tests with the same visibility rules as product code
- - JDK-8327476: Upgrade JLine to 3.26.1
- - JDK-8327505: Test com/sun/jmx/remote/NotificationMarshalVersions/TestSerializationMismatch.java fails
- - JDK-8327857: Remove applet usage from JColorChooser tests Test4222508
- - JDK-8327859: Remove applet usage from JColorChooser tests Test4319113
- - JDK-8327986: ASAN reports use-after-free in DirectivesParserTest.empty_object_vm
- - JDK-8327994: Update code gen in CallGeneratorHelper
- - JDK-8328005: Convert java/awt/im/JTextFieldTest.java applet test to main
- - JDK-8328085: C2: Use after free in PhaseChaitin::Register_Allocate()
- - JDK-8328121: Remove applet usage from JColorChooser tests Test4759306
- - JDK-8328130: Remove applet usage from JColorChooser tests Test4759934
- - JDK-8328185: Convert java/awt/image/MemoryLeakTest/MemoryLeakTest.java applet test to main
- - JDK-8328227: Remove applet usage from JColorChooser tests Test4887836
- - JDK-8328368: Convert java/awt/image/multiresolution/MultiDisplayTest/MultiDisplayTest.java applet test to main
- - JDK-8328370: Convert java/awt/print/Dialog/PrintApplet.java applet test to main
- - JDK-8328380: Remove applet usage from JColorChooser tests Test6348456
- - JDK-8328387: Convert
java/awt/Frame/FrameStateTest/FrameStateTest.html applet test to main
- - JDK-8328403: Remove applet usage from JColorChooser tests Test6977726
- - JDK-8328553: Get rid of JApplet in test/jdk/sanity/client/lib/SwingSet2/src/DemoModule.java
- - JDK-8328558: Convert javax/swing/JCheckBox/8032667/bug8032667.java applet test to main
- - JDK-8328717: Convert javax/swing/JColorChooser/8065098/bug8065098.java applet test to main
- - JDK-8328719: Convert java/awt/print/PageFormat/SetOrient.html applet test to main
- - JDK-8328730: Convert java/awt/print/bug8023392/bug8023392.html applet test to main
- - JDK-8328753: Open source few Undecorated Frame tests
- - JDK-8328819: Remove applet usage from JFileChooser tests bug6698013
- - JDK-8328827: Convert java/awt/print/PrinterJob/PrinterDialogsModalityTest/PrinterDialogsModalityTest.html applet test to main
- - JDK-8329210: Delete Redundant Printer Dialog Modality Test
- - JDK-8329320: Simplify awt/print/PageFormat/NullPaper.java test
- - JDK-8329322: Convert PageFormat/Orient.java to use PassFailJFrame
- - JDK-8329692: Add more details to FrameStateTest.java test instructions
- - JDK-8330647: Two CDS tests fail with -UseCompressedOops and UseSerialGC/UseParallelGC
- - JDK-8330702: Update failure handler to don't generate Error message if cores actions are empty
- - JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor
- - JDK-8331959: Update PKCS#11 Cryptographic Token Interface to v3.1
- - JDK-8331977: Crash: SIGSEGV in dlerror()
- - JDK-8331993: Add counting leading/trailing zero tests for Integer
- - JDK-8332158: [XWayland] test/jdk/java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java
- - JDK-8332494: java/util/zip/EntryCount64k.java failing with java.lang.RuntimeException: '\\A\\Z' missing from stderr
- - JDK-8332917: failure_handler should execute gdb "info threads" command on linux
- - JDK-8333116: test/jdk/tools/jpackage/share/ServiceTest.java test fails
- - JDK-8333360: PrintNullString.java
doesn't use float arguments
- - JDK-8333391: Test com/sun/jdi/InterruptHangTest.java failed: Thread was never interrupted during sleep
- - JDK-8333403: Write a test to check various components events are triggered properly
- - JDK-8333647: C2 SuperWord: some additional PopulateIndex tests
- - JDK-8334305: Remove all code for nsk.share.Log verbose mode
- - JDK-8334371: [AIX] Beginning with AIX 7.3 TL1 mmap() supports 64K memory pages
- - JDK-8334490: Normalize string with locale invariant `toLowerCase()`
- - JDK-8334777: Test javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java failed with NullPointerException
- - JDK-8335288: SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms
- - JDK-8335468: [XWayland] JavaFX hangs when calling java.awt.Robot.getPixelColor
- - JDK-8335789: [TESTBUG] XparColor.java test fails with Error. Parse Exception: Invalid or unrecognized bugid: @
- - JDK-8336012: Fix usages of jtreg-reserved properties
- - JDK-8336498: [macos] [build]: install-file macro may run into permission denied error
- - JDK-8336692: Redo fix for JDK-8284620
- - JDK-8336942: Improve test coverage for class loading elements with annotations of different retentions
- - JDK-8337222: gc/TestDisableExplicitGC.java fails due to unexpected CodeCache GC
- - JDK-8337494: Clarify JarInputStream behavior
- - JDK-8337660: C2: basic blocks with only BoxLock nodes are wrongly treated as empty
- - JDK-8337692: Better TLS connection support
- - JDK-8337886: java/awt/Frame/MaximizeUndecoratedTest.java fails in OEL due to a slight color difference
- - JDK-8337951: Test sun/security/validator/samedn.sh CertificateNotYetValidException: NotBefore validation
- - JDK-8337994: [REDO] Native memory leak when not recording any events
- - JDK-8338100: C2: assert(!n_loop->is_member(get_loop(lca))) failed: control must not be back in the loop
- - JDK-8338303: Linux ppc64le with toolchain clang - detection failure in early JVM startup
- - 
JDK-8338426: Test java/nio/channels/Selector/WakeupNow.java failed
- - JDK-8338430: Improve compiler transformations
- - JDK-8338571: [TestBug] DefaultCloseOperation.java test not working as expected wrt instruction after JDK-8325851 fix
- - JDK-8338595: Add more linesize for MIME decoder in macro bench test Base64Decode
- - JDK-8338668: Test javax/swing/JFileChooser/8080628/bug8080628.java doesn't test for GTK L&F
- - JDK-8339154: Cleanups and JUnit conversion of test/jdk/java/util/zip/Available.java
- - JDK-8339261: Logs truncated in test javax/net/ssl/DTLS/DTLSRehandshakeTest.java
- - JDK-8339356: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine
- - JDK-8339475: Clean up return code handling for pthread calls in library coding
- - JDK-8339524: Clean up a few ExtendedRobot tests
- - JDK-8339542: compiler/codecache/CheckSegmentedCodeCache.java fails
- - JDK-8339687: Rearrange reachabilityFence()s in jdk.test.lib.util.ForceGC
- - JDK-8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class
- - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
- - JDK-8339834: Replace usages of -mx and -ms in some tests
- - JDK-8339883: Open source several AWT/2D related tests
- - JDK-8339902: Open source couple TextField related tests
- - JDK-8339943: Frame not disposed in java/awt/dnd/DropActionChangeTest.java
- - JDK-8340078: Open source several 2D tests
- - JDK-8340116: test/jdk/sun/security/tools/jarsigner/PreserveRawManifestEntryAndDigest.java can fail due to regex
- - JDK-8340313: Crash due to invalid oop in nmethod after C1 patching
- - JDK-8340411: open source several 2D imaging tests
- - JDK-8340480: Bad copyright notices in changes from JDK-8339902
- - JDK-8340687: Open source closed frame tests #1
- - JDK-8340719: Open source AWT List tests
- - JDK-8340824: C2:
Memory for TypeInterfaces not reclaimed by hashcons()
- - JDK-8340969: jdk/jfr/startupargs/TestStartDuration.java should be marked as flagless
- - JDK-8341037: Use standard layouts in DefaultFrameIconTest.java and MenuCrash.java
- - JDK-8341111: open source several AWT tests including menu shortcut tests
- - JDK-8341135: Incorrect format string after JDK-8339475
- - JDK-8341194: [REDO] Implement C2 VectorizedHashCode on AArch64
- - JDK-8341316: [macos] javax/swing/ProgressMonitor/ProgressMonitorEscapeKeyPress.java fails sometimes in macos
- - JDK-8341412: Various test failures after JDK-8334305
- - JDK-8341424: GHA: Collect hs_errs from build time failures
- - JDK-8341453: java/awt/a11y/AccessibleJTableTest.java fails in some cases where the test tables are not visible
- - JDK-8341715: PPC64: ObjectMonitor::_owner should be reset unconditionally in nmethod unlocking
- - JDK-8341820: Check return value of hcreate_r
- - JDK-8341862: PPC64: C1 unwind_handler fails to unlock synchronized methods with LM_MONITOR
- - JDK-8341881: [REDO] java/nio/file/attribute/BasicFileAttributeView/CreationTime.java#tmp fails on alinux3
- - JDK-8341978: Improve JButton/bug4490179.java
- - JDK-8341982: Simplify JButton/bug4323121.java
- - JDK-8342098: Write a test to compare the images
- - JDK-8342145: File libCreationTimeHelper.c compile fails on Alpine
- - JDK-8342270: Test sun/security/pkcs11/Provider/RequiredMechCheck.java needs write access to src tree
- - JDK-8342498: Add test for Allocation elimination after use as alignment reference by SuperWord
- - JDK-8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay
- - JDK-8342541: Exclude List/KeyEventsTest/KeyEventsTest.java from running on macOS
- - JDK-8342562: Enhance Deflater operations
- - JDK-8342602: Remove JButton/PressedButtonRightClickTest test
- - JDK-8342609: jpackage test helper function incorrectly removes a directory instead of its contents only
- - JDK-8342634:
javax/imageio/plugins/wbmp/WBMPStreamTruncateTest.java creates temp file in src dir
- - JDK-8342635: javax/swing/JFileChooser/FileSystemView/WindowsDefaultIconSizeTest.java creates tmp file in src dir
- - JDK-8342704: GHA: Report truncation is broken after JDK-8341424
- - JDK-8342811: java/net/httpclient/PlainProxyConnectionTest.java failed: Unexpected connection count: 5
- - JDK-8342858: Make target mac-jdk-bundle fails on chmod command
- - JDK-8342988: GHA: Build JTReg in single step
- - JDK-8343007: Enhance Buffered Image handling
- - JDK-8343100: Consolidate EmptyFolderTest and EmptyFolderPackageTest jpackage tests into single java file
- - JDK-8343101: Rework BasicTest.testTemp test cases
- - JDK-8343102: Remove `--compress` from jlink command lines from jpackage tests
- - JDK-8343118: [TESTBUG] java/awt/PrintJob/PrintCheckboxTest/PrintCheckboxManualTest.java fails with rror. Can't find HTML file PrintCheckboxManualTest.html
- - JDK-8343128: PassFailJFrame.java test result: Error. Bad action for script: build}
- - JDK-8343129: Disable unstable check of ThreadsListHandle.sanity_vm ThreadList values
- - JDK-8343144: UpcallLinker::on_entry racingly clears pending exception with GC safepoints
- - JDK-8343149: Cleanup os::print_tos_pc on AIX
- - JDK-8343178: Test BasicTest.java javac compile fails cannot find symbol
- - JDK-8343205: CompileBroker::possibly_add_compiler_threads excessively polls available memory
- - JDK-8343314: Move common properties from jpackage jtreg test declarations to TEST.properties file
- - JDK-8343343: Misc crash dump improvements on more platforms after JDK-8294160
- - JDK-8343378: Exceptions in javax/management DeadLockTest.java do not cause test failure
- - JDK-8343396: Use OperatingSystem, Architecture, and OSVersion in jpackage tests
- - JDK-8343491: javax/management/remote/mandatory/connection/DeadLockTest.java failing with NoSuchObjectException: no such object in table
- - JDK-8343599: Kmem limit and max values swapped when printing
container information
- - JDK-8343882: BasicAnnoTests doesn't handle multiple annotations at the same position
- - JDK-8344275: tools/jpackage/windows/Win8301247Test.java fails on localized Windows platform
- - JDK-8344326: Move jpackage tests from "jdk.jpackage.tests" package to the default package
- - JDK-8344581: [TESTBUG] java/awt/Robot/ScreenCaptureRobotTest.java failing on macOS
- - JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19
- - JDK-8344646: The libjsig deprecation warning should go to stderr not stdout
- - JDK-8345296: AArch64: VM crashes with SIGILL when prctl is disallowed
- - JDK-8345368: java/io/File/createTempFile/SpecialTempFile.java fails on Windows Server 2025
- - JDK-8345370: Bump update version for OpenJDK: jdk-21.0.7
- - JDK-8345375: Improve debuggability of test/jdk/java/net/Socket/CloseAvailable.java
- - JDK-8345414: Google CAInterop test failures
- - JDK-8345468: test/jdk/javax/swing/JScrollBar/4865918/bug4865918.java fails in ubuntu22.04
- - JDK-8345569: [ubsan] adjustments to filemap.cpp and virtualspace.cpp for macOS aarch64
- - JDK-8345614: Improve AnnotationFormatError message for duplicate annotation interfaces
- - JDK-8345676: [ubsan] ProcessImpl_md.c:561:40: runtime error: applying zero offset to null pointer on macOS aarch64
- - JDK-8345684: OperatingSystemMXBean.getSystemCpuLoad() throws NPE
- - JDK-8345750: Shenandoah: Test TestJcmdHeapDump.java#aggressive intermittent assert(gc_cause() == GCCause::_no_gc) failed: Over-writing cause
- - JDK-8346055: javax/swing/text/StyledEditorKit/4506788/bug4506788.java fails in ubuntu22.04
- - JDK-8346108: [21u][BACKOUT] 8337994: [REDO] Native memory leak when not recording any events
- - JDK-8346324: javax/swing/JScrollBar/4865918/bug4865918.java fails in CI
- - JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
- - JDK-8346671: java/nio/file/Files/probeContentType/Basic.java fails on Windows 2025
- - JDK-8346713: [testsuite]
NeverActAsServerClassMachine breaks TestPLABAdaptToMinTLABSize.java TestPinnedHumongousFragmentation.java TestPinnedObjectContents.java
- - JDK-8346828: javax/swing/JScrollBar/4865918/bug4865918.java still fails in CI
- - JDK-8346847: [s390x] minimal build failure
- - JDK-8346880: [aix] java/lang/ProcessHandle/InfoTest.java still fails: "reported cputime less than expected"
- - JDK-8346881: [ubsan] logSelection.cpp:154:24 / logSelectionList.cpp:72:94 : runtime error: applying non-zero offset 1 to null pointer
- - JDK-8346887: DrawFocusRect() may cause an assertion failure
- - JDK-8346972: Test java/nio/channels/FileChannel/LoopingTruncate.java fails sometimes with IOException: There is not enough space on the disk
- - JDK-8347038: [JMH] jdk.incubator.vector.SpiltReplicate fails NoClassDefFoundError
- - JDK-8347129: cpuset cgroups controller is required for no good reason
- - JDK-8347171: (dc) java/nio/channels/DatagramChannel/InterruptibleOrNot.java fails with virtual thread factory
- - JDK-8347256: Epsilon: Demote heap size and AlwaysPreTouch warnings to info level
- - JDK-8347267: [macOS]: UnixOperatingSystem.c:67:40: runtime error: division by zero
- - JDK-8347268: [ubsan] logOutput.cpp:357:21: runtime error: applying non-zero offset 1 to null pointer
- - JDK-8347424: Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test
- - JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header
- - JDK-8347576: Error output in libjsound has non matching format strings
- - JDK-8347740: java/io/File/createTempFile/SpecialTempFile.java failing
- - JDK-8347847: Enhance jar file support
- - JDK-8347911: Limit the length of inflated text chunks
- - JDK-8347965: (tz) Update Timezone Data to 2025a
- - JDK-8348562: ZGC: segmentation fault due to missing node type check in barrier elision analysis
- - JDK-8348625: [21u, 17u] Revert JDK-8185862 to restore old java.awt.headless behavior on Windows
- - JDK-8348675: TrayIcon tests fail in Ubuntu 24.10 Wayland
- - 
JDK-8349039: Adjust exception No type named in database - - JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates - - JDK-8349729: [21u] AIX jtreg tests fail to compile with qvisibility=hidden - - JDK-8352097: (tz) zone.tab update missed in 2025a backport - - JDK-8353904: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.7 - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8309841: Jarsigner should print a warning if an entry is removed -==================================================================== -In previous OpenJDK releases, the jarsigner tool did not detect the -case where a file was removed from a signed JAR file but its signature -was still present. With this release, `jarsigner -verify` checks that -every signature has a matching file entry and prints a warning if this -is not the case. The `-verbose` option can also be added to the -command to see the names of the mismatched entries. - -security-libs/javax.net.ssl: - -JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs -============================================================================= -In accordance with similar plans recently announced by Google, -Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer -Security (TLS) certificates issued after the 15th of April 2025 which -are anchored by Camerfirma root certificates. - -Certificates issued on or before April 15th, 2025 will continue to -be trusted until they expire. - -If a server's certificate chain is anchored by an affected -certificate, attempts to negotiate a TLS session will fail with an -Exception that indicates the trust anchor is not trusted. 
For example, - -"TLS server certificate issued after 2025-04-15 and anchored by a -distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - -2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see -current address at www.camerfirma.com/address), C=EU" - -To check whether a certificate in a JDK keystore is affected by this -change, you can the `keytool` utility: - -keytool -v -list -alias -keystore - -If any of the certificates in the chain are affected by this change, -then you will need to update the certificate or contact the -organisation responsible for managing the certificate. - -These restrictions apply to the following Camerfirma root certificates -included in the JDK: - -Alias name: camerfirmachamberscommerceca [jdk] -CN=Chambers of Commerce Root -OU=http://www.chambersign.org -O=AC Camerfirma SA CIF A82743287 -C=EU -SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 - -Alias name: camerfirmachambersca [jdk] -CN=Chambers of Commerce Root - 2008 -O=AC Camerfirma S.A. -SERIALNUMBER=A82743287 -L=Madrid (see current address at www.camerfirma.com/address) -C=EU -SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0 - -Alias name: camerfirmachambersignca [jdk] -CN=Global Chambersign Root - 2008 -O=AC Camerfirma S.A. -SERIALNUMBER=A82743287 -L=Madrid (see current address at www.camerfirma.com/address) -C=EU -SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA - -Users can, *at their own risk*, remove this restriction by modifying -the `java.security` configuration file (or override it by using the -`java.security.properties` system property) so "CAMERFIRMA_TLS" is no -longer listed in the `jdk.security.caDistrustPolicies` security -property. 
- -security-libs/javax.crypto:pkcs11: - -JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic -========================================================================== -In OpenJDK 14, the notion of legacy mechanisms was introduced into the -SunPKCS11 provider. If a mechanism was found to be using a weak -algorithm, it was determined to be legacy and disabled. - -However, this approach has proved inflexible. There was no way for the -user to override the legacy determination and enable the mechanism -anyway. Also, a mechanism being used for signing would be declared -legacy and disabled if it had a weak encryption algorithm, even though -encryption was not being used. Similarly, a weak signing algorithm -would prevent the mechanism's use as a cipher for encryption or -decryption. - -This OpenJDK release resolves these issues. It introduces the PKCS11 -provider configuration attribute "allowLegacy" which can be set to -`true` if the user wishes to override the legacy determination. By -default, it is set to `false`. The legacy determination now also -considers the service type and will only check encryption algorithms -for Ciphers and only signature algorithms for Signatures. - -New in release OpenJDK 21.0.6 (2025-01-21): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk2106 - -* CVEs - - CVE-2025-21502 -* Changes - - JDK-6942632: Hotspot should be able to use more than 64 logical processors on Windows - - JDK-8028127: Regtest java/security/Security/SynchronizedAccess.java is incorrect - - JDK-8195675: Call to insertText with single character from custom Input Method ignored - - JDK-8207908: JMXStatusTest.java fails assertion intermittently - - JDK-8225220: When the Tab Policy is checked,the scroll button direction displayed incorrectly. 
- - JDK-8240343: JDI stopListening/stoplis001 "FAILED: listening is successfully stopped without starting listening"
- - JDK-8283214: [macos] Screen magnifier does not show the magnified text for JComboBox
- - JDK-8296787: Unify debug printing format of X.509 cert serial numbers
- - JDK-8296972: [macos13] java/awt/Frame/MaximizedToIconified/MaximizedToIconified.java: getExtendedState() != 6 as expected.
- - JDK-8306446: java/lang/management/ThreadMXBean/Locks.java transient failures
- - JDK-8308429: jvmti/StopThread/stopthrd007 failed with "NoClassDefFoundError: Could not initialize class jdk.internal.misc.VirtualThreads"
- - JDK-8309218: java/util/concurrent/locks/Lock/OOMEInAQS.java still times out with ZGC, Generational ZGC, and SerialGC
- - JDK-8311301: MethodExitTest may fail with stack buffer overrun
- - JDK-8311656: Shenandoah: Unused ShenandoahSATBAndRemarkThreadsClosure::_claim_token
- - JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above
- - JDK-8313374: --enable-ccache's CCACHE_BASEDIR breaks builds
- - JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le
- - JDK-8315701: [macos] Regression: KeyEvent has different keycode on different keyboard layouts
- - JDK-8316428: G1: Nmethod count statistics only count last code root set iterated
- - JDK-8316893: Compile without -fno-delete-null-pointer-checks
- - JDK-8316895: SeenThread::print_action_queue called on a null pointer
- - JDK-8316907: Fix nonnull-compare warnings
- - JDK-8317116: Provide layouts for multiple test UI in PassFailJFrame
- - JDK-8317575: AArch64: C2_MacroAssembler::fast_lock uses rscratch1 for cmpxchg result
- - JDK-8318105: [jmh] the test java.security.HSS failed with 2 active threads
- - JDK-8318442: java/net/httpclient/ManyRequests2.java fails intermittently on Linux
- - JDK-8319640: ClassicFormat::parseObject (from DateTimeFormatter) does not conform to the javadoc and may leak DateTimeException
- - JDK-8319673: Few security tests ignore VM
flags
- - JDK-8319678: Several tests from corelibs areas ignore VM flags
- - JDK-8319960: RISC-V: compiler/intrinsics/TestInteger/LongUnsignedDivMod.java failed with "counts: Graph contains wrong number of nodes"
- - JDK-8319970: AArch64: enable tests compiler/intrinsics/Test(Long|Integer)UnsignedDivMod.java on aarch64
- - JDK-8319973: AArch64: Save and restore FPCR in the call stub
- - JDK-8320192: SHAKE256 does not work correctly if n >= 137
- - JDK-8320397: RISC-V: Avoid passing t0 as temp register to MacroAssembler:: cmpxchg_obj_header/cmpxchgptr
- - JDK-8320575: generic type information lost on mandated parameters of record's compact constructors
- - JDK-8320586: update manual test/jdk/TEST.groups
- - JDK-8320665: update jdk_core at open/test/jdk/TEST.groups
- - JDK-8320673: PageFormat/CustomPaper.java has no Pass/Fail buttons; multiple instructions
- - JDK-8320682: [AArch64] C1 compilation fails with "Field too big for insn"
- - JDK-8320892: AArch64: Restore FPU control state after JNI
- - JDK-8321299: runtime/logging/ClassLoadUnloadTest.java doesn't reliably trigger class unloading
- - JDK-8321470: ThreadLocal.nextHashCode can be static final
- - JDK-8321474: TestAutoCreateSharedArchiveUpgrade.java should be updated with JDK 21
- - JDK-8321543: Update NSS to version 3.96
- - JDK-8321550: Update several runtime/cds tests to use vm flags or mark as flagless
- - JDK-8321616: Retire binary test vectors in test/jdk/java/util/zip/ZipFile
- - JDK-8321940: Improve CDSHeapVerifier in handling of interned strings
- - JDK-8322166: Files.isReadable/isWritable/isExecutable expensive when file does not exist
- - JDK-8322754: click JComboBox when dialog about to close causes IllegalComponentStateException
- - JDK-8322809: SystemModulesMap::classNames and moduleNames arrays do not match the order
- - JDK-8322830: Add test case for ZipFile opening a ZIP with no entries
- - JDK-8323562: SaslInputStream.read() may return wrong value
- - JDK-8323688: C2: Fix UB of jlong
overflow in PhaseIdealLoop::is_counted_loop()
- - JDK-8324841: PKCS11 tests still skip execution
- - JDK-8324861: Exceptions::wrap_dynamic_exception() doesn't have ResourceMark
- - JDK-8325038: runtime/cds/appcds/ProhibitedPackage.java can fail with UseLargePages
- - JDK-8325399: Add tests for virtual threads doing Selector operations
- - JDK-8325506: Ensure randomness is only read from provided SecureRandom object
- - JDK-8325525: Create jtreg test case for JDK-8325203
- - JDK-8325610: CTW: Add StressIncrementalInlining to stress options
- - JDK-8325762: Use PassFailJFrame.Builder.splitUI() in PrintLatinCJKTest.java
- - JDK-8325851: Hide PassFailJFrame.Builder constructor
- - JDK-8325906: Problemlist vmTestbase/vm/mlvm/meth/stress/compiler/deoptimize/Test.java#id1 until JDK-8320865 is fixed
- - JDK-8326100: DeflaterDictionaryTests should use Deflater.getBytesWritten instead of Deflater.getTotalOut
- - JDK-8326121: vmTestbase/gc/g1/unloading/tests/unloading_keepRef_rootClass_inMemoryCompilation_keep_cl failed with Full gc happened. Test was useless.
- - JDK-8326611: Clean up vmTestbase/nsk/stress/stack tests
- - JDK-8326898: NSK tests should listen on loopback addresses only
- - JDK-8327924: Simplify TrayIconScalingTest.java
- - JDK-8328021: Convert applet test java/awt/List/SetFontTest/SetFontTest.html to main program
- - JDK-8328242: Add a log area to the PassFailJFrame
- - JDK-8328303: 3 JDI tests timed out with UT enabled
- - JDK-8328379: Convert URLDragTest.html applet test to main
- - JDK-8328402: Implement pausing functionality for the PassFailJFrame
- - JDK-8328619: sun/management/jmxremote/bootstrap/SSLConfigFilePermissionTest.java failed with BindException: Address already in use
- - JDK-8328665: serviceability/jvmti/vthread/PopFrameTest failed with a timeout
- - JDK-8328723: IP Address error when client enables HTTPS endpoint check on server socket
- - JDK-8329353: ResolvedReferencesNotNullTest.java failed with Incorrect resolved references array, quxString should not be archived
- - JDK-8329533: TestCDSVMCrash fails on libgraal
- - JDK-8330045: Enhance array handling
- - JDK-8330278: Have SSLSocketTemplate.doClientSide use loopback address
- - JDK-8330621: Make 5 compiler tests use ProcessTools.executeProcess
- - JDK-8331391: Enhance the keytool code by invoking the buildTrustedCerts method for essential options
- - JDK-8331393: AArch64: u32 _partial_subtype_ctr loaded/stored as 64
- - JDK-8331864: Update Public Suffix List to 1cbd6e7
- - JDK-8332112: Update nsk.share.Log to don't print summary during VM shutdown hook
- - JDK-8332340: Add JavacBench as a test case for CDS
- - JDK-8332461: ubsan : dependencies.cpp:906:3: runtime error: load of value 4294967295, which is not a valid value for type 'DepType'
- - JDK-8332724: x86 MacroAssembler may over-align code
- - JDK-8332777: Update JCStress test suite
- - JDK-8332866: Crash in ImageIO JPEG decoding when MEM_STATS in enabled
- - JDK-8332901: Select{Current,New}ItemTest.java for Choice don't open popup on macOS
- - JDK-8333098: ubsan:
bytecodeInfo.cpp:318:59: runtime error: division by zero
- - JDK-8333108: Update vmTestbase/nsk/share/DebugeeProcess.java to don't use finalization
- - JDK-8333144: docker tests do not work when ubsan is configured
- - JDK-8333235: vmTestbase/nsk/jdb/kill/kill001/kill001.java fails with C1
- - JDK-8333248: VectorGatherMaskFoldingTest.java failed when maximum vector bits is 64
- - JDK-8333317: Test sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java failed with: Invalid ECDH ServerKeyExchange signature
- - JDK-8333427: langtools/tools/javac/newlines/NewLineTest.java is failing on Japanese Windows
- - JDK-8333728: ubsan: shenandoahFreeSet.cpp:1347:24: runtime error: division by zero
- - JDK-8333754: Add a Test against ECDSA and ECDH NIST Test vector
- - JDK-8333824: Unused ClassValue in VarHandles
- - JDK-8334057: JLinkReproducibleTest.java support receive test.tool.vm.opts
- - JDK-8334405: java/nio/channels/Selector/SelectWithConsumer.java#id0 failed in testWakeupDuringSelect
- - JDK-8334475: UnsafeIntrinsicsTest.java#ZGenerationalDebug assert(!assert_on_failure) failed: Has low-order bits set
- - JDK-8334560: [PPC64]: postalloc_expand_java_dynamic_call_sched does not copy all fields
- - JDK-8334562: Automate com/sun/security/auth/callback/TextCallbackHandler/Default.java test
- - JDK-8334567: [test] runtime/os/TestTracePageSizes move ppc handling
- - JDK-8334719: (se) Deferred close of SelectableChannel may result in a Selector doing the final close before concurrent I/O on channel has completed
- - JDK-8335142: compiler/c1/TestTraceLinearScanLevel.java occasionally times out with -Xcomp
- - JDK-8335172: Add manual steps to run security/auth/callback/TextCallbackHandler/Password.java test
- - JDK-8335267: [XWayland] move screencast tokens from .awt to .java folder
- - JDK-8335344: test/jdk/sun/security/tools/keytool/NssTest.java fails to compile
- - JDK-8335428: Enhanced Building of Processes
- - JDK-8335449: runtime/cds/DeterministicDump.java fails with File
content different at byte ...
- - JDK-8335530: Java file extension missing in AuthenticatorTest
- - JDK-8335664: Parsing jsr broken: assert(bci>= 0 && bci < c->method()->code_size()) failed: index out of bounds
- - JDK-8335709: C2: assert(!loop->is_member(get_loop(useblock))) failed: must be outside loop
- - JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
- - JDK-8336240: Test com/sun/crypto/provider/Cipher/DES/PerformanceTest.java fails with java.lang.ArithmeticException
- - JDK-8336257: Additional tests in jmxremote/startstop to match on PID not app name
- - JDK-8336315: tools/jpackage/windows/WinChildProcessTest.java Failed: Check is calculator process is alive
- - JDK-8336413: gtk headers : Fix typedef redeclaration of GMainContext and GdkPixbuf
- - JDK-8336564: Enhance mask blit functionality redux
- - JDK-8336640: Shenandoah: Parallel worker use in parallel_heap_region_iterate
- - JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout
- - JDK-8336911: ZGC: Division by zero in heuristics after JDK-8332717
- - JDK-8337066: Repeated call of StringBuffer.reverse with double byte string returns wrong result
- - JDK-8337067: Test runtime/classFileParserBug/Bad_NCDFE_Msg.java won't compile
- - JDK-8337320: Update ProblemList.txt with tests known to fail on XWayland
- - JDK-8337331: crash: pinned virtual thread will lead to jvm crash when running with the javaagent option
- - JDK-8337410: The makefiles should set problemlist and adjust timeout basing on the given VM flags
- - JDK-8337780: RISC-V: C2: Change C calling convention for sp to NS
- - JDK-8337810: ProblemList BasicDirectoryModel/LoaderThreadCount.java on Windows
- - JDK-8337826: Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754
- - JDK-8337851: Some tests have name which confuse jtreg
- - JDK-8337876: [IR Framework] Add support for IR tests with @Stable
- -
JDK-8337966: (fs) Files.readAttributes fails with Operation not permitted on older docker releases
- - JDK-8338058: map_or_reserve_memory_aligned Windows enhance remap assertion
- - JDK-8338101: remove old remap assertion in map_or_reserve_memory_aligned after JDK-8338058
- - JDK-8338109: java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java duplicate in ProblemList
- - JDK-8338110: Exclude Fingerprinter::do_type from ubsan checks
- - JDK-8338112: Test testlibrary_tests/ir_framework/tests/TestPrivilegedMode.java fails with release build
- - JDK-8338344: Test TestPrivilegedMode.java intermittent fails java.lang.NoClassDefFoundError: jdk/test/lib/Platform
- - JDK-8338380: Update TLSCommon/interop/AbstractServer to specify an interface to listen for connections
- - JDK-8338389: [JFR] Long strings should be added to the string pool
- - JDK-8338402: GHA: some of bundles may not get removed
- - JDK-8338449: ubsan: division by zero in sharedRuntimeTrans.cpp
- - JDK-8338550: Do libubsan1 installation in test container only if requested
- - JDK-8338748: [17u,21u] Test Disconnect.java compile error: cannot find symbol after JDK-8299813
- - JDK-8338751: ConfigureNotify behavior has changed in KWin 6.2
- - JDK-8338759: Add extra diagnostic to java/net/InetAddress/ptr/Lookup.java
- - JDK-8338924: C1: assert(0 <= i && i < _len) failed: illegal index 5 for length 5
- - JDK-8339080: Bump update version for OpenJDK: jdk-21.0.6
- - JDK-8339180: Enhanced Building of Processes: Follow-on Issue
- - JDK-8339248: RISC-V: Remove li64 macro assembler routine and related code
- - JDK-8339384: Unintentional IOException in jdk.jdi module when JDWP end of stream occurs
- - JDK-8339386: Assertion on AIX - original PC must be in the main code section of the compiled method
- - JDK-8339416: [s390x] Provide implementation for resolve_global_jobject
- - JDK-8339487: ProcessHandleImpl os_getChildren sysctl call - retry in case of ENOMEM and enhance exception message
- - JDK-8339548: GHA: RISC-V: Use
Debian snapshot archive for bootstrap
- - JDK-8339560: Unaddressed comments during code review of JDK-8337664
- - JDK-8339591: Mark jdk/jshell/ExceptionMessageTest.java intermittent
- - JDK-8339637: (tz) Update Timezone Data to 2024b
- - JDK-8339644: Improve parsing of Day/Month in tzdata rules
- - JDK-8339648: ZGC: Division by zero in rule_major_allocation_rate
- - JDK-8339725: Concurrent GC crashed due to GetMethodDeclaringClass
- - JDK-8339731: java.desktop/share/classes/javax/swing/text/html/default.css typo in margin settings
- - JDK-8339741: RISC-V: C ABI breakage for integer on stack
- - JDK-8339787: Add some additional diagnostic output to java/net/ipv6tests/UdpTest.java
- - JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files
- - JDK-8339892: Several security shell tests don't set TESTJAVAOPTS
- - JDK-8340007: Refactor KeyEvent/FunctionKeyTest.java
- - JDK-8340008: KeyEvent/KeyTyped/Numpad1KeyTyped.java has 15 seconds timeout
- - JDK-8340109: Ubsan: ciEnv.cpp:1660:65: runtime error: member call on null pointer of type 'struct CompileTask'
- - JDK-8340210: Add positionTestUI() to PassFailJFrame.Builder
- - JDK-8340214: C2 compilation asserts with "no node with a side effect" in PhaseIdealLoop::try_sink_out_of_loop
- - JDK-8340230: Tests crash: assert(is_in_encoding_range || k->is_interface() || k->is_abstract()) failed: sanity
- - JDK-8340306: Add border around instructions in PassFailJFrame
- - JDK-8340308: PassFailJFrame: Make rows default to number of lines in instructions
- - JDK-8340365: Position the first window of a window list
- - JDK-8340383: VM issues warning failure to find kernel32.dll on Windows nanoserver
- - JDK-8340387: Update OS detection code to recognize Windows Server 2025
- - JDK-8340398: [JVMCI] Unintuitive behavior of UseJVMCICompiler option
- - JDK-8340418: GHA: MacOS AArch64 bundles can be removed prematurely
- - JDK-8340461: Amend description for logArea
- - JDK-8340466: Add description for PassFailJFrame
constructors
- - JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
- - JDK-8340590: RISC-V: C2: Small improvement to vector gather load and scatter store
- - JDK-8340632: ProblemList java/nio/channels/DatagramChannel/ for Macos
- - JDK-8340657: [PPC64] SA determines wrong unextendedSP
- - JDK-8340684: Reading from an input stream backed by a closed ZipFile has no test coverage
- - JDK-8340785: Update description of PassFailJFrame and samples
- - JDK-8340799: Add border inside instruction frame in PassFailJFrame
- - JDK-8340801: Disable ubsan checks in some awt/2d coding
- - JDK-8340804: doc/building.md update Xcode instructions to note that full install is required
- - JDK-8340812: LambdaForm customization via MethodHandle::updateForm is not thread safe
- - JDK-8340815: Add SECURITY.md file
- - JDK-8340899: Remove wildcard bound in PositionWindows.positionTestWindows
- - JDK-8340923: The class LogSelection copies uninitialized memory
- - JDK-8341024: [test] build/AbsPathsInImage.java fails with OOM when using ubsan-enabled binaries
- - JDK-8341146: RISC-V: Unnecessary fences used for load-acquire in template interpreter
- - JDK-8341235: Improve default instruction frame title in PassFailJFrame
- - JDK-8341261: Tests assume UnlockExperimentalVMOptions is disabled by default
- - JDK-8341562: RISC-V: Generate comments in -XX:+PrintInterpreter to link to source code
- - JDK-8341688: Aarch64: Generate comments in -XX:+PrintInterpreter to link to source code
- - JDK-8341722: Fix some warnings as errors when building on Linux with toolchain clang
- - JDK-8341806: Gcc version detection failure on Alinux3
- - JDK-8341927: Replace hardcoded security providers with new test.provider.name system property
- - JDK-8341997: Tests create files in src tree instead of scratch dir
- - JDK-8342014: RISC-V: ZStoreBarrierStubC2 clobbers rflags
- - JDK-8342063: [21u][aix] Backport introduced redundant line in ProblemList
- - JDK-8342181: Update tests to use stronger
Key and Salt size
- - JDK-8342183: Update tests to use stronger algorithms and keys
- - JDK-8342188: Update tests to use stronger key parameters and certificates
- - JDK-8342409: [s390x] C1 unwind_handler fails to unlock synchronized methods with LM_MONITOR
- - JDK-8342496: C2/Shenandoah: SEGV in compiled code when running jcstress
- - JDK-8342578: GHA: RISC-V: Bootstrap using Debian snapshot is still failing
- - JDK-8342607: Enhance register printing on x86_64 platforms
- - JDK-8342669: [21u] Fix TestArrayAllocatorMallocLimit after backport of JDK-8315097
- - JDK-8342681: TestLoadBypassesNullCheck.java fails improperly specified VM option
- - JDK-8342701: [PPC64] TestOSRLotsOfLocals.java crashes
- - JDK-8342765: [21u] RTM tests assume UnlockExperimentalVMOptions is disabled by default
- - JDK-8342823: Ubsan: ciEnv.cpp:1614:65: runtime error: member call on null pointer of type 'struct CompileTask'
- - JDK-8342905: Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501 redux
- - JDK-8342962: [s390x] TestOSRLotsOfLocals.java crashes
- - JDK-8343285: java.lang.Process is unresponsive and CPU usage spikes to 100%
- - JDK-8343474: [updates] Customize README.md to specifics of update project
- - JDK-8343506: [s390x] multiple test failures with ubsan
- - JDK-8343724: [PPC64] Disallow OptoScheduling
- - JDK-8343848: Fix typo of property name in TestOAEPPadding after 8341927
- - JDK-8343877: Test AsyncClose.java intermittent fails - Socket.getInputStream().read() wasn't preempted
- - JDK-8343884: [s390x] Disallow OptoScheduling
- - JDK-8343923: GHA: Switch to Xcode 15 on MacOS AArch64 runners
- - JDK-8344164: [s390x] ProblemList hotspot/jtreg/runtime/NMT/VirtualAllocCommitMerge.java
- - JDK-8344628: Test TestEnableJVMCIProduct.java run with virtual thread intermittent fails
- - JDK-8344993: [21u] [REDO] Backport JDK-8327501 and JDK-8328366 to JDK 21
- - JDK-8345055: [21u] ProblemList failing rtm tests on ppc platforms
- -
JDK-8347010: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.6
-
-Notes on individual issues:
-===========================
-
-core-libs/java.util.jar:
-
-JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
-===================================================================================================================
-In previous OpenJDK releases, when the jar tool extracted files from
-an archive, it would overwrite any existing files with the same name
-in the target directory. With this release, a new option ('-k' or
-'--keep-old-files') may be specified so that existing files are not
-overwritten.
-
-The option may be specified in short or long option form, as in the
-following examples:
-
-* jar xkf foo.jar
-* jar --extract --keep-old-files --file foo.jar
-
-By default, the old behaviour remains in place and files will be
-overwritten.
-
-core-libs/java.time:
-
-JDK-8339637: (tz) Update Timezone Data to 2024b
-===============================================
-This OpenJDK release upgrades the in-tree copy of the IANA timezone
-database to 2024b. This timezone update is primarily concerned with
-improving historical data for Mexico, Monogolia and Portugal. It also
-makes Asia/Choibalsan an alias for Asia/Ulaanbaatar and makes the MET
-timezone the same as CET.
-
-The 2024b update also makes a number of legacy timezone IDs equal to
-geographical names rather than fixed offsets, as follows:
-
-* EST => America/Panama instead of -5:00
-* MST => America/Phoenix instead of -7:00
-* HST => Pacific/Honolulu instead of -10:00
-
-For long term support releases of OpenJDK, this change is overridden
-locally to retain the existing fixed offset mapping.
-
-New in release OpenJDK 21.0.5 (2024-10-15):
-===========================================
-Live versions of these release notes can be found at:
- * https://bit.ly/openjdk2105
-
-* CVEs
- - CVE-2024-21208
- - CVE-2024-21210
- - CVE-2024-21217
- - CVE-2024-21235
-* Security fixes
- - JDK-8307383: Enhance DTLS connections
- - JDK-8311208: Improve CDS Support
- - JDK-8328286: Enhance HTTP client
- - JDK-8328544: Improve handling of vectorization
- - JDK-8328726: Better Kerberos support
- - JDK-8331446: Improve deserialization support
- - JDK-8332644: Improve graph optimizations
- - JDK-8335713: Enhance vectorization analysis
-* Other changes
- - JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG
- - JDK-6967482: TAB-key does not work in JTables after selecting details-view in JFileChooser
- - JDK-7022325: TEST_BUG: test/java/util/zip/ZipFile/ReadLongZipFileName.java leaks files if it fails
- - JDK-8051959: Add thread and timestamp options to java.security.debug system property
- - JDK-8073061: (fs) Files.copy(foo, bar, REPLACE_EXISTING) deletes bar even if foo is not readable
- - JDK-8166352: FilePane.createDetailsView() removes JTable TAB, SHIFT-TAB functionality
- - JDK-8170817: G1: Returning MinTLABSize from unsafe_max_tlab_alloc causes TLAB flapping
- - JDK-8211847: [aix] java/lang/ProcessHandle/InfoTest.java fails: "reported cputime less than expected"
- - JDK-8211854: [aix] java/net/ServerSocket/AcceptInheritHandle.java fails: read times out
- - JDK-8222884: ConcurrentClassDescLookup.java times out intermittently
- - JDK-8238169: BasicDirectoryModel getDirectories and DoChangeContents.run can deadlock
- - JDK-8241550: [macOS] SSLSocketImpl/ReuseAddr.java failed due to "BindException: Address already in use"
- - JDK-8242564: javadoc crashes:: class cast exception com.sun.tools.javac.code.Symtab$6
- - JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed
- - JDK-8261433: Better pkcs11
performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
- - JDK-8269428: java/util/concurrent/ConcurrentHashMap/ToArray.java timed out
- - JDK-8269657: Test java/nio/channels/DatagramChannel/Loopback.java failed: Unexpected message
- - JDK-8280120: [IR Framework] Add attribute to @IR to enable/disable IR matching based on the architecture
- - JDK-8280392: java/awt/Focus/NonFocusableWindowTest/NonfocusableOwnerTest.java failed with "RuntimeException: Test failed."
- - JDK-8280988: [XWayland] Click on title to request focus test failures
- - JDK-8280990: [XWayland] XTest emulated mouse click does not bring window to front
- - JDK-8283223: gc/stringdedup/TestStringDeduplicationFullGC.java#Parallel failed with "RuntimeException: String verification failed"
- - JDK-8287325: AArch64: fix virtual threads with -XX:UseBranchProtection=pac-ret
- - JDK-8291809: Convert compiler/c2/cr7200264/TestSSE2IntVect.java to IR verification test
- - JDK-8294148: Support JSplitPane for instructions and test UI
- - JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl when connection is idle
- - JDK-8299487: Test java/net/httpclient/whitebox/SSLTubeTestDriver.java timed out
- - JDK-8299790: os::print_hex_dump is racy
- - JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java fails with jtreg test timeout due to lost datagram
- - JDK-8301686: TLS 1.3 handshake fails if server_name doesn't match resuming session
- - JDK-8303920: Avoid calling out to python in DataDescriptorSignatureMissing test
- - JDK-8305072: Win32ShellFolder2.compareTo is inconsistent
- - JDK-8305825: getBounds API returns wrong value resulting in multiple Regression Test Failures on Ubuntu 23.04
- - JDK-8307193: Several Swing jtreg tests use class.forName on L&F classes
- - JDK-8307352: AARCH64: Improve itable_stub
- - JDK-8307778: com/sun/jdi/cds tests fail with jtreg's Virtual test thread factory
- - JDK-8307788: vmTestbase/gc/gctests/LargeObjects/large003/TestDescription.java timed out
- -
JDK-8308286: Fix clang warnings in linux code
- - JDK-8308660: C2 compilation hits 'node must be dead' assert
- - JDK-8309067: gtest/AsyncLogGtest.java fails again in stderrOutput_vm
- - JDK-8309621: [XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1
- - JDK-8309685: Fix -Wconversion warnings in assembler and register code
- - JDK-8309894: compiler/vectorapi/VectorLogicalOpIdentityTest.java fails on SVE system with UseSVE=0
- - JDK-8310072: JComboBox/DisabledComboBoxFontTestAuto: Enabled and disabled ComboBox does not match in these LAFs: GTK+
- - JDK-8310108: Skip ReplaceCriticalClassesForSubgraphs when EnableJVMCI is specified
- - JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option
- - JDK-8310334: [XWayland][Screencast] screen capture error message in debug
- - JDK-8310628: GcInfoBuilder.c missing JNI Exception checks
- - JDK-8310683: Refactor StandardCharset/standard.java to use JUnit
- - JDK-8310906: Fix -Wconversion warnings in runtime, oops and some code header files.
- - JDK-8311306: Test com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java failed: out of expected range
- - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
- - JDK-8311989: Test java/lang/Thread/virtual/Reflection.java timed out
- - JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved
- - JDK-8312111: open/test/jdk/java/awt/Robot/ModifierRobotKey/ModifierRobotKeyTest.java fails on ubuntu 23.04
- - JDK-8312140: jdk/jshell tests failed with JDI socket timeouts
- - JDK-8312200: Fix Parse::catch_call_exceptions memory leak
- - JDK-8312229: Crash involving yield, switch and anonymous classes
- - JDK-8313674: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java should test for more block devices
- - JDK-8313697: [XWayland][Screencast] consequent getPixelColor calls are slow
- - JDK-8313983: jmod create --target-platform should replace existing ModuleTarget attribute
- - JDK-8314163: os::print_hex_dump prints incorrectly for big endian platforms and unit sizes larger than 1
- - JDK-8314225: SIGSEGV in JavaThread::is_lock_owned
- - JDK-8314515: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=false i=8 j=0"
- - JDK-8314614: jdk/jshell/ImportTest.java failed with "InternalError: Failed remote listen"
- - JDK-8315024: Vector API FP reduction tests should not test for exact equality
- - JDK-8315031: YoungPLABSize and OldPLABSize not aligned by ObjectAlignmentInBytes
- - JDK-8315422: getSoTimeout() would be in try block in SSLSocketImpl
- - JDK-8315505: CompileTask timestamp printed can overflow
- - JDK-8315576: compiler/codecache/CodeCacheFullCountTest.java fails after JDK-8314837
- - JDK-8315804: Open source several Swing JTabbedPane JTextArea JTextField tests
- - JDK-8315923: pretouch_memory by atomic-add-0 fragments huge pages unexpectedly
- - JDK-8315965: Open source various AWT applet tests
- - JDK-8315969: compiler/rangechecks/TestRangeCheckHoistingScaledIV.java: make flagless
- - JDK-8316104: Open source several
Swing SplitPane and RadioButton related tests
- - JDK-8316131: runtime/cds/appcds/TestParallelGCWithCDS.java fails with JNI error
- - JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak
- - JDK-8316211: Open source several manual applet tests
- - JDK-8316240: Open source several add/remove MenuBar manual tests
- - JDK-8316285: Opensource JButton manual tests
- - JDK-8316306: Open source and convert manual Swing test
- - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
- - JDK-8316361: C2: assert(!failure) failed: Missed optimization opportunity in PhaseIterGVN with -XX:VerifyIterativeGVN=10
- - JDK-8316389: Open source few AWT applet tests
- - JDK-8316756: C2 EA fails with "missing memory path" when encountering unsafe_arraycopy stub call
- - JDK-8317112: Add screenshot for Frame/DefaultSizeTest.java
- - JDK-8317128: java/nio/file/Files/CopyAndMove.java failed with AccessDeniedException
- - JDK-8317240: Promptly free OopMapEntry after fail to insert the entry to OopMapCache
- - JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java: Press on the outside area didn't cause ungrab
- - JDK-8317299: safepoint scalarization doesn't keep track of the depth of the JVM state
- - JDK-8317360: Missing null checks in JfrCheckpointManager and JfrStringPool initialization routines
- - JDK-8317372: Refactor some NumberFormat tests to use JUnit
- - JDK-8317446: ProblemList gc/arguments/TestNewSizeFlags.java on macosx-aarch64 in Xcomp
- - JDK-8317449: ProblemList serviceability/jvmti/stress/StackTrace/NotSuspended/GetStackTraceNotSuspendedStressTest.java on several platforms
- - JDK-8317635: Improve GetClassFields test to verify correctness of field order
- - JDK-8317696: Fix compilation with clang-16
- - JDK-8317738: CodeCacheFullCountTest failed with "VirtualMachineError: Out of space in CodeCache for method handle intrinsic"
- - JDK-8317831: compiler/codecache/CheckLargePages.java
fails on OL 8.8 with unexpected memory string
- - JDK-8318071: IgnoreUnrecognizedVMOptions flag still causes failure in ArchiveHeapTestClass
- - JDK-8318479: [jmh] the test security.CacheBench failed for multiple threads run
- - JDK-8318605: Enable parallelism in vmTestbase/nsk/stress/stack tests
- - JDK-8319197: Exclude hb-subset and hb-style from compilation
- - JDK-8319406: x86: Shorter movptr(reg, imm) for 32-bit immediates
- - JDK-8319773: Avoid inflating monitors when installing hash codes for LM_LIGHTWEIGHT
- - JDK-8319793: C2 compilation fails with "Bad graph detected in build_loop_late" after JDK-8279888
- - JDK-8319817: Charset constructor should make defensive copy of aliases
- - JDK-8319818: Address GCC 13.2.0 warnings (stringop-overflow and dangling-pointer)
- - JDK-8320079: The ArabicBox.java test has no control buttons
- - JDK-8320212: Disable GCC stringop-overflow warning for affected files
- - JDK-8320379: C2: Sort spilling/unspilling sequence for better ld/st merging into ldp/stp on AArch64
- - JDK-8320602: Lock contention in SchemaDVFactory.getInstance()
- - JDK-8320608: Many jtreg printing tests are missing the @printer keyword
- - JDK-8320655: awt screencast robot spin and sync issues with native libpipewire api
- - JDK-8320675: PrinterJob/SecurityDialogTest.java hangs
- - JDK-8320945: problemlist tests failing on latest Windows 11 update
- - JDK-8321025: Enable Neoverse N1 optimizations for Neoverse V2
- - JDK-8321176: [Screencast] make a second attempt on screencast failure
- - JDK-8321206: Make Locale related system properties `StaticProperty`
- - JDK-8321220: JFR: RecordedClass reports incorrect modifiers
- - JDK-8321278: C2: Partial peeling fails with assert "last_peel <- first_not_peeled"
- - JDK-8321509: False positive in get_trampoline fast path causes crash
- - JDK-8321933: TestCDSVMCrash.java spawns two processes
- - JDK-8322008: Exclude some CDS tests from running with -Xshare:off
- - JDK-8322062: com/sun/jdi/JdwpAllowTest.java does
not performs negative testing with prefix length
- - JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC and ZGC
- - JDK-8322726: C2: Unloaded signature class kills argument value
- - JDK-8322743: C2: prevent lock region elimination in OSR compilation
- - JDK-8322766: Micro bench SSLHandshake should use default algorithms
- - JDK-8322881: java/nio/file/Files/CopyMoveVariations.java fails with AccessDeniedException due to permissions of files in /tmp
- - JDK-8322971: KEM.getInstance() should check if a 3rd-party security provider is signed
- - JDK-8322996: BoxLockNode creation fails with assert(reg < CHUNK_SIZE) failed: sanity
- - JDK-8323122: AArch64: Increase itable stub size estimate
- - JDK-8323196: jdk/jfr/api/consumer/filestream/TestOrdered.java failed with "Events are not ordered! Reuse = false"
- - JDK-8323274: C2: array load may float above range check
- - JDK-8323552: AbstractMemorySegmentImpl#mismatch returns -1 when comparing distinct areas of the same instance of MemorySegment
- - JDK-8323577: C2 SuperWord: remove AlignVector restrictions on IR tests added in JDK-8305055
- - JDK-8323584: AArch64: Unnecessary ResourceMark in NativeCall::set_destination_mt_safe
- - JDK-8323670: A few client tests intermittently throw ConcurrentModificationException
- - JDK-8323682: C2: guard check is not generated in Arrays.copyOfRange intrinsic when allocation is eliminated by EA
- - JDK-8323782: Race: Thread::interrupt vs.
AbstractInterruptibleChannel.begin
- - JDK-8323801: tag doesn't strikethrough the text
- - JDK-8323972: C2 compilation fails with assert(!x->as_Loop()->is_loop_nest_inner_loop()) failed: loop was transformed
- - JDK-8324174: assert(m->is_entered(current)) failed: invariant
- - JDK-8324577: [REDO] - [IMPROVE] OPEN_MAX is no longer the max limit on macOS >= 10.6 for RLIMIT_NOFILE
- - JDK-8324580: SIGFPE on THP initialization on kernels < 4.10
- - JDK-8324641: [IR Framework] Add Setup method to provide custom arguments and set fields
- - JDK-8324668: JDWP process management needs more efficient file descriptor handling
- - JDK-8324755: Enable parallelism in vmTestbase/gc/gctests/LargeObjects tests
- - JDK-8324781: runtime/Thread/TestAlwaysPreTouchStacks.java failed with Expected a higher ratio between stack committed and reserved
- - JDK-8324808: Manual printer tests have no Pass/Fail buttons, instructions close set 3
- - JDK-8324969: C2: prevent elimination of unbalanced coarsened locking regions
- - JDK-8324983: Race in CompileBroker::possibly_add_compiler_threads
- - JDK-8325022: Incorrect error message on client authentication
- - JDK-8325037: x86: enable and fix hotspot/jtreg/compiler/vectorization/TestRoundVectFloat.java
- - JDK-8325083: jdk/incubator/vector/Double512VectorTests.java crashes in Assembler::vex_prefix_and_encode
- - JDK-8325179: Race in BasicDirectoryModel.validateFileCache
- - JDK-8325218: gc/parallel/TestAlwaysPreTouchBehavior.java fails
- - JDK-8325382: (fc) FileChannel.transferTo throws IOException when position equals size
- - JDK-8325384: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java failing intermittently when main thread is a virtual thread
- - JDK-8325469: Freeze/Thaw code can crash in the presence of OSR frames
- - JDK-8325494: C2: Broken graph after not skipping CastII node anymore for Assertion Predicates after JDK-8309902
- - JDK-8325520: Vector loads and stores with indices and masks incorrectly compiled
- -
JDK-8325542: CTW: Runner can produce negative StressSeed
- - JDK-8325587: Shenandoah: ShenandoahLock should allow blocking in VM
- - JDK-8325616: JFR ZGC Allocation Stall events should record stack traces
- - JDK-8325620: HTMLReader uses ConvertAction instead of specified CharacterAction for , ,
- - JDK-8325754: Dead AbstractQueuedSynchronizer$ConditionNodes survive minor garbage collections
- - JDK-8325763: Revert properties: vm.opt.x.*
- - JDK-8326106: Write and clear stack trace table outside of safepoint
- - JDK-8326129: Java Record Pattern Match leads to infinite loop
- - JDK-8326332: Unclosed inline tags cause misalignment in summary tables
- - JDK-8326717: Disable stringop-overflow in shenandoahLock.cpp
- - JDK-8326734: text-decoration applied to lost when mixed with or
- - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
- - JDK-8327040: Problemlist ActionListenerCalledTwiceTest.java test failing in macos14
- - JDK-8327137: Add test for ConcurrentModificationException in BasicDirectoryModel
- - JDK-8327401: Some jtreg tests fail on Wayland without any tracking bug
- - JDK-8327423: C2 remove_main_post_loops: check if main-loop belongs to pre-loop, not just assert
- - JDK-8327424: ProblemList serviceability/sa/TestJmapCore.java on all platforms with ZGC
- - JDK-8327501: Common ForkJoinPool prevents class unloading in some cases
- - JDK-8327650: Test java/nio/channels/DatagramChannel/StressNativeSignal.java timed out
- - JDK-8327787: Convert javax/swing/border/Test4129681.java applet test to main
- - JDK-8327840: Automate javax/swing/border/Test4129681.java
- - JDK-8327990: [macosx-aarch64] Various tests fail with -XX:+AssertWXAtThreadSync
- - JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/GetBoundsResizeTest.java applet test to main
- - JDK-8328075: Shenandoah: Avoid forwarding when objects don't move in full-GC
- - JDK-8328110: Allow simultaneous use of PassFailJFrame with split UI and additional windows
- - JDK-8328115: Convert
java/awt/font/TextLayout/TestJustification.html applet test to main - - JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest to automatic main test - - JDK-8328218: Delete test java/awt/Window/FindOwner/FindOwner.html - - JDK-8328234: Remove unused nativeUtils files - - JDK-8328238: Convert few closed manual applet tests to main - - JDK-8328269: NonFocusablePopupMenuTest.java should be marked as headful - - JDK-8328273: sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java failed with java.rmi.server.ExportException: Port already in use - - JDK-8328366: Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501 - - JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/ClickDuringKeypress.java imports Applet - - JDK-8328561: test java/awt/Robot/ManualInstructions/ManualInstructions.java isn't used - - JDK-8328642: Convert applet test MouseDraggedOutCauseScrollingTest.html to main - - JDK-8328647: TestGarbageCollectorMXBean.java fails with C1-only and -Xcomp - - JDK-8328697: SubMenuShowTest and SwallowKeyEvents tests stabilization - - JDK-8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0 - - JDK-8328896: Fontmetrics for large Fonts has zero width - - JDK-8328953: JEditorPane.read throws ChangedCharSetException - - JDK-8328999: Update GIFlib to 5.2.2 - - JDK-8329004: Update Libpng to 1.6.43 - - JDK-8329088: Stack chunk thawing races with concurrent GC stack iteration - - JDK-8329103: assert(!thread->in_asgct()) failed during multi-mode profiling - - JDK-8329126: No native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462 - - JDK-8329134: Reconsider TLAB zapping - - JDK-8329258: TailCall should not use frame pointer register for jump target - - JDK-8329510: Update ProblemList for JFileChooser/8194044/FileSystemRootTest.java - - JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed because The End and Start buttons are not placed correctly and 
Tab focus does not move as expected - - JDK-8329665: fatal error: memory leak: allocating without ResourceMark - - JDK-8329667: [macos] Issue with JTree related fix for JDK-8317771 - - JDK-8329995: Restricted access to `/proc` can cause JFR initialization to crash - - JDK-8330027: Identity hashes of archived objects must be based on a reproducible random seed - - JDK-8330063: Upgrade jQuery to 3.7.1 - - JDK-8330133: libj2pkcs11.so crashes on some pkcs#11 v3.0 libraries - - JDK-8330146: assert(!_thread->is_in_any_VTMS_transition()) failed - - JDK-8330520: linux clang build fails in os_linux.cpp with static_assert with no message is a C++17 extension - - JDK-8330576: ZYoungCompactionLimit should have range check - - JDK-8330611: AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512) - - JDK-8330748: ByteArrayOutputStream.writeTo(OutputStream) pins carrier - - JDK-8330814: Cleanups for KeepAliveCache tests - - JDK-8330819: C2 SuperWord: bad dominance after pre-loop limit adjustment with base that has CastLL after pre-loop - - JDK-8330849: Add test to verify memory usage with recursive locking - - JDK-8330981: ZGC: Should not dedup strings in the finalizer graph - - JDK-8331011: [XWayland] TokenStorage fails under Security Manager - - JDK-8331063: Some HttpClient tests don't report leaks - - JDK-8331077: nroff man page update for jar tool - - JDK-8331142: Add test for number of loader threads in BasicDirectoryModel - - JDK-8331153: JFR: Improve logging of jdk/jfr/api/consumer/filestream/TestOrdered.java - - JDK-8331164: createJMHBundle.sh download jars fail when url needed to be redirected - - JDK-8331266: Bump update version for OpenJDK: jdk-21.0.5 - - JDK-8331405: Shenandoah: Optimize ShenandoahLock with TTAS - - JDK-8331411: Shenandoah: Reconsider spinning duration in ShenandoahLock - - JDK-8331421: ubsan: vmreg.cpp checking error member call on misaligned address - - JDK-8331495: Limit BasicDirectoryModel/LoaderThreadCount.java to Windows only - - 
JDK-8331518: Tests should not use the "Classpath" exception form of the legal header - - JDK-8331572: Allow using OopMapCache outside of STW GC phases - - JDK-8331573: Rename CollectedHeap::is_gc_active to be explicitly about STW GCs - - JDK-8331575: C2: crash when ConvL2I is split thru phi at LongCountedLoop - - JDK-8331605: jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java test failure - - JDK-8331626: unsafe.cpp:162:38: runtime error in index_oop_from_field_offset_long - applying non-zero offset 4563897424 to null pointer - - JDK-8331714: Make OopMapCache installation lock-free - - JDK-8331731: ubsan: relocInfo.cpp:155:30: runtime error: applying non-zero offset to null pointer - - JDK-8331746: Create a test to verify that the cmm id is not ignored - - JDK-8331771: ZGC: Remove OopMapCacheAlloc_lock ordering workaround - - JDK-8331789: ubsan: deoptimization.cpp:403:29: runtime error: load of value 208, which is not a valid value for type 'bool' - - JDK-8331798: Remove unused arg of checkErgonomics() in TestMaxHeapSizeTools.java - - JDK-8331854: ubsan: copy.hpp:218:10: runtime error: addition of unsigned offset to 0x7fc2b4024518 overflowed to 0x7fc2b4024510 - - JDK-8331863: DUIterator_Fast used before it is constructed - - JDK-8331885: C2: meet between unloaded and speculative types is not symmetric - - JDK-8331931: JFR: Avoid loading regex classes during startup - - JDK-8331999: BasicDirectoryModel/LoaderThreadCount.java frequently fails on Windows in CI - - JDK-8332008: Enable issuestitle check - - JDK-8332113: Update nsk.share.Log to be always verbose - - JDK-8332154: Memory leak in SynchronousQueue - - JDK-8332174: Remove 2 (unpaired) RLO Unicode characters in ff_Adlm.xml - - JDK-8332248: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java failed with RuntimeException - - JDK-8332424: Update IANA Language Subtag Registry to Version 2024-05-16 - - JDK-8332431: NullPointerException in JTable of SwingSet2 - - JDK-8332473: ubsan: 
growableArray.hpp:290:10: runtime error: null pointer passed as argument 1, which is declared to never be null - - JDK-8332490: JMH org.openjdk.bench.java.util.zip.InflaterInputStreams.inflaterInputStreamRead OOM - - JDK-8332499: Gtest codestrings.validate_vm fail on linux x64 when hsdis is present - - JDK-8332524: Instead of printing "TLSv1.3," it is showing "TLS13" - - JDK-8332589: ubsan: unix/native/libjava/ProcessImpl_md.c:562:5: runtime error: null pointer passed as argument 2, which is declared to never be null - - JDK-8332675: test/hotspot/jtreg/gc/testlibrary/Helpers.java compileClass javadoc does not match after 8321812 - - JDK-8332699: ubsan: jfrEventSetting.inline.hpp:31:43: runtime error: index 163 out of bounds for type 'jfrNativeEventSetting [162]' - - JDK-8332717: ZGC: Division by zero in heuristics - - JDK-8332720: ubsan: instanceKlass.cpp:3550:76: runtime error: member call on null pointer of type 'struct Array' - - JDK-8332818: ubsan: archiveHeapLoader.cpp:70:27: runtime error: applying non-zero offset 18446744073707454464 to null pointer - - JDK-8332825: ubsan: guardedMemory.cpp:35:11: runtime error: null pointer passed as argument 2, which is declared to never be null - - JDK-8332885: Clarify failure_handler self-tests - - JDK-8332894: ubsan: vmError.cpp:2090:26: runtime error: division by zero - - JDK-8332898: failure_handler: log directory of commands - - JDK-8332903: ubsan: opto/output.cpp:1002:18: runtime error: load of value 171, which is not a valid value for type 'bool' - - JDK-8332904: ubsan ppc64le: c1_LIRGenerator_ppc.cpp:581:21: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int' - - JDK-8332905: C2 SuperWord: bad AD file, with RotateRightV and first operand not a pack - - JDK-8332920: C2: Partial Peeling is wrongly applied for CmpU with negative limit - - JDK-8332935: Crash: assert(*lastPtr != 0) failed: Mismatched JNINativeInterface tables, check for new entries - - JDK-8332936: 
Test vmTestbase/metaspace/gc/watermark_70_80/TestDescription.java fails with no GC's recorded - - JDK-8332959: C2: ZGC fails with 'Incorrect load shift' when invoking Object.clone() reflectively on an array - - JDK-8333088: ubsan: shenandoahAdaptiveHeuristics.cpp:245:44: runtime error: division by zero - - JDK-8333093: Incorrect comment in zAddress_aarch64.cpp - - JDK-8333099: Missing check for is_LoadVector in StoreNode::Identity - - JDK-8333149: ubsan : memset on nullptr target detected in jvmtiEnvBase.cpp get_object_monitor_usage - - JDK-8333178: ubsan: jvmti_tools.cpp:149:16: runtime error: null pointer passed as argument 2, which is declared to never be null - - JDK-8333270: HandlersOnComplexResetUpdate and HandlersOnComplexUpdate tests fail with "Unexpected reference" if timeoutFactor is less than 1/3 - - JDK-8333277: ubsan: mlib_ImageScanPoly.c:292:43: runtime error: division by zero - - JDK-8333353: Delete extra empty line in CodeBlob.java - - JDK-8333354: ubsan: frame.inline.hpp:91:25: and src/hotspot/share/runtime/frame.inline.hpp:88:29: runtime error: member call on null pointer of type 'const struct SmallRegisterMap' - - JDK-8333361: ubsan,test : libHeapMonitorTest.cpp:518:9: runtime error: null pointer passed as argument 2, which is declared to never be null - - JDK-8333363: ubsan: instanceKlass.cpp: runtime error: member call on null pointer of type 'struct AnnotationArray' - - JDK-8333366: C2: CmpU3Nodes are not pushed back to worklist in PhaseCCP leading to non-fixpoint assertion failure - - JDK-8333398: Uncomment the commented test in test/jdk/java/util/jar/JarFile/mrjar/MultiReleaseJarAPI.java - - JDK-8333462: Performance regression of new DecimalFormat() when compare to jdk11 - - JDK-8333477: Delete extra empty spaces in Makefiles - - JDK-8333542: Breakpoint in parallel code does not work - - JDK-8333622: ubsan: relocInfo_x86.cpp:101:56: runtime error: pointer index expression with base (-1) overflowed - - JDK-8333639: ubsan: 
cppVtables.cpp:81:55: runtime error: index 14 out of bounds for type 'long int [1]' - - JDK-8333652: RISC-V: compiler/vectorapi/VectorGatherMaskFoldingTest.java fails when using RVV - - JDK-8333716: Shenandoah: Check for disarmed method before taking the nmethod lock - - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1 - - JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw an exception with 0 failures - - JDK-8333887: ubsan: unsafe.cpp:247:13: runtime error: store to null pointer of type 'volatile int' - - JDK-8334078: RISC-V: TestIntVect.java fails after JDK-8332153 when running without RVV - - JDK-8334123: log the opening of Type 1 fonts - - JDK-8334166: Enable binary check - - JDK-8334239: Introduce macro for ubsan method/function exclusions - - JDK-8334297: (so) java/nio/channels/SocketChannel/OpenLeak.java should not depend on SecurityManager - - JDK-8334332: TestIOException.java fails if run by root - - JDK-8334333: MissingResourceCauseTestRun.java fails if run by root - - JDK-8334339: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java fails on alinux3 - - JDK-8334418: Update IANA Language Subtag Registry to Version 2024-06-14 - - JDK-8334421: assert(!oldbox->is_unbalanced()) failed: this should not be called for unbalanced region - - JDK-8334482: Shenandoah: Deadlock when safepoint is pending during nmethods iteration - - JDK-8334592: ProblemList serviceability/jvmti/stress/StackTrace/NotSuspended/GetStackTraceNotSuspendedStressTest.java in jdk21 on all platforms - - JDK-8334594: Generational ZGC: Deadlock after OopMap rewrites in 8331572 - - JDK-8334600: TEST java/net/MulticastSocket/IPMulticastIF.java fails on linux-aarch64 - - JDK-8334618: ubsan: support setting additional ubsan check options - - JDK-8334653: ISO 4217 Amendment 177 Update - - JDK-8334769: Shenandoah: Move CodeCache_lock close to its use in ShenandoahConcurrentNMethodIterator - - 
JDK-8334867: Add back assertion from JDK-8325494 - - JDK-8335007: Inline OopMapCache table - - JDK-8335134: Test com/sun/jdi/BreakpointOnClassPrepare.java timeout - - JDK-8335150: Test LogGeneratedClassesTest.java fails on rpmbuild mock enviroment - - JDK-8335237: ubsan: vtableStubs.hpp is_vtable_stub exclude from ubsan checks - - JDK-8335283: Build failure due to 'no_sanitize' attribute directive ignored - - JDK-8335409: Can't allocate and retain memory from resource area in frame::oops_interpreted_do oop closure after 8329665 - - JDK-8335493: check_gc_overhead_limit should reset SoftRefPolicy::_should_clear_all_soft_refs - - JDK-8335536: Fix assertion failure in IdealGraphPrinter when append is true - - JDK-8335743: jhsdb jstack cannot print some information on the waiting thread - - JDK-8335775: Remove extraneous 's' in comment of rawmonitor.cpp test file - - JDK-8335904: Fix invalid comment in ShenandoahLock - - JDK-8335967: "text-decoration: none" does not work with "A" HTML tags - - JDK-8336284: Test TestClhsdbJstackLock.java/TestJhsdbJstackLock.java fails with -Xcomp after JDK-8335743 - - JDK-8336301: test/jdk/java/nio/channels/AsyncCloseAndInterrupt.java leaves around a FIFO file upon test completion - - JDK-8336342: Fix known X11 library locations in sysroot - - JDK-8336343: Add more known sysroot library locations for ALSA - - JDK-8336926: jdk/internal/util/ReferencedKeyTest.java can fail with ConcurrentModificationException - - JDK-8336928: GHA: Bundle artifacts removal broken - - JDK-8337038: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java shoud set as /native - - JDK-8337283: configure.log is truncated when build dir is on different filesystem - - JDK-8337622: IllegalArgumentException in java.lang.reflect.Field.get - - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs - - JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods - - 
JDK-8338286: GHA: Demote x86_32 to hotspot build only - - JDK-8338696: (fs) BasicFileAttributes.creationTime() falls back to epoch if birth time is unavailable (Linux) - - JDK-8339869: [21u] Test CreationTime.java fails with UnsatisfiedLinkError after 8334339 - - JDK-8341057: Add 2 SSL.com TLS roots - - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 - - JDK-8341674: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.5 - - JDK-8341989: [21u] Back out JDK-8327501 and JDK-8328366 - -Notes on individual issues: -=========================== - -security-libs/javax.net.ssl: - -JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs -JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 -==================================================================================================== -In accordance with similar plans recently announced by Google and -Mozilla, the JDK will not trust Transport Layer Security (TLS) -certificates issued after the 11th of November 2024 which are anchored -by Entrust root certificates. This includes certificates branded as -AffirmTrust, which are managed by Entrust. - -Certificates issued on or before November 11th, 2024 will continue to -be trusted until they expire. - -If a server's certificate chain is anchored by an affected -certificate, attempts to negotiate a TLS session will fail with an -Exception that indicates the trust anchor is not trusted. For example, - -"TLS server certificate issued after 2024-11-11 and anchored by a -distrusted legacy Entrust root CA: CN=Entrust.net Certification -Authority (2048), OU=(c) 1999 Entrust.net Limited, -OU=www.entrust.net/CPS_2048 incorp. by ref. 
(limits liab.), -O=Entrust.net" - -To check whether a certificate in a JDK keystore is affected by this -change, you can the `keytool` utility: - -keytool -v -list -alias -keystore - -If any of the certificates in the chain are affected by this change, -then you will need to update the certificate or contact the -organisation responsible for managing the certificate. - -These restrictions apply to the following Entrust root certificates -included in the JDK: - -Alias name: entrustevca [jdk] -CN=Entrust Root Certification Authority -OU=(c) 2006 Entrust, Inc. -OU=www.entrust.net/CPS is incorporated by reference -O=Entrust, Inc. -C=US -SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C - -Alias name: entrustrootcaec1 [jdk] -CN=Entrust Root Certification Authority - EC1 -OU=(c) 2012 Entrust, Inc. - for authorized use only -OU=See www.entrust.net/legal-terms -O=Entrust, Inc. -C=US -SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 - -Alias name: entrustrootcag2 [jdk] -CN=Entrust Root Certification Authority - G2 -OU=(c) 2009 Entrust, Inc. - for authorized use only -OU=See www.entrust.net/legal-terms -O=Entrust, Inc. -C=US -SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 - -Alias name: entrustrootcag4 [jdk] -CN=Entrust Root Certification Authority - G4 -OU=(c) 2015 Entrust, Inc. - for authorized use only -OU=See www.entrust.net/legal-terms -O=Entrust, Inc. -C=US -SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 - -Alias name: entrust2048ca [jdk] -CN=Entrust.net Certification Authority (2048) -OU=(c) 1999 Entrust.net Limited -OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) 
-O=Entrust.net -SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 - -Alias name: affirmtrustcommercialca [jdk] -CN=AffirmTrust Commercial -O=AffirmTrust -C=US -SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 - -Alias name: affirmtrustnetworkingca [jdk] -CN=AffirmTrust Networking -O=AffirmTrust -C=US -SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B - -Alias name: affirmtrustpremiumca [jdk] -CN=AffirmTrust Premium -O=AffirmTrust -C=US -SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A - -Alias name: affirmtrustpremiumeccca [jdk] -CN=AffirmTrust Premium ECC -O=AffirmTrust -C=US -SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 - -Users can, *at their own risk*, remove this restriction by modifying -the `java.security` configuration file (or override it by using the -`java.security.properties` system property) so "ENTRUST_TLS" is no -longer listed in the `jdk.security.caDistrustPolicies` security -property. - -security-libs/javax.crypto: - -JDK-8322971: `KEM.getInstance()` Should Check If a Third-Party Security Provider Is Signed -========================================================================================== -The JDK's cryptographic framework authenticates third party security -provider implementations by determining the provider's codebase and -verifying its signature. In previous OpenJDK releases, this -authentication did not take place for Key Encapsulation Mechanism -(KEM) implementations. With this release, KEM implementations are -authenticated in a manner consistent with other JDK service types, -such as Cipher and Mac providers. 
- -tools/launcher: - -JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option -=========================================================================== - -In previous releases of OpenJDK, the `-XshowSettings` launcher option printed a -long list of available locales which obscured other settings. In this release, -the `-XshowSettings` launcher option no longer prints the list of available -locales by default. To view all settings related to available locales, users -can now use the -XshowSettings:locale option. - -security-libs/java.security: - -JDK-8051959: Add thread and timestamp options to java.security.debug system property -==================================================================================== -This release adds the following additional options to the -`java.security.debug` property which can be applied to any specified -component: - -* `+timestamp`: Print a timestamp with each debug statement. -* `+thread`: Print thread and caller information for each debug statement. - -For example, `-Djava.security.debug=all+timestamp+thread` turns on -debug information for all components with both timestamps and thread -information. - -In contrast, `-Djava.security.debug=properties+timestamp` turns on -debug information only for security properties and includes a -timestamp. - -You can use `-Djava.security.debug=help` to display a complete list of -supported components and options. 
- -JDK-8341057: Add 2 SSL.com TLS roots -==================================== -The following root certificates have been added to the cacerts -truststore: - -Name: SSL.com -Alias Name: ssltlsrootecc2022 -Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US - -Name: SSL.com -Alias Name: ssltlsrootrsa2022 -Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US - -core-libs/java.net: - -JDK-8328286: Enhance HTTP client -================================ -This OpenJDK release limits the maximum header field size accepted by -the HTTP client within the JDK for all supported versions of the HTTP -protocol. The header field size is computed as the sum of the size of -the uncompressed header name, the size of the uncompressed header -value and a overhead of 32 bytes for each field section line. If a -peer sends a field section that exceeds this limit, a -`java.net.ProtocolException` will be raised. - -This release also introduces a new system property, -`jdk.http.maxHeaderSize`. This property can be used to alter the -maximum header field size (in bytes) or disable it by setting the -value to zero or a negative value. The default value is 393,216 bytes -or 384kB. - -core-svc/java.lang.management: - -JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods -========================================================================================================== -In previous OpenJDK releases, the behaviour of the `isVerbose` and -`setVerbose` methods in `ClassLoadingMXBean` and `MemoryMXBean` was -inconsistent. The `setVerbose` method would only alter the level of -logging to `stdout`, setting it to `info` when passed the argument -`true`, and `off` when passed `false`. 
However, the `isVerbose` method -would check if logging was enabled on any output, causing it to return -`true` due to the presence of file logging, even when -`setVerbose(false)` had been called to turn off `stdout` logging. -With this release, the `isVerbose` methods only return `true` if -`stdout` logging is enabled. - -New in release OpenJDK 21.0.4 (2024-07-16): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk2104 - -* CVEs - - CVE-2024-21131 - - CVE-2024-21138 - - CVE-2024-21140 - - CVE-2024-21145 - - CVE-2024-21147 -* Security fixes - - JDK-8314794: Improve UTF8 String supports - - JDK-8319859: Better symbol storage - - JDK-8320097: Improve Image transformations - - JDK-8320548: Improved loop handling - - JDK-8323231: Improve array management - - JDK-8323390: Enhance mask blit functionality - - JDK-8324559: Improve 2D image handling - - JDK-8325600: Better symbol storage - - JDK-8327413: Enhance compilation efficiency -* Other changes - - JDK-7001133: OutOfMemoryError by CustomMediaSizeName implementation - - JDK-8159927: Add a test to verify JMOD files created in the images do not have debug symbols - - JDK-8185862: AWT Assertion Failure in ::GetDIBits(hBMDC, hBM, 0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at line 185 - - JDK-8187759: Background not refreshed when painting over a transparent JFrame - - JDK-8223696: java/net/httpclient/MaxStreams.java failed with didn't finish within the time-out - - JDK-8259866: two java.util tests failed with "IOException: There is not enough space on the disk" - - JDK-8266242: java/awt/GraphicsDevice/CheckDisplayModes.java failing on macOS 11 ARM - - JDK-8278527: java/util/concurrent/tck/JSR166TestCase.java fails nanoTime test - - JDK-8280056: gtest/LargePageGtests.java#use-large-pages failed "os.release_one_mapping_multi_commits_vm" - - JDK-8281658: Add a security category to the java -XshowSettings option - - JDK-8288936: Wrong 
lock ordering writing G1HeapRegionTypeChange JFR event - - JDK-8288989: Make tests not depend on the source code - - JDK-8293069: Make -XX:+Verbose less verbose - - JDK-8293850: need a largest_committed metric for each category of NMT's output - - JDK-8294699: Launcher causes lingering busy cursor - - JDK-8294985: SSLEngine throws IAE during parsing of X500Principal - - JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries - - JDK-8299023: TestPLABResize.java and TestPLABPromotion.java are failing intermittently - - JDK-8301183: (zipfs) jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java failing with ZipException:R0 on OL9 - - JDK-8303525: Refactor/cleanup open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java - - JDK-8303773: Replace "main.wrapper" with "test.thread.factory" property in test code - - JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file - - JDK-8303959: tools/jpackage/share/RuntimePackageTest.java fails with java.lang.AssertionError missing files - - JDK-8303972: (zipfs) Make test/jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java independent of the zip command line - - JDK-8304839: Move TestScaffold.main() to the separate class DebugeeWrapper - - JDK-8305645: System Tray icons get corrupted when Windows primary monitor changes - - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none" - - JDK-8306040: HttpResponseInputStream.available() returns 1 on empty stream - - JDK-8308144: Uncontrolled memory consumption in SSLFlowDelegate.Reader - - JDK-8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12 - - JDK-8309142: Refactor test/langtools/tools/javac/versions/Versions.java - - JDK-8309752: com/sun/jdi/SetLocalWhileThreadInNative.java fails with virtual test thread factory due to OpaqueFrameException - - JDK-8309757: com/sun/jdi/ReferrersTest.java fails with virtual test thread factory - - JDK-8309763: Move tests in 
test/jdk/sun/misc/URLClassPath directory to test/jdk/jdk/internal/loader - - JDK-8309871: jdk/jfr/api/consumer/recordingstream/TestSetEndTime.java timed out - - JDK-8309890: TestStringDeduplicationInterned.java waits for the wrong condition - - JDK-8310070: Test: javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out - - JDK-8310228: Improve error reporting for uncaught native exceptions on Windows - - JDK-8310234: Refactor Locale tests to use JUnit - - JDK-8310355: Move the stub test from initialize_final_stubs() to test/hotspot/gtest - - JDK-8310513: [s390x] Intrinsify recursive ObjectMonitor locking - - JDK-8310731: Configure a javax.net.ssl.SNIMatcher for the HTTP/1.1 test servers in java/net/httpclient tests - - JDK-8310818: Refactor more Locale tests to use JUnit - - JDK-8310913: Move ReferencedKeyMap to jdk.internal so it may be shared - - JDK-8311792: java/net/httpclient/ResponsePublisher.java fails intermittently with AssertionError: Found some outstanding operations - - JDK-8311823: JFR: Uninitialized EventEmitter::_thread_id field - - JDK-8311881: jdk/javax/swing/ProgressMonitor/ProgressTest.java does not show the ProgressMonitorInputStream all the time - - JDK-8311964: Some jtreg tests failing on x86 with error 'unrecognized VM options' (C2 flags) - - JDK-8312014: [s390x] TestSigInfoInHsErrFile.java Failure - - JDK-8312194: test/hotspot/jtreg/applications/ctw/modules/jdk_crypto_ec.java cannot handle empty modules - - JDK-8312218: Print additional debug information when hitting assert(in_hash) - - JDK-8312320: Remove javax/rmi/ssl/SSLSocketParametersTest.sh from ProblemList - - JDK-8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection - - JDK-8312498: Thread::getState and JVM TI GetThreadState should return TIMED_WAITING virtual thread is timed parked - - JDK-8312777: notifyJvmtiMount before notifyJvmtiUnmount - - JDK-8313394: Array Elements in OldObjectSample event has the incorrect description - - JDK-8313612: Use JUnit in 
lib-test/jdk tests - - JDK-8313702: Update IANA Language Subtag Registry to Version 2023-08-02 - - JDK-8313710: jcmd: typo in the documentation of JFR.start and JFR.dump - - JDK-8313899: JVMCI exception Translation can fail in TranslatedException. - - JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account - - JDK-8314824: Fix serviceability/jvmti/8036666/GetObjectLockCount.java to use vm flags - - JDK-8314828: Mark 3 jcmd command-line options test as vm.flagless - - JDK-8314832: Few runtime/os tests ignore vm flags - - JDK-8314975: JavadocTester should set source path if not specified - - JDK-8315071: Modify TrayIconScalingTest.java, PrintLatinCJKTest.java to use new PassFailJFrame's builder pattern usage - - JDK-8315117: Update Zlib Data Compression Library to Version 1.3 - - JDK-8315373: Change VirtualThread to unmount after freezing, re-mount before thawing - - JDK-8315485: (fs) Move java/nio/file/Path/Misc.java tests into java/nio/file/Path/PathOps.java - - JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration - - JDK-8315559: Delay TempSymbol cleanup to avoid symbol table churn - - JDK-8315605: G1: Add number of nmethods in code roots scanning statistics - - JDK-8315609: Open source few more swing text/html tests - - JDK-8315652: RISC-V: Features string uses wrong separator for jtreg - - JDK-8315663: Open source misc awt tests - - JDK-8315677: Open source few swing JFileChooser and other tests - - JDK-8315741: Open source few swing JFormattedTextField and JPopupMenu tests - - JDK-8315824: Open source several Swing Text/HTML related tests - - JDK-8315834: Open source several Swing JSpinner related tests - - JDK-8315889: Open source several Swing HTMLDocument related tests - - JDK-8315898: Open source swing JMenu tests - - JDK-8315998: Remove dead ClassLoaderDataGraphKlassIteratorStatic - - JDK-8316002: Remove unnecessary seen_dead_loader in ClassLoaderDataGraph::do_unloading - - JDK-8316053: Open 
some swing tests 3 - - JDK-8316138: Add GlobalSign 2 TLS root certificates - - JDK-8316154: Opensource JTextArea manual tests - - JDK-8316164: Opensource JMenuBar manual test - - JDK-8316186: RISC-V: Remove PlatformCmpxchg<4> - - JDK-8316228: jcmd tests are broken by 8314828 - - JDK-8316242: Opensource SwingGraphics manual test - - JDK-8316451: 6 java/lang/instrument/PremainClass tests ignore VM flags - - JDK-8316460: 4 javax/management tests ignore VM flags - - JDK-8316559: Refactor some util/Calendar tests to JUnit - - JDK-8316563: test tools/jpackage/linux/LinuxResourceTest.java fails on CentOS Linux release 8.5.2111 and Fedora 27 - - JDK-8316608: Enable parallelism in vmTestbase/gc/vector tests - - JDK-8316669: ImmutableOopMapSet destructor not called - - JDK-8316670: Remove effectively unused nmethodBucket::_count - - JDK-8316696: Remove the testing base classes: IntlTest and CollatorTest - - JDK-8316924: java/lang/Thread/virtual/stress/ParkALot.java times out - - JDK-8316959: Improve InlineCacheBuffer pending queue management - - JDK-8317007: Add bulk removal of dead nmethods during class unloading - - JDK-8317235: Remove Access API use in nmethod class - - JDK-8317287: [macos14] InterJVMGetDropSuccessTest.java: Child VM: abnormal termination - - JDK-8317350: Move code cache purging out of CodeCache::UnloadingScope - - JDK-8317440: Lock rank checking fails when code root set is modified with the Servicelock held after JDK-8315503 - - JDK-8317600: VtableStubs::stub_containing() table load not ordered wrt to stores - - JDK-8317631: Refactor ChoiceFormat tests to use JUnit - - JDK-8317677: Specialize Vtablestubs::entry_for() for VtableBlob - - JDK-8317809: Insertion of free code blobs into code cache can be very slow during class unloading - - JDK-8317965: TestLoadLibraryDeadlock.java fails with "Unable to load native library.: expected true, was false" - - JDK-8318109: Writing JFR records while a CHT has taken its lock asserts in rank checking - - JDK-8318322: 
Update IANA Language Subtag Registry to Version 2023-10-16
- - JDK-8318455: Fix the compiler/sharedstubs/SharedTrampolineTest.java and SharedStubToInterpTest.java
- - JDK-8318580: "javax/swing/MultiMonitor/MultimonVImage.java failing with Error. Can't find library: /open/test/jdk/java/awt/regtesthelpers" after JDK-8316053
- - JDK-8318585: Rename CodeCache::UnloadingScope to UnlinkingScope
- - JDK-8318599: HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
- - JDK-8318720: G1: Memory leak in G1CodeRootSet after JDK-8315503
- - JDK-8318727: Enable parallelism in vmTestbase/vm/gc/concurrent tests
- - JDK-8318757: VM_ThreadDump asserts in interleaved ObjectMonitor::deflate_monitor calls
- - JDK-8318854: [macos14] Running any AWT app prints Secure coding warning
- - JDK-8318962: Update ProcessTools javadoc with suggestions in 8315097
- - JDK-8318986: Improve GenericWaitBarrier performance
- - JDK-8319048: Monitor deflation unlink phase prolongs time to safepoint
- - JDK-8319153: Fix: Class is a raw type in ProcessTools
- - JDK-8319265: TestLoadLibraryDeadlock.java fails on windows-x64 "Unable to load b.jar"
- - JDK-8319338: tools/jpackage/share/RuntimeImageTest.java fails with -XX:+UseZGC
- - JDK-8319376: ParallelGC: Forwarded objects found during heap inspection
- - JDK-8319437: NMT should show library names in call stacks
- - JDK-8319567: Update java/lang/invoke tests to support vm flags
- - JDK-8319568: Update java/lang/reflect/exeCallerAccessTest/CallerAccessTest.java to accept vm flags
- - JDK-8319571: Update jni/nullCaller/NullCallerTest.java to accept flags or mark as flagless
- - JDK-8319574: Exec/process tests should be marked as flagless
- - JDK-8319578: Few java/lang/instrument ignore test.java.opts and accept test.vm.opts only
- - JDK-8319647: Few java/lang/System/LoggerFinder/modules tests ignore vm flags
- - JDK-8319648: java/lang/SecurityManager tests ignore vm flags
- - JDK-8319650: Improve heap dump performance
with class metadata caching
- - JDK-8319651: Several network tests ignore vm flags when start java process
- - JDK-8319672: Several classloader tests ignore VM flags
- - JDK-8319676: A couple of jdk/modules/incubator/ tests ignore VM flags
- - JDK-8319677: Test jdk/internal/misc/VM/RuntimeArguments.java should be marked as flagless
- - JDK-8319713: Parallel: Remove PSAdaptiveSizePolicy::should_full_GC
- - JDK-8319757: java/nio/channels/DatagramChannel/InterruptibleOrNot.java failed: wrong exception thrown
- - JDK-8319876: Reduce memory consumption of VM_ThreadDump::doit
- - JDK-8319896: Remove monitor deflation from final audit
- - JDK-8319955: Improve dependencies removal during class unloading
- - JDK-8320005: Allow loading of shared objects with .a extension on AIX
- - JDK-8320061: [nmt] Multiple issues with peak accounting
- - JDK-8320113: [macos14] : ShapeNotSetSometimes.java fails intermittently on macOS 14
- - JDK-8320129: "top" command during jtreg failure handler does not display CPU usage on OSX
- - JDK-8320275: assert(_chunk->bitmap().at(index)) failed: Bit not set at index
- - JDK-8320331: G1 Full GC Heap verification relies on metadata not reset before verification
- - JDK-8320342: Use PassFailJFrame for TruncatedPopupMenuTest.java
- - JDK-8320343: Generate GIF images for AbstractButton/5049549/bug5049549.java
- - JDK-8320349: Simplify FileChooserSymLinkTest.java by using single-window testUI
- - JDK-8320365: IPPPrintService.getAttributes() causes blanket re-initialisation
- - JDK-8320370: NMT: Change MallocMemorySnapshot to simplify code.
- - JDK-8320515: assert(monitor->object_peek() != nullptr) failed: Owned monitors should not have a dead object
- - JDK-8320525: G1: G1UpdateRemSetTrackingBeforeRebuild::distribute_marked_bytes accesses partially unloaded klass
- - JDK-8320570: NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters
- - JDK-8320681: [macos] Test tools/jpackage/macosx/MacAppStoreJlinkOptionsTest.java timed out on macOS
- - JDK-8320692: Null icon returned for .exe without custom icon
- - JDK-8320707: Virtual thread test updates
- - JDK-8320712: Rewrite BadFactoryTest in pure Java
- - JDK-8320714: java/util/Locale/LocaleProvidersRun.java and java/util/ResourceBundle/modules/visibility/VisibilityTest.java timeout after passing
- - JDK-8320715: Improve the tests of test/hotspot/jtreg/compiler/intrinsics/float16
- - JDK-8320924: Improve heap dump performance by optimizing archived object checks
- - JDK-8321075: RISC-V: UseSystemMemoryBarrier lacking proper OS support
- - JDK-8321107: Add more test cases for JDK-8319372
- - JDK-8321163: [test] OutputAnalyzer.getExitValue() unnecessarily logs even when process has already completed
- - JDK-8321182: SourceExample.SOURCE_14 comment should refer to 'switch expressions' instead of 'text blocks'
- - JDK-8321270: Virtual Thread.yield consumes parking permit
- - JDK-8321276: runtime/cds/appcds/dynamicArchive/DynamicSharedSymbols.java failed with "'17 2: jdk/test/lib/apps ' missing from stdout/stderr"
- - JDK-8321489: Update LCMS to 2.16
- - JDK-8321713: Harmonize executeTestJvm with create[Limited]TestJavaProcessBuilder
- - JDK-8321718: ProcessTools.executeProcess calls waitFor before logging
- - JDK-8321812: Update GC tests to use execute[Limited]TestJava
- - JDK-8321815: Shenandoah: gc state should be synchronized to java threads only once per safepoint
- - JDK-8321925: sun/security/mscapi/KeytoolChangeAlias.java fails with "Alias <246810> does not exist"
- - JDK-8322239: [macos] a11y : java.lang.NullPointerException is
thrown when focus is moved on the JTabbedPane
- - JDK-8322477: order of subclasses in the permits clause can differ between compilations
- - JDK-8322503: Shenandoah: Clarify gc state usage
- - JDK-8322818: Thread::getStackTrace can fail with InternalError if virtual thread is timed-parked when pinned
- - JDK-8322846: Running with -Djdk.tracePinnedThreads set can hang
- - JDK-8322858: compiler/c2/aarch64/TestFarJump.java fails on AArch64 due to unexpected PrintAssembly output
- - JDK-8322920: Some ProcessTools.execute* functions are declared to throw Throwable
- - JDK-8322962: Upcall stub might go undetected when freezing frames
- - JDK-8323002: test/jdk/java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java times out on macosx-x64
- - JDK-8323170: j2dbench is using outdated javac source/target to be able to build by itself
- - JDK-8323210: Update the usage of cmsFLAGS_COPY_ALPHA
- - JDK-8323276: StressDirListings.java fails on AIX
- - JDK-8323296: java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java#id1 timed out
- - JDK-8323519: Add applications/ctw/modules to Hotspot tiered testing
- - JDK-8323595: is_aligned(p, alignof(OopT))) assertion fails in Jetty without compressed OOPs
- - JDK-8323635: Test gc/g1/TestHumongousAllocConcurrentStart.java fails with -XX:TieredStopAtLevel=3
- - JDK-8323685: PrintSystemDictionaryAtExit has mutex rank assert
- - JDK-8323994: gtest runner repeats test name for every single gtest assertion
- - JDK-8324121: SIGFPE in PhaseIdealLoop::extract_long_range_checks
- - JDK-8324123: aarch64: fix prfm literal encoding in assembler
- - JDK-8324236: compiler/ciReplay/TestInliningProtectionDomain.java failed with RuntimeException: should only dump inline information for ...
expected true, was false
- - JDK-8324238: [macOS] java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails with the shape has not been applied msg
- - JDK-8324243: Compilation failures in java.desktop module with gcc 14
- - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
- - JDK-8324646: Avoid Class.forName in SecureRandom constructor
- - JDK-8324648: Avoid NoSuchMethodError when instantiating NativePRNG
- - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
- - JDK-8324733: [macos14] Problem list tests which fail due to macOS bug described in JDK-8322653
- - JDK-8324817: Parallel GC does not pre-touch all heap pages when AlwaysPreTouch enabled and large page disabled
- - JDK-8324824: AArch64: Detect Ampere-1B core and update default options for Ampere CPUs
- - JDK-8324834: Use _LARGE_FILES on AIX
- - JDK-8324933: ConcurrentHashTable::statistics_calculate synchronization is expensive
- - JDK-8324998: Add test cases for String.regionMatches comparing Turkic dotted/dotless I with uppercase latin I
- - JDK-8325024: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java incorrect comment information
- - JDK-8325028: (ch) Pipe channels should lazily set socket to non-blocking mode on first use by virtual thread
- - JDK-8325095: C2: bailout message broken: ResourceArea allocated string used after free
- - JDK-8325137: com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java can fail in Xcomp with out of expected range
- - JDK-8325203: System.exit(0) kills the launched 3rd party application
- - JDK-8325213: Flags introduced by configure script are not passed to ADLC build
- - JDK-8325255: jdk.internal.util.ReferencedKeySet::add using wrong test
- - JDK-8325326: [PPC64] Don't relocate in case of allocation failure
- - JDK-8325372: Shenandoah: SIGSEGV crash in unnecessary_acquire due to LoadStore split through phi
- - JDK-8325432: enhance assert message "relocation addr must be in this section"
- - JDK-8325437: Safepoint
polling in monitor deflation can cause massive logs
- - JDK-8325567: jspawnhelper without args fails with segfault
- - JDK-8325579: Inconsistent behavior in com.sun.jndi.ldap.Connection::createSocket
- - JDK-8325613: CTW: Stale method cleanup requires GC after Sweeper removal
- - JDK-8325621: Improve jspawnhelper version checks
- - JDK-8325743: test/jdk/java/nio/channels/unixdomain/SocketOptions.java enhance user name output in error case
- - JDK-8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests
- - JDK-8325908: Finish removal of IntlTest and CollatorTest
- - JDK-8325972: Add -x to bash for building with LOG=debug
- - JDK-8326006: Allow TEST_VM_FLAGLESS to set flagless mode
- - JDK-8326101: [PPC64] Need to bailout cleanly if creation of stubs fails when code cache is out of space
- - JDK-8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns
- - JDK-8326201: [S390] Need to bailout cleanly if creation of stubs fails when code cache is out of space
- - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
- - JDK-8326446: The User and System of jdk.CPULoad on Apple M1 are inaccurate
- - JDK-8326496: [test] checkHsErrFileContent support printing hserr in error case
- - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
- - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
- - JDK-8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used
- - JDK-8326638: Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop
- - JDK-8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
- - JDK-8326661: sun/java2d/cmm/ColorConvertOp/ColConvTest.java assumes profiles were generated by LCMS
- - JDK-8326685: Linux builds not
reproducible if two builds configured in different build folders
- - JDK-8326718: Test java/util/Formatter/Padding.java should timeout on large inputs before fix in JDK-8299677
- - JDK-8326773: Bump update version for OpenJDK: jdk-21.0.4
- - JDK-8326824: Test: remove redundant test in compiler/vectorapi/reshape/utils/TestCastMethods.java
- - JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries
- - JDK-8326936: RISC-V: Shenandoah GC crashes due to incorrect atomic memory operations
- - JDK-8326948: Force English locale for timeout formatting
- - JDK-8326960: GHA: RISC-V sysroot cannot be debootstrapped due to ongoing Debian t64 transition
- - JDK-8326974: ODR violation in macroAssembler_aarch64.cpp
- - JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0
- - JDK-8327059: os::Linux::print_proc_sys_info add swappiness information
- - JDK-8327096: (fc) java/nio/channels/FileChannel/Size.java fails on partition incapable of creating large files
- - JDK-8327136: javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java fails on libgraal
- - JDK-8327180: Failed: java/io/ObjectStreamClass/ObjectStreamClassCaching.java#G1
- - JDK-8327261: Parsing test for Double/Float succeeds w/o testing all bad cases
- - JDK-8327468: Do not restart close if errno is EINTR [macOS/linux]
- - JDK-8327474: Review use of java.io.tmpdir in jdk tests
- - JDK-8327486: java/util/Properties/PropertiesStoreTest.java fails "Text 'xxx' could not be parsed at index 20" after 8174269
- - JDK-8327631: Update IANA Language Subtag Registry to Version 2024-03-07
- - JDK-8327799: JFR view: the "Park Until" field of jdk.ThreadPark is invalid if the parking method is not absolute
- - JDK-8327971: Multiple ASAN errors reported for metaspace
- - JDK-8327988: When running ASAN, disable dangerous NMT test
- - JDK-8327989: java/net/httpclient/ManyRequest.java should not use "localhost" in URIs
- - JDK-8327998:
Enable java/lang/ProcessBuilder/JspawnhelperProtocol.java on Mac
- - JDK-8328037: Test java/util/Formatter/Padding.java has unnecessary high heap requirement after JDK-8326718
- - JDK-8328066: WhiteBoxResizeTest failure on linux-x86: Could not reserve enough space for 2097152KB object heap
- - JDK-8328165: improve assert(idx < _maxlrg) failed: oob
- - JDK-8328166: Epsilon: 'EpsilonHeap::allocate_work' misuses the parameter 'size' as size in bytes
- - JDK-8328168: Epsilon: Premature OOM when allocating object larger than uncommitted heap size
- - JDK-8328194: Add a test to check default rendering engine
- - JDK-8328524: [x86] StringRepeat.java failure on linux-x86: Could not reserve enough space for 2097152KB object heap
- - JDK-8328540: test javax/swing/JSplitPane/4885629/bug4885629.java fails on windows hidpi
- - JDK-8328555: hidpi problems for test java/awt/Dialog/DialogAnotherThread/JaWSTest.java
- - JDK-8328589: unify os::breakpoint among posix platforms
- - JDK-8328592: hprof tests fail with -XX:-CompactStrings
- - JDK-8328604: remove on_aix() function
- - JDK-8328638: Fallback option for POST-only OCSP requests
- - JDK-8328702: C2: Crash during parsing because sub type check is not folded
- - JDK-8328703: Illegal accesses in Java_jdk_internal_org_jline_terminal_impl_jna_linux_CLibraryImpl_ioctl0
- - JDK-8328705: GHA: Cross-compilation jobs do not require build JDK
- - JDK-8328709: AIX os::get_summary_cpu_info support Power 10
- - JDK-8328744: Parallel: Parallel GC throws OOM before heap is fully expanded
- - JDK-8328776: [AIX] remove checked_vmgetinfo, use vmgetinfo directly
- - JDK-8328812: Update and move siphash license
- - JDK-8328822: C2: "negative trip count?"
assert failure in profile predicate code
- - JDK-8328825: Google CAInterop test failures
- - JDK-8328938: C2 SuperWord: disable vectorization for large stride and scale
- - JDK-8328948: GHA: Restoring sysroot from cache skips the build after JDK-8326960
- - JDK-8328957: Update PKCS11Test.java to not use hardcoded path
- - JDK-8328988: [macos14] Problem list LightweightEventTest.java which fails due to macOS bug described in JDK-8322653
- - JDK-8328997: Remove unnecessary template parameter lists in GrowableArray
- - JDK-8329013: StackOverflowError when starting Apache Tomcat with signed jar
- - JDK-8329109: Threads::print_on() tries to print CPU time for terminated GC threads
- - JDK-8329163: C2: possible overflow in PhaseIdealLoop::extract_long_range_checks()
- - JDK-8329213: Better validation for com.sun.security.ocsp.useget option
- - JDK-8329223: Parallel: Parallel GC resizes heap even if -Xms = -Xmx
- - JDK-8329545: [s390x] Fix garbage value being passed in Argument Register
- - JDK-8329570: G1: Excessive is_obj_dead_cond calls in verification
- - JDK-8329605: hs errfile generic events - move memory protections and nmethod flushes to separate sections
- - JDK-8329663: hs_err file event log entry for thread adding/removing should print current thread
- - JDK-8329823: RISC-V: Need to sync CPU features with related JVM flags
- - JDK-8329840: Fix ZPhysicalMemorySegment::_end type
- - JDK-8329850: [AIX] Allow loading of different members of same shared library archive
- - JDK-8329862: libjli GetApplicationHome cleanups and enhance jli tracing
- - JDK-8329961: Buffer overflow in os::Linux::kernel_version
- - JDK-8330011: [s390x] update block-comments to make code consistent
- - JDK-8330094: RISC-V: Save and restore FRM in the call stub
- - JDK-8330156: RISC-V: Range check auipc + signed 12 imm instruction
- - JDK-8330242: RISC-V: Simplify and remove CORRECT_COMPILER_ATOMIC_SUPPORT in atomic_linux_riscv.hpp
- - JDK-8330275: Crash in XMark::follow_array
- -
JDK-8330464: hserr generic events - add entry for the before_exit calls - - JDK-8330523: Reduce runtime and improve efficiency of KeepAliveTest - - JDK-8330524: Linux ppc64le compile warning with clang in os_linux_ppc.cpp - - JDK-8330615: avoid signed integer overflows in zip_util.c readCen / hashN - - JDK-8330815: Use pattern matching for instanceof in KeepAliveCache - - JDK-8331031: unify os::dont_yield and os::naked_yield across Posix platforms - - JDK-8331113: createJMHBundle.sh support configurable maven repo mirror - - JDK-8331167: UBSan enabled build fails in adlc on macOS - - JDK-8331298: avoid alignment checks in UBSAN enabled build - - JDK-8331331: :tier1 target explanation in doc/testing.md is incorrect - - JDK-8331352: error: template-id not allowed for constructor/destructor in C++20 - - JDK-8331466: Problemlist serviceability/dcmd/gc/RunFinalizationTest.java on generic-all - - JDK-8331639: [21u]: Bump GHA bootstrap JDK to 21.0.3 - - JDK-8331942: On Linux aarch64, CDS archives should be using 64K alignment by default - - JDK-8332253: Linux arm32 build fails after 8292591 - - JDK-8334441: Mark tests in jdk_security_infra group as manual - - JDK-8335960: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.4 - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8281658: Add a security category to the java -XshowSettings option -====================================================================== - -The `-XshowSettings` launcher option now has a 'security' category, allowing -the following arguments to be passed: - -* -XshowSettings:security or -XshowSettings:security:all: show all security settings and continue -* -XshowSettings:security:properties - show security properties and continue -* -XshowSettings:security:providers - show static security provider settings and continue -* -XshowSettings:security:tls - show TLS related security settings and continue - -The output will include 
third-party security providers if they are -included in the application class path or module path, and configured -in the java.security file. - -JDK-8316138: Add GlobalSign 2 TLS root certificates -=================================================== -The following root certificates have been added to the cacerts -truststore: - -Name: GlobalSign -Alias Name: globalsignr46 -Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE - -Name: GlobalSign -Alias Name: globalsigne46 -Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE - -security-libs/javax.security: - -JDK-8328638: Fallback Option For POST-only OCSP Requests -======================================================== -JDK-8179503, introduced in OpenJDK 17, added support for using the -HTTP GET method for OCSP requests. This was turned on unconditionally -for small requests. - -RFC 5019 and RFC 6960 explicitly allow and recommend the use of HTTP -GET requests. However, some OCSP responders have been observed to not -work well with such requests. - -With this release, the JDK system property -`com.sun.security.ocsp.useget` is introduced. The default setting is -'true' which retains the current behaviour of using GET requests for -small requests. If the property is instead set to 'false', only HTTP -POST requests will be used, regardless of size. - -This option is non-standard and may be removed again if problematic -OCSP responders are no longer an issue. - -infrastructure/build: - -JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries -================================================================================== -Native executables and libraries in the JDK use embedded runtime -search paths to locate required internal JDK native libraries. On -Linux systems, there are two ways of specifying these search paths; -DT_RPATH and DT_RUNPATH. 
- -The main difference between the two options is that paths specified by -DT_RPATH are searched before those in the LD_LIBRARY_PATH environment -variable, whereas DT_RUNPATH paths are considered afterwards. This -means the use of DT_RUNPATH can allow JDK internal libraries to be -overridden by libraries of the same name found on the LD_LIBRARY_PATH. - -Builds of earlier OpenJDK releases left the choice of which type of -runtime search path to use down to the default of the linker. With -this release, the option `--disable-new-dtags` is explicitly passed to -the linker to avoid setting DT_RUNPATH. - -tools/jpackage: - -JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries -========================================================================================= -The jpackage tool uses `dpkg -S` to lookup which package provides a -particular file on Debian and Ubuntu systems. However, on newer Debian -and Ubuntu systems, `dpkg -S` does not resolve symlinks. In this -OpenJDK release, jpackage now resolves symlinks before passing the -real path of the file to dpkg. - -hotspot/gc: - -JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account -========================================================================================= -To comply with the settings of `-XX:MinHeapFreeRatio` and -`-XX:MaxHeapFreeRatio`, the G1 garbage collector adjusts the Java heap -size during the Remark phase, keeping the number of free regions -within these bounds. - -In earlier OpenJDK releases, Eden regions were considered to be -occupied or full for this calculation. This made the heap size -dependent on the Eden occupancy at the time the Remark phase was -run. However, after the next garbage collection, these Eden regions -would be empty. - -With this OpenJDK release, Eden regions are now considered empty or -free during the Remark phase calculation. 
The overall effect is that -G1 now expands the Java heap less aggressively and more -determinstically, as the number of free regions does not vary as much. -It also aligns Java heap sizing with the full GC heap sizing. -However, this may potentially lead to more garbage collections. - -JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration -================================================================================= -The Code Root Scan phase of garbage collection finds references to -Java objects within compiled code. To speed up this process, a cache -is maintained within each region of the compiled code that contains -references into the Java heap. - -On the assumption that the set of references was small, previous -releases used a single thread per region to iterate through these -references. This introduced a scalability bottleneck, where -performance could be reduced if a particular region contained a large -number of references. - -In this release, multiple threads are used, removing this bottleneck. 
-
-New in release OpenJDK 21.0.3 (2024-04-16):
-===========================================
-Live versions of these release notes can be found at:
- * https://bit.ly/openjdk2103
-
-* CVEs
- - CVE-2024-21012
- - CVE-2024-21011
- - CVE-2024-21068
-* Security fixes
- - JDK-8315708: Enhance HTTP/2 client usage
- - JDK-8318340: Improve RSA key implementations
- - JDK-8319851: Improve exception logging
- - JDK-8322122: Enhance generation of addresses
-* Other changes
- - JDK-6928542: Chinese characters in RTF are not decoded
- - JDK-8009550: PlatformPCSC should load versioned so
- - JDK-8077371: Binary files in JAXP test should be removed
- - JDK-8169475: WheelModifier.java fails by timeout
- - JDK-8209595: MonitorVmStartTerminate.java timed out
- - JDK-8210410: Refactor java.util.Currency:i18n shell tests to plain java tests
- - JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from
- - JDK-8263256: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails due to dynamic reconfigurations of network interface during test
- - JDK-8264899: C1: -XX:AbortVMOnException does not work if all methods in the call stack are compiled with C1 and there are no exception handlers
- - JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11
- - JDK-8295343: sun/security/pkcs11 tests fail on Linux RHEL 8.6 and newer
- - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
- - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
- - JDK-8304020: Speed up test/jdk/java/util/zip/ZipFile/TestTooManyEntries.java and clarify its purpose
- - JDK-8304292: Memory leak related to ClassLoader::update_class_path_entry_list
- - JDK-8305962: update jcstress to 0.16
- - JDK-8305971: NPE in JavacProcessingEnvironment for missing enum constructor body
- - JDK-8306922: IR verification fails because IR dump is chopped up
- - JDK-8307408: Some jdk/sun/tools/jhsdb tests don't pass test JVM args to the debuggee JVM
- - JDK-8309109: AArch64:
[TESTBUG] compiler/intrinsics/sha/cli/TestUseSHA3IntrinsicsOptionOnSupportedCPU.java fails on Neoverse N2 and V1
- - JDK-8309203: C2: remove copy-by-value of GrowableArray for InterfaceSet
- - JDK-8309302: java/net/Socket/Timeouts.java fails with AssertionError on test temporal post condition
- - JDK-8309697: [TESTBUG] Remove "@requires vm.flagless" from jtreg vectorization tests
- - JDK-8310031: Parallel: Implement better work distribution for large object arrays in old gen
- - JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/bug6889007.java fails
- - JDK-8310308: IR Framework: check for type and size of vector nodes
- - JDK-8310629: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java fails with RuntimeException Server not ready
- - JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is spuriously passing
- - JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out
- - JDK-8310844: [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate
- - JDK-8310919: runtime/ErrorHandling/TestAbortVmOnException.java times out due to core dumps taking a long time on OSX
- - JDK-8310923: Refactor Currency tests to use JUnit
- - JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform
- - JDK-8311279: TestStressIGVNAndCCP.java failed with different IGVN traces for the same seed
- - JDK-8311581: Remove obsolete code and comments in TestLVT.java
- - JDK-8311588: C2: RepeatCompilation compiler directive does not choose stress seed randomly
- - JDK-8311663: Additional refactoring of Locale tests to JUnit
- - JDK-8311893: Interactive component with ARIA role 'tabpanel' does not have a programmatically associated name
- - JDK-8311986: Disable runtime/os/TestTracePageSizes.java for ShenandoahGC
- - JDK-8311992: Test java/lang/Thread/virtual/JfrEvents::testVirtualThreadPinned failed
- - JDK-8312136: Modify runtime/ErrorHandling/TestDwarf.java to split dwarf and decoder testing
- - JDK-8312416: Tests
in Locale should have more descriptive names
- - JDK-8312428: PKCS11 tests fail with NSS 3.91
- - JDK-8312916: Remove remaining usages of -Xdebug from test/hotspot/jtreg
- - JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles
- - JDK-8313229: DHEKeySizing.java should be modified to use TLS versions TLSv1, TLSv1.1, TLSv1.2
- - JDK-8313507: Remove pkcs11/Cipher/TestKATForGCM.java from ProblemList
- - JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/TestFloatingDecimal should use RandomFactory
- - JDK-8313638: Add test for dump of resolved references
- - JDK-8313670: Simplify shared lib name handling code in some tests
- - JDK-8313720: C2 SuperWord: wrong result with -XX:+UseVectorCmov -XX:+UseCMoveUnconditionally
- - JDK-8313816: Accessing jmethodID might lead to spurious crashes
- - JDK-8313854: Some tests in serviceability area fail on localized Windows platform
- - JDK-8314164: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails intermittently in timeout
- - JDK-8314220: Configurable InlineCacheBuffer size
- - JDK-8314283: Support for NSS tests on aarch64 platforms
- - JDK-8314320: Mark runtime/CommandLine/ tests as flagless
- - JDK-8314333: Update com/sun/jdi/ProcessAttachTest.java to use ProcessTools.createTestJvm(..)
- - JDK-8314513: [IR Framework] Some internal IR Framework tests are failing after JDK-8310308 on PPC and Cascade Lake
- - JDK-8314578: Non-verifiable code is emitted when two guards declare pattern variables in colon-switch
- - JDK-8314610: hotspot can't compile with the latest of gtest because of
- - JDK-8314612: TestUnorderedReduction.java fails with -XX:MaxVectorSize=32 and -XX:+AlignVector
- - JDK-8314629: Generational ZGC: Clearing All SoftReferences log line lacks GCId
- - JDK-8314829: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java ignores vm flags
- - JDK-8314830: runtime/ErrorHandling/ tests ignore external VM flags
- - JDK-8314831: NMT tests ignore vm flags
- - JDK-8314835: gtest wrappers should be marked as flagless
- - JDK-8314837: 5 compiled/codecache tests ignore VM flags
- - JDK-8314838: 3 compiler tests ignore vm flags
- - JDK-8314990: Generational ZGC: Strong OopStorage stats reported as weak roots
- - JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder
- - JDK-8315042: NPE in PKCS7.parseOldSignedData
- - JDK-8315097: Rename createJavaProcessBuilder
- - JDK-8315241: (fs) Move toRealPath tests in java/nio/file/Path/Misc.java to separate JUnit 5 test
- - JDK-8315406: [REDO] serviceability/jdwp/AllModulesCommandTest.java ignores VM flags
- - JDK-8315594: Open source few headless Swing misc tests
- - JDK-8315600: Open source few more headless Swing misc tests
- - JDK-8315602: Open source swing security manager test
- - JDK-8315611: Open source swing text/html and tree test
- - JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch
- - JDK-8315721: CloseRace.java#id0 fails transiently on libgraal
- - JDK-8315726: Open source several AWT applet tests
- - JDK-8315731: Open source several Swing Text related tests
- - JDK-8315761: Open source few swing JList and JMenuBar tests
- - JDK-8315891: java/foreign/TestLinker.java failed with "error occurred while instantiating class TestLinker:
null"
- - JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/bug4654927.java: component must be showing on the screen to determine its location
- - JDK-8315988: Parallel: Make TestAggressiveHeap use createTestJvm
- - JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm
- - JDK-8316028: Update FreeType to 2.13.2
- - JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests
- - JDK-8316132: CDSProtectionDomain::get_shared_protection_domain should check for exception
- - JDK-8316229: Enhance class initialization logging
- - JDK-8316309: AArch64: VMError::print_native_stack() crashes on Java native method frame
- - JDK-8316319: Generational ZGC: The SoftMaxHeapSize might be wrong when CDS decreases the MaxHeapSize
- - JDK-8316392: compiler/interpreter/TestVerifyStackAfterDeopt.java failed with SIGBUS in PcDescContainer::find_pc_desc_internal
- - JDK-8316410: GC: Make TestCompressedClassFlags use createTestJvm
- - JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/CheckOrigin.java as vm.flagless
- - JDK-8316446: 4 sun/management/jdp tests ignore VM flags
- - JDK-8316447: 8 sun/management/jmxremote tests ignore VM flags
- - JDK-8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags
- - JDK-8316464: 3 sun/tools tests ignore VM flags
- - JDK-8316562: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java times out after JDK-8314829
- - JDK-8316594: C2 SuperWord: wrong result with hand unrolled loops
- - JDK-8316661: CompilerThread leaks CodeBlob memory when dynamically stopping compiler thread in non-product
- - JDK-8316693: Simplify at-requires checkDockerSupport()
- - JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly
- - JDK-8316961: Fallback implementations for 64-bit Atomic::{add,xchg} on 32-bit platforms
- - JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm
- - JDK-8317042: G1: Make TestG1ConcMarkStepDurationMillis use createTestJvm
- -
JDK-8317144: Exclude sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java on Linux ppc64le - - JDK-8317188: G1: Make TestG1ConcRefinementThreads use createTestJvm - - JDK-8317218: G1: Make TestG1HeapRegionSize use createTestJvm - - JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm - - JDK-8317300: javac erroneously allows "final" in front of a record pattern - - JDK-8317307: test/jdk/com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information - - JDK-8317316: G1: Make TestG1PercentageOptions use createTestJvm - - JDK-8317317: G1: Make TestG1RemSetFlags use createTestJvm - - JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm - - JDK-8317347: Parallel: Make TestInitialTenuringThreshold use createTestJvm - - JDK-8317358: G1: Make TestMaxNewSize use createTestJvm - - JDK-8317522: Test logic for BODY_CF in AbstractThrowingSubscribers.java is wrong - - JDK-8317535: Shenandoah: Remove unused code - - JDK-8317771: [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma - - JDK-8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18 - - JDK-8318039: GHA: Bump macOS and Xcode versions - - JDK-8318082: ConcurrentModificationException from IndexWriter - - JDK-8318154: Improve stability of WheelModifier.java test - - JDK-8318157: RISC-V: implement ensureMaterializedForStackWalk intrinsic - - JDK-8318158: RISC-V: implement roundD/roundF intrinsics - - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows - - JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 - - JDK-8318490: Increase timeout for JDK tests that are close to the limit when run with libgraal - - JDK-8318590: JButton ignores margin when painting HTML text - - JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java - - JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests 
- - JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests - - JDK-8318613: ChoiceFormat patterns are not well tested - - JDK-8318689: jtreg is confused when folder name is the same as the test name - - JDK-8318696: Do not use LFS64 symbols on Linux - - JDK-8318737: Fallback linker passes bad JNI handle - - JDK-8318809: java/util/concurrent/ConcurrentLinkedQueue/WhiteBox.java shows intermittent failures on linux ppc64le and aarch64 - - JDK-8318964: Fix build failures caused by 8315097 - - JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files - - JDK-8318983: Fix comment typo in PKCS12Passwd.java - - JDK-8319103: Popups that request focus are not shown on Linux with Wayland - - JDK-8319124: Update XML Security for Java to 3.0.3 - - JDK-8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64 - - JDK-8319136: Skip pkcs11 tests on linux-aarch64 - - JDK-8319137: release _object in ObjectMonitor dtor to avoid races - - JDK-8319213: Compatibility.java reads both stdout and stderr of JdkUtils - - JDK-8319314: NMT detail report slow or hangs for large number of mappings - - JDK-8319372: C2 compilation fails with "Bad immediate dominator info" - - JDK-8319382: com/sun/jdi/JdwpAllowTest.java shows failures on AIX if prefixLen of mask is larger than 32 in IPv6 case - - JDK-8319456: jdk/jfr/event/gc/collection/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes - - JDK-8319548: Unexpected internal name for Filler array klass causes error in VisualVM - - JDK-8319569: Several java/util tests should be updated to accept VM flags - - JDK-8319633: runtime/posixSig/TestPosixSig.java intermittent timeouts on UNIX - - JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh - - JDK-8319777: Zero: Support 8-byte cmpxchg - - JDK-8319879: Stress mode to randomize incremental inlining decision - - JDK-8319883: Zero: Use atomic built-ins for 64-bit accesses - - JDK-8319897: Move StackWatermark 
handling out of LockStack::contains - - JDK-8319938: TestFileChooserSingleDirectorySelection.java fails with "getSelectedFiles returned empty array" - - JDK-8320052: Zero: Use __atomic built-ins for atomic RMW operations - - JDK-8320145: Compiler should accept final variable in Record Pattern - - JDK-8320168: handle setsocktopt return values - - JDK-8320206: Some intrinsics/stubs missing vzeroupper on x86_64 - - JDK-8320208: Update Public Suffix List to b5bf572 - - JDK-8320300: Adjust hs_err output in malloc/mmap error cases - - JDK-8320303: Allow PassFailJFrame to accept single window creator - - JDK-8320309: AIX: pthreads created by foreign test library don't work as expected - - JDK-8320383: refresh libraries cache on AIX in VMError::report - - JDK-8320582: Zero: Misplaced CX8 enablement flag - - JDK-8320798: Console read line with zero out should zero out underlying buffer - - JDK-8320807: [PPC64][ZGC] C1 generates wrong code for atomics - - JDK-8320830: [AIX] Dont mix os::dll_load() with direct dlclose() calls - - JDK-8320877: Shenandoah: Remove ShenandoahUnloadClassesFrequency support - - JDK-8320888: Shenandoah: Enable ShenandoahVerifyOptoBarriers in debug builds - - JDK-8320890: [AIX] Find a better way to mimic dl handle equality - - JDK-8320898: exclude compiler/vectorapi/reshape/TestVectorReinterpret.java on ppc64(le) platforms - - JDK-8320907: Shenandoah: Remove ShenandoahSelfFixing flag - - JDK-8320921: GHA: Parallelize hotspot_compiler test jobs - - JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp - - JDK-8320943: Files/probeContentType/Basic.java fails on latest Windows 11 - content type mismatch - - JDK-8321120: Shenandoah: Remove ShenandoahElasticTLAB flag - - JDK-8321122: Shenandoah: Remove ShenandoahLoopOptsAfterExpansion flag - - JDK-8321131: Console read line with zero out should zero out underlying buffer in JLine - - JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions - - JDK-8321164: javac with 
annotation processor throws AssertionError: Filling jrt:/... during JarFileObject[/...] - - JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode - - JDK-8321269: Require platforms to define DEFAULT_CACHE_LINE_SIZE - - JDK-8321374: Add a configure option to explicitly set CompanyName property in VersionInfo resource for Windows exe/dll - - JDK-8321408: Add Certainly roots R1 and E1 - - JDK-8321409: Console read line with zero out should zero out underlying buffer in JLine (redux) - - JDK-8321410: Shenandoah: Remove ShenandoahSuspendibleWorkers flag - - JDK-8321480: ISO 4217 Amendment 176 Update - - JDK-8321542: C2: Missing ChaCha20 stub for x86_32 leads to crashes - - JDK-8321582: yield .class not parsed correctly. - - JDK-8321599: Data loss in AVX3 Base64 decoding - - JDK-8321619: Generational ZGC: ZColorStoreGoodOopClosure is only valid for young objects - - JDK-8321894: Bump update version for OpenJDK: 21.0.3 - - JDK-8321972: test runtime/Unsafe/InternalErrorTest.java timeout on linux-riscv64 platform - - JDK-8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized - - JDK-8322040: Missing array bounds check in ClassReader.parameter - - JDK-8322098: os::Linux::print_system_memory_info enhance the THP output with /sys/kernel/mm/transparent_hugepage/hpage_pmd_size - - JDK-8322142: JFR: Periodic tasks aren't orphaned between recordings - - JDK-8322159: ThisEscapeAnalyzer crashes for erroneous code - - JDK-8322255: Generational ZGC: ZPageSizeMedium should be set before MaxTenuringThreshold - - JDK-8322279: Generational ZGC: Use ZFragmentationLimit and ZYoungCompactionLimit as percentage instead of multiples - - JDK-8322282: Incorrect LoaderConstraintTable::add_entry after JDK-8298468 - - JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces - - JDK-8322417: Console read line with zero out should zero out when throwing exception - - JDK-8322418: Problem list gc/TestAllocHumongousFragment.java subtests for 8298781 - 
- JDK-8322512: StringBuffer.repeat does not work correctly after toString() was called - - JDK-8322583: RISC-V: Enable fast class initialization checks - - JDK-8322725: (tz) Update Timezone Data to 2023d - - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray - - JDK-8322772: Clean up code after JDK-8322417 - - JDK-8322783: prioritize /etc/os-release over /etc/SuSE-release in hs_err/info output - - JDK-8322790: RISC-V: Tune costs for shuffles with no conversion - - JDK-8322957: Generational ZGC: Relocation selection must join the STS - - JDK-8323008: filter out harmful -std* flags added by autoconf from CXX - - JDK-8323021: Shenandoah: Encountered reference count always attributed to first worker thread - - JDK-8323065: Unneccesary CodeBlob lookup in CompiledIC::internal_set_ic_destination - - JDK-8323086: Shenandoah: Heap could be corrupted by oom during evacuation - - JDK-8323101: C2: assert(n->in(0) == nullptr) failed: divisions with zero check should already have bailed out earlier in split-if - - JDK-8323154: C2: assert(cmp != nullptr && cmp->Opcode() == Op_Cmp(bt)) failed: no exit test - - JDK-8323243: JNI invocation of an abstract instance method corrupts the stack - - JDK-8323331: fix typo hpage_pdm_size - - JDK-8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled - - JDK-8323515: Create test alias "all" for all test roots - - JDK-8323637: Capture hotspot replay files in GHA - - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed - - JDK-8323659: LinkedTransferQueue add and put methods call overridable offer - - JDK-8323664: java/awt/font/JNICheck/FreeTypeScalerJNICheck.java still fails with JNI warning on some Windows configurations - - JDK-8323667: Library debug files contain non-reproducible full gcc include paths - - JDK-8323671: DevKit build gcc 
libraries contain full paths to source location - - JDK-8323717: Introduce test keyword for tests that need external dependencies - - JDK-8323964: runtime/Thread/ThreadCountLimit.java fails intermittently on AIX - - JDK-8324050: Issue store-store barrier after re-materializing objects during deoptimization - - JDK-8324280: RISC-V: Incorrect implementation in VM_Version::parse_satp_mode - - JDK-8324347: Enable "maybe-uninitialized" warning for FreeType 2.13.1 - - JDK-8324514: ClassLoaderData::print_on should print address of class loader - - JDK-8324598: use mem_unit when working with sysinfo memory and swap related information - - JDK-8324637: [aix] Implement support for reporting swap space in jdk.management - - JDK-8324647: Invalid test group of lib-test after JDK-8323515 - - JDK-8324659: GHA: Generic jtreg errors are not reported - - JDK-8324753: [AIX] adjust os_posix after JDK-8318696 - - JDK-8324858: [vectorapi] Bounds checking issues when accessing memory segments - - JDK-8324874: AArch64: crypto pmull based CRC32/CRC32C intrinsics clobber V8-V15 registers - - JDK-8324937: GHA: Avoid multiple test suites per job - - JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 - - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing - - JDK-8325150: (tz) Update Timezone Data to 2024a - - JDK-8325194: GHA: Add macOS M1 testing - - JDK-8325254: CKA_TOKEN private and secret keys are not necessarily sensitive - - JDK-8325444: GHA: JDK-8325194 causes a regression - - JDK-8325470: [AIX] use fclose after fopen in read_psinfo - - JDK-8325496: Make TrimNativeHeapInterval a product switch - - JDK-8325672: C2: allocate PhaseIdealLoop::_loop_or_ctrl from C->comp_arena() - - JDK-8325876: crashes in docker container tests on Linuxppc64le Power8 machines - - JDK-8326000: Remove obsolete comments for class sun.security.ssl.SunJSSE - - JDK-8327391: Add SipHash attribution file - - JDK-8329838: [21u] 
Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.3 - -Notes on individual issues: -=========================== - -tools/javac: - -JDK-8317300: Align `javac` with the Java Language Specification by Rejecting `final` in Record Patterns -======================================================================================================= -Java 21 enhanced the language with pattern matching for switch -statements. However, the javac compiler released with OpenJDK 21 -allowed the 'final' keyword to be used in front of a record pattern -(e.g. `case final R(...) ->`), which is a violation of the Java -Language specification. - -With this release of OpenJDK 21, programs using `final` within a -switch statement will now fail to compile. The erroneous keyword will -need to be removed to allow the program to be compiled. - -security-libs/javax.xml.crypto: - -JDK-8319124: Update XML Security for Java to 3.0.3 -================================================== -The XML signature implementation in OpenJDK 21 has been updated to -Apache Santuario 3.0.3. This update introduces four new SHA-3 based -RSA-MGF1 SignatureMethod algorithms. - -However, the API of javax.xml.crypto.dsig.SignatureMethod can not be -changed in update releases to provide constants for these new -algorithms. The equivalent string literals should be used as below: - -* SHA3_224_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1" -* SHA3_256_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1" -* SHA3_384_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1" -* SHA3_512_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1" - -hotspot/runtime: - -JDK-8325496: Make TrimNativeHeapInterval a product switch -========================================================= -The option '-XX:TrimNativeHeapInterval=ms', where 'ms' is the interval -in milliseconds, is now an official product switch. 
It allows the -virtual machine to trim the native heap at the specified interval on -supported platforms (currently only Linux with glibc). A value of -zero (the default) disables trimming. - -client-libs/java.awt: - -JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops -======================================================================= -The java.awt.SystemTray API is used to interact with the system's -desktop taskbar to provide notifications and may include an icon -representing an application. The GNOME desktop's support for taskbar -icons has not worked properly for several years, due to a platform -bug. This bug, in turn, affects the JDK's SystemTray support on GNOME -desktops. - -Therefore, in accordance with the SystemTray API specification, -java.awt.SystemTray.isSupported() will now return false on systems -that exhibit this bug, which is assumed to be those running a version -of GNOME Shell below 45. - -The impact of this change is likely to be minimal, as users of the -SystemTray API should already be able to handle isSupported() -returning false and the system tray on such platforms has already been -unsupported for a number of years for all applications. 
- -security-libs/java.security: - -JDK-8321408: Added Certainly R1 and E1 Root Certificates -======================================================== -The following root certificate has been added to the cacerts -truststore: - -Name: Certainly -Alias Name: certainlyrootr1 -Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US - -Name: Certainly -Alias Name: certainlyroote1 -Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US - -hotspot/gc: - -JDK-8310031: Parallel: Precise Parallel Scanning of Large Object Arrays for Young Collection Roots -================================================================================================== -During the collection of young generation objects, the ParallelGC -collector partitions the old generation into 64kB stripes to scan for -references to the young generation. The stripes are assigned to worker -threads to do the scanning in parallel. - -However, previous releases of OpenJDK 21 did not constrain these -worker threads to their own stripe. Parallelism was limited as a -single thread could end up scanning a large object with thousands of -references across multiple stripes, if it happened to start in its -allocated stripe. This also resulted in bad scaling, due to the -subsequent memory sharing associated with multiple threads working on -the same stripe. - -In this release, workers are limited to their stripe and only process -interesting parts of large object arrays. Pauses for the ParallelGC -collector are now on par with the G1 collector when large object -arrays are present, reducing pause times by four to five times in some -cases. - -JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 -================================================================================================== -Running the virtual machine with `-XX:+UseZGC` and a non-default value -of `-XX:ObjectAlignmentInBytes` had the potential to crash or perform -incorrect execution. 
This was due to `ZBarrierSet::clone_obj_array` -not taking into account padding words at the end of an ObjArray. This -has now been rectified in this release. - -New in release OpenJDK 21.0.2 (2024-01-16): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk2102 - -* CVEs - - CVE-2024-20918 - - CVE-2024-20919 - - CVE-2024-20921 - - CVE-2024-20945 - - CVE-2024-20952 -* Security fixes - - JDK-8308204: Enhanced certificate processing - - JDK-8314295: Enhance verification of verifier - - JDK-8314307: Improve loop handling - - JDK-8314468: Improve Compiler loops - - JDK-8316976: Improve signature handling - - JDK-8317547: Enhance TLS connection support -* Other changes - - JDK-8038244: (fs) Check return value of malloc in Java_sun_nio_fs_AixNativeDispatcher_getmntctl() - - JDK-8161536: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with ProviderException - - JDK-8219652: [aix] Tests failing with JNI attach problems. 
- - JDK-8225377: type annotations are not visible to javac plugins across compilation boundaries - - JDK-8232839: JDI AfterThreadDeathTest.java failed due to "FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()" - - JDK-8267502: JDK-8246677 caused 16x performance regression in SynchronousQueue - - JDK-8267509: Improve IllegalAccessException message to include the cause of the exception - - JDK-8268916: Tests for AffirmTrust roots - - JDK-8286757: adlc tries to build with /pathmap but without /experimental:deterministic - - JDK-8294156: Allow PassFailJFrame.Builder to create test UI - - JDK-8294158: HTML formatting for PassFailJFrame instructions - - JDK-8294427: Check boxes and radio buttons have rendering issues on Windows in High DPI env - - JDK-8294535: Add screen capture functionality to PassFailJFrame - - JDK-8295068: SSLEngine throws NPE parsing CertificateRequests - - JDK-8295555: Primitive wrapper caches could be `@Stable` - - JDK-8299614: Shenandoah: STW mark should keep nmethod/oops referenced from stack chunk alive - - JDK-8300663: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=true i=0 j=1" - - JDK-8301247: JPackage app-image exe launches multiple exe's in JDK 17+ - - JDK-8301341: LinkedTransferQueue does not respect timeout for poll() - - JDK-8301457: Code in SendPortZero.java is uncommented even after JDK-8236852 was fixed - - JDK-8301489: C1: ShortLoopOptimizer might lift instructions before their inputs - - JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library - - JDK-8303737: C2: Load can bypass subtype check that enforces it's from the right object type - - JDK-8306561: Possible out of bounds access in print_pointer_information - - JDK-8308103: Massive (up to ~30x) increase in C2 compilation time since JDK 17 - - JDK-8308452: Extend internal Architecture enum with byte order and address size - - JDK-8308479: [s390x] Implement alternative 
fast-locking scheme - - JDK-8308592: Framework for CA interoperability testing - - JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows - - JDK-8309209: C2 failed "assert(_stack_guard_state == stack_guard_reserved_disabled) failed: inconsistent state" - - JDK-8309305: sun/security/ssl/SSLSocketImpl/BlockedAsyncClose.java fails with jtreg test timeout - - JDK-8309545: Thread.interrupted from virtual thread needlessly resets interrupt status - - JDK-8309663: test fails "assert(check_alignment(result)) failed: address not aligned: 0x00000008baadbabe" - - JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory - - JDK-8309974: some JVMCI tests fail when VM options include -XX:+EnableJVMCI - - JDK-8310239: Add missing cross modifying fence in nmethod entry barriers - - JDK-8310512: Cleanup indentation in jfc files - - JDK-8310596: Utilize existing method frame::interpreter_frame_monitor_size_in_bytes() - - JDK-8310982: jdk/internal/util/ArchTest.java fails after JDK-8308452 failed with Method isARM() - - JDK-8311261: [AIX] TestAlwaysPreTouchStacks.java fails due to java.lang.RuntimeException: Did not find expected NMT output - - JDK-8311514: Incorrect regex in TestMetaSpaceLog.java - - JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java - - JDK-8311591: Add SystemModulesPlugin test case that splits module descriptors with new local variables defined by DedupSetBuilder - - JDK-8311630: [s390] Implementation of Foreign Function & Memory API (Preview) - - JDK-8311631: When multiple users run tools/jpackage/share/LicenseTest.java, Permission denied for writing /var/tmp/*.files - - JDK-8311680: Update the release version after forking Oct CPU23_10 - - JDK-8311681: Update the Jan CPU24_01 release date in master branch after forking Oct CPU23_10 - - JDK-8311813: C1: Uninitialized PhiResolver::_loop field - - JDK-8311938: Add default cups include location for configure on AIX - - JDK-8312078: [PPC] JcmdScale.java Failing 
on AIX - - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955 - - JDK-8312166: (dc) DatagramChannel's socket adaptor does not release carrier thread when blocking in receive - - JDK-8312174: missing JVMTI events from vthreads parked during JVMTI attach - - JDK-8312191: ColorConvertOp.filter for the default destination is too slow - - JDK-8312433: HttpClient request fails due to connection being considered idle and closed - - JDK-8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" - - JDK-8312440: assert(cast != nullptr) failed: must have added a cast to pin the node - - JDK-8312466: /bin/nm usage in AIX makes needs -X64 flag - - JDK-8312467: relax the builddir check in make/autoconf/basic.m4 - - JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 update - - JDK-8312612: handle WideCharToMultiByte return values - - JDK-8313164: src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp GetRGBPixels adjust releasing of resources - - JDK-8313167: Update to use jtreg 7.3 - - JDK-8313206: PKCS11 tests silently skip execution - - JDK-8313244: NM flags handling in configure process - - JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns - - JDK-8313322: RISC-V: implement MD5 intrinsic - - JDK-8313368: (fc) FileChannel.size returns 0 on block special files - - JDK-8313575: Refactor PKCS11Test tests - - JDK-8313616: support loading library members on AIX in os::dll_load - - JDK-8313643: Update HarfBuzz to 8.2.2 - - JDK-8313656: assert(!JvmtiExport::can_support_virtual_threads()) with -XX:-DoJVMTIVirtualThreadTransitions - - JDK-8313756: [BACKOUT] 8308682: Enhance AES performance - - JDK-8313760: [REDO] Enhance AES performance - - JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic - - JDK-8313781: Add regression tests for large page logging and user-facing error messages - - JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used - - JDK-8313792: 
Verify 4th party information in src/jdk.internal.le/share/legal/jline.md - - JDK-8313873: java/nio/channels/DatagramChannel/SendReceiveMaxSize.java fails on AIX due to small default RCVBUF size and different IPv6 Header interpretation - - JDK-8314045: ArithmeticException in GaloisCounterMode - - JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on Windows when run as user with Administrator privileges - - JDK-8314120: Add tests for FileDescriptor.sync - - JDK-8314121: test tools/jpackage/share/RuntimePackageTest.java#id0 fails on RHEL8 - - JDK-8314191: C2 compilation fails with "bad AD file" - - JDK-8314226: Series of colon-style fallthrough switch cases with guards compiled incorrectly - - JDK-8314242: Update applications/scimark/Scimark.java to accept VM flags - - JDK-8314246: javax/swing/JToolBar/4529206/bug4529206.java fails intermittently on Linux - - JDK-8314263: Signed jars triggering Logger finder recursion and StackOverflowError - - JDK-8314330: java/foreign tests should respect vm flags when start new processes - - JDK-8314476: TestJstatdPortAndServer.java failed with "java.rmi.NoSuchObjectException: no such object in table" - - JDK-8314495: Update to use jtreg 7.3.1 - - JDK-8314551: More generic way to handshake GC threads with monitor deflation - - JDK-8314580: PhaseIdealLoop::transform_long_range_checks fails with assert "was tested before" - - JDK-8314632: Intra-case dominance check fails in the presence of a guard - - JDK-8314759: VirtualThread.parkNanos timeout adjustment when pinned should be replaced - - JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case - - JDK-8314935: Shenandoah: Unable to throw OOME on back-to-back Full GCs - - JDK-8315026: ProcessHandle implementation listing processes on AIX should use getprocs64 - - JDK-8315062: [GHA] get-bootjdk action should return the abolute path - - JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index)) 
- - JDK-8315088: C2: assert(wq.size() - before == EMPTY_LOOP_SIZE) failed: expect the EMPTY_LOOP_SIZE nodes of this body if empty - - JDK-8315195: RISC-V: Update hwprobe query for new extensions - - JDK-8315206: RISC-V: hwprobe query is_set return wrong value - - JDK-8315213: java/lang/ProcessHandle/TreeTest.java test enhance output of children - - JDK-8315214: Do not run sun/tools/jhsdb tests concurrently - - JDK-8315362: NMT: summary diff reports threads count incorrectly - - JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? - - JDK-8315383: jlink SystemModulesPlugin incorrectly parses the options - - JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases - - JDK-8315437: Enable parallelism in vmTestbase/nsk/monitoring/stress/classload tests - - JDK-8315442: Enable parallelism in vmTestbase/nsk/monitoring/stress/thread tests - - JDK-8315452: Erroneous AST missing modifiers for partial input - - JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen - - JDK-8315545: C1: x86 cmove can use short branches - - JDK-8315549: CITime misreports code/total nmethod sizes - - JDK-8315554: C1: Replace "cmp reg, 0" with "test reg, reg" on x86 - - JDK-8315578: PPC builds are broken after JDK-8304913 - - JDK-8315579: SPARC64 builds are broken after JDK-8304913 - - JDK-8315606: Open source few swing text/html tests - - JDK-8315612: RISC-V: intrinsic for unsignedMultiplyHigh - - JDK-8315644: increase timeout of sun/security/tools/jarsigner/Warning.java - - JDK-8315651: Stop hiding AIX specific multicast socket errors via NetworkConfiguration (aix) - - JDK-8315683: Parallelize java/util/concurrent/tck/JSR166TestCase.java - - JDK-8315684: Parallelize sun/security/util/math/TestIntegerModuloP.java - - JDK-8315688: Update jdk21u fix version to 21.0.2 - - JDK-8315692: Parallelize gc/stress/TestStressRSetCoarsening.java test - - JDK-8315696: SignedLoggerFinderTest.java test failed - 
- JDK-8315702: jcmd Thread.dump_to_file slow with millions of virtual threads - - JDK-8315706: com/sun/tools/attach/warnings/DynamicLoadWarningTest.java real fix for failure on AIX - - JDK-8315735: VerifyError when switch statement used with synchronized block - - JDK-8315751: RandomTestBsi1999 fails often with timeouts on Linux ppc64le - - JDK-8315766: Parallelize gc/stress/TestStressIHOPMultiThread.java test - - JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java should run with -XX:-VerifyDependencies - - JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading tests - - JDK-8315863: [GHA] Update checkout action to use v4 - - JDK-8315869: UseHeavyMonitors not used - - JDK-8315920: C2: "control input must dominate current control" assert failure - - JDK-8315931: RISC-V: xxxMaxVectorTestsSmokeTest fails when using RVV - - JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test - - JDK-8315937: Enable parallelism in vmTestbase/nsk/stress/numeric tests - - JDK-8315942: Sort platform enums and definitions after JDK-8304913 follow-ups - - JDK-8315960: test/jdk/java/io/File/TempDirDoesNotExist.java leaves test files behind - - JDK-8315971: ProblemList containers/docker/TestMemoryAwareness.java on linux-all - - JDK-8316003: Update FileChooserSymLinkTest.java to HTML instructions - - JDK-8316017: Refactor timeout handler in PassFailJFrame - - JDK-8316025: Use testUI() method of PassFailJFrame.Builder in FileChooserSymLinkTest.java - - JDK-8316030: Update Libpng to 1.6.40 - - JDK-8316031: SSLFlowDelegate should not log from synchronized block - - JDK-8316060: test/hotspot/jtreg/runtime/reflect/ReflectOutOfMemoryError.java may fail if heap is huge - - JDK-8316087: Test SignedLoggerFinderTest.java is still failing - - JDK-8316113: Infinite permission checking loop in java/net/spi/InetAddressResolverProvider/RuntimePermissionTest - - JDK-8316123: ProblemList serviceability/dcmd/gc/RunFinalizationTest.java on AIX - - JDK-8316130: Incorrect control in 
LibraryCallKit::inline_native_notify_jvmti_funcs - - JDK-8316142: Enable parallelism in vmTestbase/nsk/monitoring/stress/lowmem tests - - JDK-8316156: ByteArrayInputStream.transferTo causes MaxDirectMemorySize overflow - - JDK-8316178: Better diagnostic header for CodeBlobs - - JDK-8316179: Use consistent naming for lightweight locking in MacroAssembler - - JDK-8316181: Move the fast locking implementation out of the .ad files - - JDK-8316199: Remove sun/tools/jstatd/TestJstatd* tests from problemlist for Windows. - - JDK-8316206: Test StretchedFontTest.java fails for Baekmuk font - - JDK-8316304: (fs) Add support for BasicFileAttributes.creationTime() for Linux - - JDK-8316337: (bf) Concurrency issue in DirectByteBuffer.Deallocator - - JDK-8316341: sun/security/pkcs11/PKCS11Test.java needs adjustment on Linux ppc64le Ubuntu 22 - - JDK-8316387: Exclude more failing multicast tests on AIX after JDK-8315651 - - JDK-8316396: Endless loop in C2 compilation triggered by AddNode::IdealIL - - JDK-8316399: Exclude java/net/MulticastSocket/Promiscuous.java on AIX - - JDK-8316400: Exclude jdk/jfr/event/runtime/TestResidentSetSizeEvent.java on AIX - - JDK-8316401: sun/tools/jhsdb/JStackStressTest.java failed with "InternalError: We should have found a thread that owns the anonymous lock" - - JDK-8316411: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with force inline by CompileCommand missing - - JDK-8316414: C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86 - - JDK-8316415: Parallelize sun/security/rsa/SignedObjectChain.java subtests - - JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java get OOM killed with Parallel GC - - JDK-8316436: ContinuationWrapper uses unhandled nullptr oop - - JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit - - JDK-8316468: os::write incorrectly handles partial write - - JDK-8316514: Better diagnostic header for VtableStub - - 
JDK-8316540: StoreReproducibilityTest fails on some locales - - JDK-8316566: RISC-V: Zero extended narrow oop passed to Atomic::cmpxchg - - JDK-8316581: Improve performance of Symbol::print_value_on() - - JDK-8316585: [REDO] runtime/InvocationTests spend a lot of time on dependency verification - - JDK-8316645: RISC-V: Remove dependency on libatomic by adding cmpxchg 1b - - JDK-8316648: jrt-fs.jar classes not reproducible between standard and bootcycle builds - - JDK-8316659: assert(LockingMode != LM_LIGHTWEIGHT || flag == CCR0) failed: bad condition register - - JDK-8316671: sun/security/ssl/SSLSocketImpl/SSLSocketCloseHang.java test fails intermittent with Read timed out - - JDK-8316679: C2 SuperWord: wrong result, load should not be moved before store if not comparable - - JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java - - JDK-8316719: C2 compilation still fails with "bad AD file" - - JDK-8316735: Print LockStack in hs_err files - - JDK-8316741: BasicStroke.createStrokedShape miter-limits failing on small shapes - - JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic option result to warning - - JDK-8316746: Top of lock-stack does not match the unlocked object - - JDK-8316778: test hprof lib: invalid array element type from JavaValueArray.elementSize - - JDK-8316859: RISC-V: Disable detection of V through HWCAP - - JDK-8316879: RegionMatches1Tests fails if CompactStrings are disabled after JDK-8302163 - - JDK-8316880: AArch64: "stop: Header is not fast-locked" with -XX:-UseLSE since JDK-8315880 - - JDK-8316894: make test TEST="jtreg:test/jdk/..." 
fails on AIX - - JDK-8316906: Clarify TLABWasteTargetPercent flag - - JDK-8316929: Shenandoah: Shenandoah degenerated GC and full GC need to cleanup old OopMapCache entries - - JDK-8316933: RISC-V: compiler/vectorapi/VectorCastShape128Test.java fails when using RVV - - JDK-8316935: [s390x] Use consistent naming for lightweight locking in MacroAssembler - - JDK-8316958: Add test for unstructured locking - - JDK-8316967: Correct the scope of vmtimer in UnregisteredClasses::load_class - - JDK-8317039: Enable specifying the JDK used to run jtreg - - JDK-8317136: [AIX] Problem List runtime/jni/terminatedThread/TestTerminatedThread.java - - JDK-8317257: RISC-V: llvm build broken - - JDK-8317262: LockStack::contains(oop) fails "assert(t->is_Java_thread()) failed: incorrect cast to JavaThread" - - JDK-8317294: Classloading throws exceptions over already pending exceptions - - JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js - - JDK-8317331: Solaris build failed with "declaration can not follow a statement (E_DECLARATION_IN_CODE)" - - JDK-8317335: Build on windows fails after 8316645 - - JDK-8317336: Assertion error thrown during 'this' escape analysis - - JDK-8317340: Windows builds are not reproducible if MS VS compiler install path differs - - JDK-8317373: Add Telia Root CA v2 - - JDK-8317374: Add Let's Encrypt ISRG Root X2 - - JDK-8317439: Updating RE Configs for BUILD REQUEST 21.0.2+1 - - JDK-8317507: C2 compilation fails with "Exceeded _node_regs array" - - JDK-8317510: Change Windows debug symbol files naming to avoid losing info when an executable and a library share the same name - - JDK-8317581: [s390x] Multiple test failure with LockingMode=2 - - JDK-8317601: Windows build on WSL broken after JDK-8317340 - - JDK-8317603: Improve exception messages thrown by sun.nio.ch.Net native methods (win) - - JDK-8317692: jcmd GC.heap_dump performance regression after JDK-8292818 - - JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh on linux-ppc64le and aix 
due to JDK-8248691 - - JDK-8317706: Exclude java/awt/Graphics2D/DrawString/RotTransText.java on linux - - JDK-8317711: Exclude gtest/GTestWrapper.java on AIX - - JDK-8317736: Stream::handleReset locks twice - - JDK-8317751: ProblemList ConsumeForModalDialogTest.java, MenuItemActivatedTest.java & MouseModifiersUnitTest_Standard.java for windows - - JDK-8317772: NMT: Make peak values available in release builds - - JDK-8317790: Fix Bug entry for exclusion of runtime/jni/terminatedThread/TestTerminatedThread.java on AIX - - JDK-8317803: Exclude java/net/Socket/asyncClose/Race.java on AIX - - JDK-8317807: JAVA_FLAGS removed from jtreg running in JDK-8317039 - - JDK-8317818: Combinatorial explosion during 'this' escape analysis - - JDK-8317834: java/lang/Thread/IsAlive.java timed out - - JDK-8317839: Exclude java/nio/channels/Channels/SocketChannelStreams.java on AIX - - JDK-8317920: JDWP-agent sends broken exception event with onthrow option - - JDK-8317959: Check return values of malloc in native java.base coding - - JDK-8317964: java/awt/Mouse/MouseModifiersUnitTest/MouseModifiersUnitTest_Standard.java fails on macosx-all after JDK-8317751 - - JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to handle default cases - - JDK-8317987: C2 recompilations cause high memory footprint - - JDK-8318078: ADLC: pass ASSERT and PRODUCT flags - - JDK-8318089: Class space not marked as such with NMT when CDS is off - - JDK-8318137: Change milestone to fcs for all releases - - JDK-8318144: Match on enum constants with body compiles but fails with MatchException - - JDK-8318183: C2: VM may crash after hitting node limit - - JDK-8318240: [AIX] Cleaners.java test failure - - JDK-8318415: Adjust describing comment of os_getChildren after 8315026 - - JDK-8318474: Fix memory reporter for thread_count - - JDK-8318525: Atomic gtest should run as TEST_VM to access VM capabilities - - JDK-8318528: Rename TestUnstructuredLocking test - - JDK-8318540: make test 
cannot run .jasm tests directly - - JDK-8318562: Computational test more than 2x slower when AVX instructions are used - - JDK-8318587: refresh libraries cache on AIX in print_vm_info - - JDK-8318591: avoid leaks in loadlib_aix.cpp reload_table() - - JDK-8318669: Target OS detection in 'test-prebuilt' makefile target is incorrect when running on MSYS2 - - JDK-8318705: [macos] ProblemList java/rmi/registry/multipleRegistries/MultipleRegistries.java - - JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with "transport error 202: bind failed: Address already in use" - - JDK-8318759: Add four DigiCert root certificates - - JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late - - JDK-8318895: Deoptimization results in incorrect lightweight locking stack - - JDK-8318951: Additional negative value check in JPEG decoding - - JDK-8318953: RISC-V: Small refactoring for MacroAssembler::test_bit - - JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return - - JDK-8318957: enhance agentlib:jdwp help output by info about allow option - - JDK-8318961: increase javacserver connection timeout values and max retry attempts - - JDK-8318981: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with 'disallowed by CompileCommand' missing from stdout/stderr - - JDK-8319104: GtestWrapper crashes with SIGILL in AsyncLogTest::test_asynclog_raw on AIX opt - - JDK-8319120: Unbound ScopedValue.get() throws the wrong exception - - JDK-8319184: RISC-V: improve MD5 intrinsic - - JDK-8319187: Add three eMudhra emSign roots - - JDK-8319195: Move most tier 1 vector API regression tests to tier 3 - - JDK-8319268: Build failure with GCC8.3.1 after 8313643 - - JDK-8319339: Internal error on spurious markup in a hybrid snippet - - JDK-8319436: Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader - - JDK-8319525: RISC-V: Rename *_riscv64.ad files to 
*_riscv.ad under riscv/gc - - JDK-8319532: jshell - Non-sealed declarations sometimes break a snippet evaluation - - JDK-8319542: Fix boundaries of region to be tested with os::is_readable_range - - JDK-8319700: [AArch64] C2 compilation fails with "Field too big for insn" - - JDK-8319828: runtime/NMT/VirtualAllocCommitMerge.java may fail if mixing interpreted and compiled native invocations - - JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21 - - JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not compile on Windows 32-bit - - JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks - - JDK-8320001: javac crashes while adding type annotations to the return type of a constructor - - JDK-8320053: GHA: Cross-compile gtest code - - JDK-8320209: VectorMaskGen clobbers rflags on x86_64 - - JDK-8320280: RISC-V: Avoid passing t0 as temp register to MacroAssembler::lightweight_lock/unlock - - JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity - - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly - - JDK-8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all - - JDK-8321067: Unlock experimental options in EATests.java - - JDK-8322883: [BACKOUT] 8225377: type annotations are not visible to javac plugins across compilation boundaries - - JDK-8322985: [BACKOUT] 8318562: Computational test more than 2x slower when AVX instructions are used - -Notes on individual issues: -=========================== - -core-libs/java.net: - -JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows -====================================================================== -On Windows 10 version 1709 and above, TCP_KEEPIDLE and -TCP_KEEPINTERVAL are now supported in the -java.net.ExtendedSocketOptions class. Similarly, on Windows 10 -version 1703 and above, TCP_KEEPCOUNT is now supported. 
- -hotspot/compiler: - -JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index)) -================================================================================================= -In the initial release of JDK 21, running the JVM with -XX:+UseZGC and -a non-default value of -XX:ObjectAlignmentInBytes could lead to JVM -crashes or incorrect execution. This issue should now be resolved and -it should be possible to use these options again. - -hotspot/runtime: - -JDK-8317772: NMT: Make peak values available in release builds -============================================================== -The peak value is the highest value for committed memory in a given -Native Memory Tracking (NMT) category over the lifetime of the JVM -process. NMT reports will now show the peak value for all categories. - -If the committed memory for a category is at its peak, NMT will -print "at peak". Otherwise, it prints the peak value. - -For example, "Compiler (arena=196KB #4) (peak=6126KB #16)" shows that -compiler arena memory peaked above 6 MB, but now hovers around 200KB. - -JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used -=========================================================================== -On Linux, the JVM will now print the following message to standard -output if Transparent Huge Pages (THPs) are requested, but are not -supported on the operating system: - -"UseTransparentHugePages disabled; transparent huge pages are not -supported by the operating system." - -security-libs/java.security: - -JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt -================================================================= -The following root certificate has been added to the cacerts -truststore: - -Name: Let's Encrypt -Alias Name: letsencryptisrgx2 -Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US - -JDK-8318759: Added Four Root Certificates from DigiCert, Inc. 
-============================================================= -The following root certificates have been added to the cacerts -truststore: - -Name: DigiCert, Inc. -Alias Name: digicertcseccrootg5 -Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US - -Name: DigiCert, Inc. -Alias Name: digicertcsrsarootg5 -Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US - -Name: DigiCert, Inc. -Alias Name: digicerttlseccrootg5 -Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US - -Name: DigiCert, Inc. -Alias Name: digicerttlsrsarootg5 -Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US - -JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited -============================================================================ -The following root certificates have been added to the cacerts -truststore: - -Name: eMudhra Technologies Limited -Alias Name: emsignrootcag1 -Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN - -Name: eMudhra Technologies Limited -Alias Name: emsigneccrootcag3 -Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN - -Name: eMudhra Technologies Limited -Alias Name: emsignrootcag2 -Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN - -JDK-8317373: Added Telia Root CA v2 Certificate -=============================================== -The following root certificate has been added to the cacerts -truststore: - -Name: Telia Root CA v2 -Alias Name: teliarootcav2 -Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` - -New in release OpenJDK 21.0.1 (2023-10-17): -=========================================== - -* CVEs - - CVE-2023-22081 - - CVE-2023-22025 -* Security fixes - - JDK-8286503, JDK-8312367: Enhance security classes - - JDK-8296581: Better system proxy support - - JDK-8297856: Improve 
handling of Bidi characters - - JDK-8309966: Enhanced TLS connections - - JDK-8312248: Enhanced archival support redux - - JDK-8314649: Enhanced archival support redux - - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 -* Other changes - - JDK-8240567: MethodTooLargeException thrown while creating a jlink image - - JDK-8284772: GHA: Use GCC Major Version Dependencies Only - - JDK-8293114: JVM should trim the native heap - - JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge - - JDK-8302017: Allocate BadPaddingException only if it will be thrown - - JDK-8303815: Improve Metaspace test speed - - JDK-8304954: SegmentedCodeCache fails when using large pages - - JDK-8307766: Linux: Provide the option to override the timer slack - - JDK-8308042: [macos] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters - - JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java timed out and also had jcmd pipe errors - - JDK-8308184: Launching java with large number of jars in classpath with java.protocol.handler.pkgs system property set can lead to StackOverflowError - - JDK-8308474: DSA does not reset SecureRandom when initSign is called again - - JDK-8308609: java/lang/ScopedValue/StressStackOverflow.java fails with "-XX:-VMContinuations" - - JDK-8309032: jpackage does not work for module projects unless --module-path is specified - - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails - - JDK-8309214: sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154 - - JDK-8309475: Test java/foreign/TestByteBuffer.java fails: a problem with msync (aix) - - JDK-8309502: RISC-V: String.indexOf intrinsic may produce misaligned memory loads - - JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level - - JDK-8309746: Reconfigure check should include make/conf/version-numbers.conf - - JDK-8309889: [s390] 
Missing return statement after calling jump_to_native_invoker method in generate_method_handle_dispatch. - - JDK-8310106: sun.security.ssl.SSLHandshake.getHandshakeProducer() incorrectly checks handshakeConsumers - - JDK-8310171: Bump version numbers for 21.0.1 - - JDK-8310211: serviceability/jvmti/thread/GetStackTrace/getstacktr03/getstacktr03.java failing - - JDK-8310233: Fix THP detection on Linux - - JDK-8310268: RISC-V: misaligned memory access in String.Compare intrinsic - - JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose - - JDK-8310586: ProblemList java/lang/ScopedValue/StressStackOverflow.java#default with virtual threads on linux-all - - JDK-8310687: JDK-8303215 is incomplete - - JDK-8310873: Re-enable locked_create_entry symbol check in runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V - - JDK-8311026: Some G1 specific tests do not set -XX:+UseG1GC - - JDK-8311033: [macos] PrinterJob does not take into account Sides attribute - - JDK-8311160: [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem - - JDK-8311249: Remove unused MemAllocator::obj_memory_range - - JDK-8311285: report some fontconfig related environment variables in hs_err file - - JDK-8311511: Improve description of NativeLibrary JFR event - - JDK-8311592: ECKeySizeParameterSpec causes too many exceptions on third party providers - - JDK-8311682: Change milestone to fcs for all releases - - JDK-8311862: RISC-V: small improvements to shift immediate instructions - - JDK-8311917: MAP_FAILED definition seems to be obsolete in src/java.desktop/unix/native/common/awt/fontpath.c - - JDK-8311921: Inform about MaxExpectedDataSegmentSize in case of pthread_create failures on AIX - - JDK-8311923: TestIRMatching.java fails on RISC-V - - JDK-8311926: java/lang/ScopedValue/StressStackOverflow.java takes 9mins in tier1 - - JDK-8311955: c++filt is now ibm-llvm-cxxfilt when using xlc17 / clang on AIX - - JDK-8311981: Test 
gc/stringdedup/TestStringDeduplicationAgeThreshold.java#ZGenerational timed out - - JDK-8312127: FileDescriptor.sync should temporarily increase parallelism - - JDK-8312180: (bf) MappedMemoryUtils passes incorrect arguments to msync (aix) - - JDK-8312182: THPs cause huge RSS due to thread start timing issue - - JDK-8312394: [linux] SIGSEGV if kernel was built without hugepage support - - JDK-8312395: Improve assertions in growableArray - - JDK-8312401: SymbolTable::do_add_if_needed hangs when called in InstanceKlass::add_initialization_error path with requesting length exceeds max_symbol_length - - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar - - JDK-8312525: New test runtime/os/TestTrimNative.java#trimNative is failing: did not see the expected RSS reduction - - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException - - JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1) - - JDK-8312573: Failure during CompileOnly parsing leads to ShouldNotReachHere - - JDK-8312585: Rename DisableTHPStackMitigation flag to THPStackMitigation - - JDK-8312591: GCC 6 build failure after JDK-8280982 - - JDK-8312619: Strange error message when switching over long - - JDK-8312620: WSL Linux build crashes after JDK-8310233 - - JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java failed: RSS use increased - - JDK-8312909: C1 should not inline through interface calls with non-subtype receiver - - JDK-8312976: MatchResult produces StringIndexOutOfBoundsException for groups outside match - - JDK-8312984: javac may crash on a record pattern with too few components - - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 - - JDK-8313248: C2: setScopedValueCache intrinsic exposes nullptr pre-values to store barriers - - JDK-8313262: C2: Sinking node may cause required cast to be dropped - - JDK-8313307: 
java/util/Formatter/Padding.java fails on some Locales - - JDK-8313312: Add missing classpath exception copyright header - - JDK-8313323: javac -g on a java file which uses unnamed variable leads to ClassFormatError when launching that class - - JDK-8313402: C1: Incorrect LoadIndexed value numbering - - JDK-8313428: GHA: Bump GCC versions for July 2023 updates - - JDK-8313576: GCC 7 reports compiler warning in bundled freetype 2.13.0 - - JDK-8313602: increase timeout for jdk/classfile/CorpusTest.java - - JDK-8313626: C2 crash due to unexpected exception control flow - - JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors - - JDK-8313676: Amend TestLoadIndexedMismatch test to target intrinsic directly - - JDK-8313678: SymbolTable can leak Symbols during cleanup - - JDK-8313691: use close after failing os::fdopen in vmError and ciEnv - - JDK-8313701: GHA: RISC-V should use the official repository for bootstrap - - JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase - - JDK-8313752: InstanceKlassFlags::print_on doesn't print the flag names - - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) - - JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer - - JDK-8313874: JNI NewWeakGlobalRef throws exception for null arg - - JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/CodeCacheFullCountTest.java fails with java.lang.VirtualMachineError - - JDK-8313904: [macos] All signing tests which verifies unsigned app images are failing - - JDK-8314020: Print instruction blocks in byte units - - JDK-8314024: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info - - JDK-8314063: The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection - - JDK-8314117: RISC-V: Incorrect VMReg encoding in RISCV64Frame.java - - JDK-8314118: Update JMH devkit to 1.37 - - JDK-8314139: TEST_BUG: 
runtime/os/THPsInThreadStackPreventionTest.java could fail on machine with large number of cores - - JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp - - JDK-8314216: Case enumConstant, pattern compilation fails - - JDK-8314262: GHA: Cut down cross-compilation sysroots deeper - - JDK-8314423: Multiple patterns without unnamed variables - - JDK-8314426: runtime/os/TestTrimNative.java is failing on slow machines - - JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/JMapHeapConfigTest.java fails - - JDK-8314517: some tests fail in case ipv6 is disabled on the machine - - JDK-8314618: RISC-V: -XX:MaxVectorSize does not work as expected - - JDK-8314656: GHA: No need for Debian ports keyring installation after JDK-8313701 - - JDK-8314679: SA fails to properly attach to JVM after having just detached from a different JVM - - JDK-8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev - - JDK-8314850: SharedRuntime::handle_wrong_method() gets called too often when resolving Continuation.enter - - JDK-8314960: Add Certigna Root CA - 2 - - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate. - - JDK-8315051: jdk/jfr/jvm/TestGetEventWriter.java fails with non-JVMCI GCs - - JDK-8315534: Incorrect warnings about implicit annotation processing - -Notes on individual issues: -=========================== - -core-libs/java.util.jar: - -JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) -===================================================================== -Additional validity checks in the handling of Zip64 files, -JDK-8302483, introduced in 21.0.0, caused the use of some valid zip -files to now fail with the error, `Invalid CEN header (invalid zip64 -extra data field size)` - -This release, 21.0.1, allows for zero length headers and additional -padding produced by some Zip64 creation tools. 
- -The following third party tools have also released patches to better -adhere to the ZIP File Format Specification: - -* Apache Commons Compress fix for Empty CEN Zip64 Extra Headers fixed in Commons Compress release 1.11 -* Apache Ant fix for Empty CEN Zip64 Extra Headers fixed in Ant 1.10.14 -* BND issue with writing invalid Extra Headers fixed in BND 5.3 - -The maven-bundle-plugin 5.1.5 includes the BND 5.3 patch. - -If these improved validation checks cause issues for deployed zip or -jar files, check how the file was created and whether patches are -available from the generating software to resolve the issue. With -both JDK releases, the checks can be disabled by setting the new -system property, `jdk.util.zip.disableZip64ExtraFieldValidation` to -`true`. - -hotspot/runtime: - -JDK-8311981: JVM May Hang When Using Generational ZGC if a VM Handshake Stalls on Memory -======================================================================================== -The JVM can hang under an uncommon condition that involves the JVM -running out of heap memory, the GC just starting a relocation phase to -reclaim memory, and a JVM thread-local Handshake asking to relocate an -object. This potential deadlock should now be avoided in this -release. - -core-libs/java.util.regex: - -JDK-8312976: `java.util.regex.MatchResult` Might Throw `StringIndexOutOfBoundsException` on Regex Patterns Containing Lookaheads and Lookbehinds -================================================================================================================================================ -JDK-8132995 introduced an unintended regression when using instances -returned by `java.util.regex.Matcher.toMatchResult()`. - -This regression happens with a `java.util.regex.Pattern`s containing -lookaheads and lookbehinds that, in turn, contain groups. If these are -located outside the match, a `StringIndexOutOfBoundsException` is -thrown when accessing these groups. See JDK-8312976 for an example. 
- -The issue is resolved in this release by calculating a minimum start -location as part of the match result and using this in constructing -String objects, rather than the location of the first match. - -JDK-8314960: Added Certigna Root CA Certificate -=============================================== -The following root certificate has been added to the cacerts -truststore: - -Name: Certigna (Dhimyotis) -Alias Name: certignarootca -Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR - -JDK-8312489: Increase Default Value of the System Property `jdk.jar.maxSignatureFileSize` -========================================================================================= -A maximum signature file size property, jdk.jar.maxSignatureFileSize, -was introduced in the 21.0.0 release of OpenJDK by JDK-8300596 to -control the maximum size of signature files in a signed JAR. The -default value of 8MB proved to be too small for some JAR files. This -release, 21.0.1, increases it to 16MB. - -New in release OpenJDK 21.0.0 (2023-09-XX): +New in release OpenJDK 22.0.0 (2024-03-19): =========================================== Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 18 -through to 21. +to earlier releases following their first appearance in OpenJDK 22 +through to 25. NEW FEATURES ============ 
@@ -3239,44 +15,34 @@ NEW FEATURES Language Features ================= -Pattern Matching for switch -=========================== -https://openjdk.org/jeps/406 -https://openjdk.org/jeps/420 -https://openjdk.org/jeps/427 -https://openjdk.org/jeps/433 -https://openjdk.org/jeps/441 +Statements before super(...) +============================ +https://openjdk.org/jeps/447 -Enhance the Java programming language with pattern matching for -`switch` expressions and statements, along with extensions to the -language of patterns. Extending pattern matching to `switch` allows an -expression to be tested against a number of patterns, each with a -specific action, so that complex data-oriented queries can be -expressed concisely and safely. +In constructors in the Java programming language, allow statements +that do not reference the instance being created to appear before an +explicit constructor invocation (i.e. super()). -This was a preview feature (http://openjdk.java.net/jeps/12) -introduced in OpenJDK 17 (JEP 406), which saw a second preview in -OpenJDK 18 (JEP 420), a third in OpenJDK 19 (JEP 427) and a fourth -(JEP 427) in OpenJDK 20. It became final with OpenJDK 21 (JEP 441). +This is a preview language feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 22 (JEP 447). -Record Patterns -=============== -https://openjdk.org/jeps/405 -https://openjdk.org/jeps/432 -https://openjdk.org/jeps/440 +Unnamed Patterns and Variables +============================== +https://openjdk.org/jeps/443 +https://openjdk.org/jeps/456 -Enhance the Java programming language with record patterns to -deconstruct record values. Record patterns and type patterns can be -nested to enable a powerful, declarative, and composable form of data -navigation and processing. +Enhance the Java language with unnamed patterns, which match a record +component without stating the component's name or type, and unnamed +variables, which can be initialized but not used. 
Both are denoted by +an underscore character, _. -This was a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 19 (JEP 405) with a second preview (JEP 432) in OpenJDK 20. -It became final with OpenJDK 21 (JEP 440). +This feature is now final. It was a preview feature +(http://openjdk.java.net/jeps/12) in OpenJDK 21 (JEP 443). String Templates ================ https://openjdk.org/jeps/430 +https://openjdk.org/jeps/459 Enhance the Java programming language with string templates. String templates complement Java's existing string literals and text blocks 
@@ -3284,54 +50,47 @@ by coupling literal text with embedded expressions and template processors to produce specialized results. This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 21 (JEP 430). - -Unnamed Patterns and Variables -============================== -https://openjdk.org/jeps/443 - -Enhance the Java language with unnamed patterns, which match a record -component without stating the component's name or type, and unnamed -variables, which can be initialized but not used. Both are denoted by -an underscore character, _. - -This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 21 (JEP 443). - -Unnamed Classes and Instance Main Methods (Preview) -=================================================== -https://openjdk.org/jeps/445 - -Evolve the Java language so that students can write their first -programs without needing to understand language features designed for -large programs. Far from using a separate dialect of Java, students -can write streamlined declarations for single-class programs and then -seamlessly expand their programs to use more advanced features as -their skills grow. - -This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 21 (JEP 445). +in OpenJDK 21 (JEP 430) and reaching its second preview in OpenJDK 22 +(JEP 459). Library Features ================ -UTF-8 by Default -================ -https://openjdk.org/jeps/400 +Foreign Function & Memory API +============================= +https://openjdk.org/jeps/412 +https://openjdk.org/jeps/419 +https://openjdk.org/jeps/424 +https://openjdk.org/jeps/434 +https://openjdk.org/jeps/442 +https://openjdk.org/jeps/454 -Specify UTF-8 as the default charset of the standard Java APIs. With -this change, APIs that depend upon the default charset will behave -consistently across all implementations, operating systems, locales, -and configurations. 
+Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. -Reimplement Core Reflection with Method Handles -=============================================== -https://openjdk.org/jeps/416 +This API is now finalised. It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 17 (JEP 412), and is an +evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and +Foreign Linker API (OpenJDK 16) (see release notes for +java-17-openjdk). OpenJDK 18 saw a second round of incubation (JEP +419) before its inclusion as a preview feature +(http://openjdk.java.net/jeps/12) in OpenJDK 19 (JEP 424). A second +preview took place in OpenJDK 20 (JEP 434) and a third and final +preview in OpenJDK 21 (JEP 442). -Reimplement java.lang.reflect.Method, Constructor, and Field on top of -java.lang.invoke method handles. Making method handles the underlying -mechanism for reflection will reduce the maintenance and development -cost of both the java.lang.reflect and java.lang.invoke APIs. +Class-File API +============== +https://openjdk.org/jeps/457 + +Provide a standard API for parsing, generating, and transforming Java +class files. + +This is a preview library feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 22 (JEP 457). Vector API ========== @@ -3341,6 +100,7 @@ https://openjdk.org/jeps/417 https://openjdk.org/jeps/426 https://openjdk.org/jeps/438 https://openjdk.org/jeps/448 +https://openjdk.org/jeps/460 Introduce an API to express vector computations that reliably compile at runtime to optimal vector hardware instructions on supported CPU 
@@ -3350,61 +110,27 @@ scalar computations. This is an incubation feature (https://openjdk.java.net/jeps/11) introduced in OpenJDK 16 (JEP 338). A second round of incubation took place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third, -OpenJDK 19 a fourth (JEP 426), OpenJDK 20 (JEP 438) a fifth and -OpenJDK 21 a sixth (JEP 448). +OpenJDK 19 a fourth (JEP 426), OpenJDK 20 (JEP 438) a fifth, OpenJDK +21 a sixth (JEP 448) and it reaches its seventh in OpenJDK 22 (JEP +460). -Internet-Address Resolution SPI -=============================== -https://openjdk.org/jeps/418 +Stream Gatherers +================ +https://openjdk.org/jeps/461 -Define a service-provider interface (SPI) for host name and address -resolution, so that java.net.InetAddress can make use of resolvers -other than the platform's built-in resolver. +Enhance the Stream API to support custom intermediate operations. This +will allow stream pipelines to transform data in ways that are not +easily achievable with the existing built-in intermediate operations. -Foreign Function & Memory API -============================= -https://openjdk.org/jeps/412 -https://openjdk.org/jeps/419 -https://openjdk.org/jeps/424 -https://openjdk.org/jeps/434 -https://openjdk.org/jeps/442 - -Introduce an API by which Java programs can interoperate with code and -data outside of the Java runtime. By efficiently invoking foreign -functions (i.e., code outside the JVM), and by safely accessing -foreign memory (i.e., memory not managed by the JVM), the API enables -Java programs to call native libraries and process native data without -the brittleness and danger of JNI. - -This API is now a preview feature (http://openjdk.java.net/jeps/12). -It was first introduced in incubation -(https://openjdk.java.net/jeps/11) in OpenJDK 17 (JEP 412), and is an -evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and -Foreign Linker API (OpenJDK 16) (see release notes for -java-17-openjdk). 
OpenJDK 18 saw a second round of incubation (JEP -419) before its inclusion as a preview in OpenJDK 19 (JEP 424) and a -second in OpenJDK 20 (JEP 434). It reaches a third preview in OpenJDK -21 (JEP 442). - -Virtual Threads -=============== -https://openjdk.org/jeps/425 -https://openjdk.org/jeps/436 -https://openjdk.org/jeps/444 - -Introduce virtual threads to the Java Platform. Virtual threads are -lightweight threads that dramatically reduce the effort of writing, -maintaining, and observing high-throughput concurrent applications. - -This was a preview feature (http://openjdk.java.net/jeps/12) -introduced in OpenJDK 19 (JEP 425) and reaching its second preview in -OpenJDK 20 (JEP 436). It became final with OpenJDK 21 (JEP 444). +This is a preview library feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 22 (JEP 461). Structured Concurrency ====================== https://openjdk.org/jeps/428 https://openjdk.org/jeps/437 https://openjdk.org/jeps/453 +https://openjdk.org/jeps/462 Simplify multithreaded programming by introducing an API for structured concurrency. Structured concurrency treats multiple tasks 
@@ -3412,115 +138,66 @@ running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. -This API is now a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 21 (JEP 453). It was first introduced in incubation +This API was first introduced in incubation (https://openjdk.java.net/jeps/11) in OpenJDK 19 (JEP 428) and had a -second round of incubation in OpenJDK 20 (JEP 437). +second round of incubation in OpenJDK 20 (JEP 437). It became a +preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 21 (JEP +453) and reaches its second preview in OpenJDK 22 (JEP 462). + +Implicitly Declared Classes and Instance Main Methods +===================================================== +https://openjdk.org/jeps/445 +https://openjdk.org/jeps/463 + +Evolve the Java language so that students can write their first +programs without needing to understand language features designed for +large programs. Far from using a separate dialect of Java, students +can write streamlined declarations for single-class programs and then +seamlessly expand their programs to use more advanced features as +their skills grow. + +This library feature was introduced as a preview +(http://openjdk.java.net/jeps/12) in OpenJDK 21 (JEP 445) under the +name "Unnamed Classes and Instance Main Methods". It reaches a second +preview in OpenJDK 22 (JEP 463) under a new name, due to the move away +from unnamed classes to an implicitly declared name chosen by the host +system. Scoped Values ============= https://openjdk.org/jeps/429 +https://openjdk.org/jeps/446 +https://openjdk.org/jeps/464 Introduce scoped values, which enable the sharing of immutable data within and across threads. They are preferred to thread-local variables, especially when using large numbers of virtual threads. -This API is now a preview feature (http://openjdk.java.net/jeps/12) -in OpenJDK 21 (JEP 429). 
It was first introduced in incubation -(https://openjdk.java.net/jeps/11) in OpenJDK 20 (JEP 429). - -Sequenced Collections -===================== -https://openjdk.org/jeps/431 - -Introduce new interfaces to represent collections with a defined -encounter order. Each such collection has a well-defined first -element, second element, and so forth, up to the last element. It also -provides uniform APIs for accessing its first and last elements, and -for processing its elements in reverse order. - -Key Encapsulation Mechanism API -=============================== -https://openjdk.org/jeps/452 - -Introduce an API for key encapsulation mechanisms (KEMs), an -encryption technique for securing symmetric keys using public key -cryptography. +This API was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 20 (JEP 429). It became a +preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 21 (JEP +446) and reaches its second preview in OpenJDK 22 (JEP 464). Virtual Machine Enhancements ============================ -Generational ZGC -================ -https://openjdk.org/jeps/439 +Region Pinning for G1 +===================== +https://openjdk.org/jeps/423 -Improve application performance by extending the Z Garbage Collector -(ZGC) to maintain separate generations for young and old objects. This -will allow ZGC to collect young objects — which tend to die young — -more frequently. +Reduce latency by implementing region pinning in G1, so that garbage +collection need not be disabled during Java Native Interface (JNI) +critical regions. Tools ===== -Simple Web Server -================= -https://openjdk.org/jeps/408 +Launch Multi-File Source-Code Programs +====================================== +https://openjdk.org/jeps/458 -Provide a command-line tool, `jwebserver`, to start a minimal web -server that serves static files only. No CGI or servlet-like -functionality is available. 
This tool will be useful for prototyping, -ad-hoc coding, and testing purposes, particularly in educational -contexts. - -Code Snippets in Java API Documentation -======================================= -https://openjdk.org/jeps/413 - -Introduce an @snippet tag for JavaDoc's Standard Doclet, to simplify -the inclusion of example source code in API documentation. - -Ports -===== - -Linux/RISC-V Port -================= -https://openjdk.org/jeps/422 - -RISC-V is a free and open-source RISC instruction set architecture -(ISA) designed originally at the University of California, Berkeley, -and now developed collaboratively under the sponsorship of RISC-V -International. It is already supported by a wide range of language -toolchains. With the increasing availability of RISC-V hardware, a -port of the JDK would be valuable. - -DEPRECATIONS -============ - -Deprecate Finalization for Removal -================================== -https://openjdk.org/jeps/421 - -Deprecate finalization for removal in a future release. Finalization -remains enabled by default for now, but can be disabled to facilitate -early testing. In a future release it will be disabled by default, and -in a later release it will be removed. Maintainers of libraries and -applications that rely upon finalization should consider migrating to -other resource management techniques such as the try-with-resources -statement and cleaners. - -Deprecate the Windows 32-bit x86 Port for Removal -================================================= -https://openjdk.org/jeps/449 - -Deprecate the Windows 32-bit x86 port, with the intent to remove it in -a future release. - -Prepare to Disallow the Dynamic Loading of Agents -================================================= -https://openjdk.org/jeps/451 - -Issue warnings when agents are loaded dynamically into a running -JVM. 
These warnings aim to prepare users for a future release which -disallows the dynamic loading of agents by default in order to improve -integrity by default. Serviceability tools that load agents at startup -will not cause warnings to be issued in any release. +Enhance the java application launcher to be able to run a program +supplied as multiple files of Java source code. This will make the +transition from small programs to larger ones more gradual, enabling +developers to choose whether and when to go to the trouble of +configuring a build tool. diff --git a/fips-21u-9203d50836c.patch b/fips-21u-9203d50836c.patch deleted file mode 100644 index 9966391..0000000 --- a/fips-21u-9203d50836c.patch +++ /dev/null 
@@ -1,4234 +0,0 @@ -diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 -index 5f4b22bb27f..1ca9f5b8ffe 100644 ---- a/make/autoconf/build-aux/pkg.m4 -+++ b/make/autoconf/build-aux/pkg.m4 -@@ -179,3 +179,19 @@ else - ifelse([$3], , :, [$3]) - fi[]dnl - ])# PKG_CHECK_MODULES -+ -+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, -+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -+dnl ------------------------------------------- -+dnl Since: 0.28 -+dnl -+dnl Retrieves the value of the pkg-config variable for the given module. -+AC_DEFUN([PKG_CHECK_VAR], -+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl -+ -+_PKG_CONFIG([$1], [variable="][$3]["], [$2]) -+AS_VAR_COPY([$1], [pkg_cv_][$1]) -+ -+AS_VAR_IF([$1], [""], [$5], [$4])dnl -+])dnl PKG_CHECK_VAR -diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 -new file mode 100644 -index 00000000000..f48fc7f7e80 ---- /dev/null -+++ b/make/autoconf/lib-sysconf.m4 -@@ -0,0 +1,87 @@ -+# -+# Copyright (c) 2021, Red Hat, Inc. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. Oracle designates this -+# particular file as subject to the "Classpath" exception as provided -+# by Oracle in the LICENSE file that accompanied this code. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). 
-+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ AC_MSG_CHECKING([for NSS library directory]) -+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) -+ -+ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ 
AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+ AC_SUBST(NSS_LIBDIR) -+]) -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index 51d4f724c33..feb0bcf3e75 100644 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) - m4_include([lib-x11.m4]) - - m4_include([lib-tests.m4]) -+m4_include([lib-sysconf.m4]) - - ################################################################################ - # Determine which libraries are needed for this configuration -@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], - LIB_SETUP_X11 - - LIB_TESTS_SETUP_GTEST -+ LIB_SETUP_SYSCONF_LIBS - - BASIC_JDKLIB_LIBS="" - BASIC_JDKLIB_LIBS_TARGET="" -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index f6def153c82..4d7abc33427 100644 ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ - # Libraries - # - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+NSS_LIBDIR:=@NSS_LIBDIR@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk -index 9e5cfe2d0fc..434ade8e182 100644 ---- a/make/modules/java.base/Gendata.gmk -+++ b/make/modules/java.base/Gendata.gmk -@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST - TARGETS += $(GENDATA_JAVA_SECURITY) - - ################################################################################ -+ -+GENDATA_NSS_FIPS_CFG_SRC := 
$(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in -+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg -+ -+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) -+ $(call LogInfo, Generating nss.fips.cfg) -+ $(call MakeTargetDir) -+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ -+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ -+ ) -+ -+TARGETS += $(GENDATA_NSS_FIPS_CFG) -+ -+################################################################################ -diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 1e0f66726d0..59fe923f2c5 100644 ---- a/make/modules/java.base/Lib.gmk -+++ b/make/modules/java.base/Lib.gmk -@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) - endif - endif - -+################################################################################ -+# Create the systemconf library -+ -+LIBSYSTEMCONF_CFLAGS := -+LIBSYSTEMCONF_CXXFLAGS := -+ -+ifeq ($(USE_SYSCONF_NSS), true) -+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+endif -+ -+$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+)) -+ -+TARGETS += $(BUILD_LIBSYSTEMCONF) -+ - ################################################################################ - # Create the symbols file for static builds. 
- -diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -index 10093137151..b023c63ae58 100644 ---- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -+++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -@@ -31,6 +31,7 @@ import java.security.SecureRandom; - import java.security.PrivilegedAction; - import java.util.HashMap; - import java.util.List; -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.util.SecurityProviderConstants.*; - -@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*; - - public final class SunJCE extends Provider { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - @java.io.Serial - private static final long serialVersionUID = 6812507587804302833L; - -@@ -147,298 +152,299 @@ public final class SunJCE extends Provider { - void putEntries() { - // reuse attribute map and reset before each reuse - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -- + "|OAEPWITHMD5ANDMGF1PADDING" -- + "|OAEPWITHSHA1ANDMGF1PADDING" -- + "|OAEPWITHSHA-1ANDMGF1PADDING" -- + "|OAEPWITHSHA-224ANDMGF1PADDING" -- + "|OAEPWITHSHA-256ANDMGF1PADDING" -- + "|OAEPWITHSHA-384ANDMGF1PADDING" -- + "|OAEPWITHSHA-512ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -- ps("Cipher", "RSA", -- "com.sun.crypto.provider.RSACipher", null, attrs); -- -- // common block cipher modes, pads -- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -- 
"|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -- final String BLOCK_MODES128 = BLOCK_MODES + -- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DES", -- "com.sun.crypto.provider.DESCipher", null, attrs); -- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -- attrs); -- ps("Cipher", "Blowfish", -- "com.sun.crypto.provider.BlowfishCipher", null, attrs); -- -- ps("Cipher", "RC2", -- "com.sun.crypto.provider.RC2Cipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES128); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES", -- "com.sun.crypto.provider.AESCipher$General", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -- attrs); -- ps("Cipher", "AES/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_128/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_128/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/KW/NoPadding", -- 
"com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_128/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_128/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_192/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_192/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_192/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_192/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_256/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_256/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_256/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_256/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -- attrs); -- -- attrs.clear(); -- 
attrs.put("SupportedModes", "GCM"); -- attrs.put("SupportedKeyFormats", "RAW"); -- -- ps("Cipher", "AES/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -- attrs); -- psA("Cipher", "AES_128/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES128", -- attrs); -- psA("Cipher", "AES_192/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES192", -- attrs); -- psA("Cipher", "AES_256/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES256", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "CBC"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DESedeWrap", -- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "ARCFOUR", -- "com.sun.crypto.provider.ARCFOURCipher", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "ChaCha20", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -- null, attrs); -- psA("Cipher", "ChaCha20-Poly1305", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -- attrs); -- -- // PBES1 -- psA("Cipher", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -- null); -- ps("Cipher", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -- psA("Cipher", "PBEWithSHA1AndDESede", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -- null); -- psA("Cipher", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -- null); -- -- psA("Cipher", 
"PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -- null); -- -- // PBES2 -- ps("Cipher", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); -- -- -- ps("Cipher", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); -- -- /* -- * Key(pair) Generator engines -- */ -- ps("KeyGenerator", "DES", -- "com.sun.crypto.provider.DESKeyGenerator"); -- psA("KeyGenerator", "DESede", -- "com.sun.crypto.provider.DESedeKeyGenerator", -- null); -- ps("KeyGenerator", "Blowfish", -- 
"com.sun.crypto.provider.BlowfishKeyGenerator"); -- psA("KeyGenerator", "AES", -- "com.sun.crypto.provider.AESKeyGenerator", -- null); -- ps("KeyGenerator", "RC2", -- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -- psA("KeyGenerator", "ARCFOUR", -- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -- null); -- ps("KeyGenerator", "ChaCha20", -- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -- ps("KeyGenerator", "HmacMD5", -- "com.sun.crypto.provider.HmacMD5KeyGenerator"); -- -- psA("KeyGenerator", "HmacSHA1", -- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -- psA("KeyGenerator", "HmacSHA224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -- null); -- psA("KeyGenerator", "HmacSHA256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -- null); -- psA("KeyGenerator", "HmacSHA384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -- null); -- psA("KeyGenerator", "HmacSHA512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -- null); -- psA("KeyGenerator", "HmacSHA512/224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -- null); -- psA("KeyGenerator", "HmacSHA512/256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -- null); -- -- psA("KeyGenerator", "HmacSHA3-224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -- null); -- psA("KeyGenerator", "HmacSHA3-256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -- null); -- psA("KeyGenerator", "HmacSHA3-384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -- null); -- psA("KeyGenerator", "HmacSHA3-512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -- null); -- -- psA("KeyPairGenerator", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyPairGenerator", -- null); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -+ + 
"|OAEPWITHMD5ANDMGF1PADDING" -+ + "|OAEPWITHSHA1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-224ANDMGF1PADDING" -+ + "|OAEPWITHSHA-256ANDMGF1PADDING" -+ + "|OAEPWITHSHA-384ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ ps("Cipher", "RSA", -+ "com.sun.crypto.provider.RSACipher", null, attrs); -+ -+ // common block cipher modes, pads -+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -+ final String BLOCK_MODES128 = BLOCK_MODES + -+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", BLOCK_MODES); -+ attrs.put("SupportedPaddings", BLOCK_PADS); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DES", -+ "com.sun.crypto.provider.DESCipher", null, attrs); -+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -+ attrs); -+ ps("Cipher", "Blowfish", -+ "com.sun.crypto.provider.BlowfishCipher", null, attrs); -+ -+ ps("Cipher", "RC2", -+ "com.sun.crypto.provider.RC2Cipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", BLOCK_MODES128); -+ attrs.put("SupportedPaddings", BLOCK_PADS); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "AES", -+ "com.sun.crypto.provider.AESCipher$General", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "AES/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -+ null, 
attrs); -+ psA("Cipher", "AES/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_128/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_128/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_128/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_192/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_192/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_192/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_256/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -+ attrs); -+ 
psA("Cipher", "AES_256/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_256/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_256/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "GCM"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ -+ ps("Cipher", "AES/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -+ attrs); -+ psA("Cipher", "AES_128/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES128", -+ attrs); -+ psA("Cipher", "AES_192/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES192", -+ attrs); -+ psA("Cipher", "AES_256/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES256", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "CBC"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DESedeWrap", -+ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "ARCFOUR", -+ "com.sun.crypto.provider.ARCFOURCipher", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "ChaCha20", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -+ null, attrs); -+ psA("Cipher", "ChaCha20-Poly1305", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -+ attrs); -+ -+ // PBES1 -+ psA("Cipher", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -+ null); -+ 
ps("Cipher", "PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -+ psA("Cipher", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("Cipher", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -+ null); -+ -+ // PBES2 -+ ps("Cipher", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -+ -+ ps("Cipher", 
"PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); -+ -+ /* -+ * Key(pair) Generator engines -+ */ -+ ps("KeyGenerator", "DES", -+ "com.sun.crypto.provider.DESKeyGenerator"); -+ psA("KeyGenerator", "DESede", -+ "com.sun.crypto.provider.DESedeKeyGenerator", -+ null); -+ ps("KeyGenerator", "Blowfish", -+ "com.sun.crypto.provider.BlowfishKeyGenerator"); -+ psA("KeyGenerator", "AES", -+ "com.sun.crypto.provider.AESKeyGenerator", -+ null); -+ ps("KeyGenerator", "RC2", -+ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -+ psA("KeyGenerator", "ARCFOUR", -+ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -+ null); -+ ps("KeyGenerator", "ChaCha20", -+ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -+ ps("KeyGenerator", "HmacMD5", -+ "com.sun.crypto.provider.HmacMD5KeyGenerator"); -+ -+ psA("KeyGenerator", "HmacSHA1", -+ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -+ psA("KeyGenerator", "HmacSHA224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -+ null); -+ psA("KeyGenerator", "HmacSHA256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -+ null); -+ psA("KeyGenerator", "HmacSHA384", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -+ null); -+ psA("KeyGenerator", "HmacSHA512", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -+ null); -+ psA("KeyGenerator", "HmacSHA512/224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -+ null); -+ psA("KeyGenerator", "HmacSHA512/256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -+ null); -+ -+ psA("KeyGenerator", "HmacSHA3-224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -+ null); -+ 
psA("KeyGenerator", "HmacSHA3-256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -+ null); -+ psA("KeyGenerator", "HmacSHA3-384", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -+ null); -+ psA("KeyGenerator", "HmacSHA3-512", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -+ null); -+ -+ psA("KeyPairGenerator", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyPairGenerator", -+ null); -+ } - - /* - * Algorithm parameter generation engines -@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { - "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", - null); - -- /* -- * Key Agreement engines -- */ -- attrs.clear(); -- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + -- "|javax.crypto.interfaces.DHPrivateKey"); -- psA("KeyAgreement", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyAgreement", -- attrs); -+ if (!systemFipsEnabled) { -+ /* -+ * Key Agreement engines -+ */ -+ attrs.clear(); -+ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + -+ "|javax.crypto.interfaces.DHPrivateKey"); -+ psA("KeyAgreement", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyAgreement", -+ attrs); -+ } - - /* - * Algorithm Parameter engines -@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { - "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); - - ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); - - ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); - - ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", - "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -@@ -651,136 +659,137 @@ public final 
class SunJCE extends Provider { - ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", - "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); - -- // PBKDF2 -- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", -- null); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); -- -- /* -- * MAC -- */ -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); -- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", -- attrs); -- psA("Mac", "HmacSHA224", -- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); -- psA("Mac", "HmacSHA256", -- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); -- psA("Mac", "HmacSHA384", -- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); -- psA("Mac", "HmacSHA512", -- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); -- psA("Mac", "HmacSHA512/224", -- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); -- psA("Mac", "HmacSHA512/256", -- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); -- psA("Mac", "HmacSHA3-224", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); -- psA("Mac", "HmacSHA3-256", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); -- psA("Mac", "HmacSHA3-384", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); -- psA("Mac", "HmacSHA3-512", -- 
"com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); -- -- ps("Mac", "HmacPBESHA1", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", -- null, attrs); -- ps("Mac", "HmacPBESHA224", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", -- null, attrs); -- ps("Mac", "HmacPBESHA256", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", -- null, attrs); -- ps("Mac", "HmacPBESHA384", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", -- null, attrs); -- ps("Mac", "HmacPBESHA512", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", -- null, attrs); -- ps("Mac", "HmacPBESHA512/224", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", -- null, attrs); -- ps("Mac", "HmacPBESHA512/256", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", -- null, attrs); -- -- -- // PBMAC1 -- ps("Mac", "PBEWithHmacSHA1", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); -- ps("Mac", "PBEWithHmacSHA224", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); -- ps("Mac", "PBEWithHmacSHA256", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); -- ps("Mac", "PBEWithHmacSHA384", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); -- ps("Mac", "PBEWithHmacSHA512", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); -- ps("Mac", "PBEWithHmacSHA512/224", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); -- ps("Mac", "PBEWithHmacSHA512/256", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); -- -- ps("Mac", "SslMacMD5", -- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); -- ps("Mac", "SslMacSHA1", -- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); -- -- /* -- * KeyStore -- */ -- ps("KeyStore", "JCEKS", -- "com.sun.crypto.provider.JceKeyStore"); -- -- /* -- * KEMs -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- 
attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + -- "|java.security.interfaces.XECKey"); -- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); -- -- /* -- * SSL/TLS mechanisms -- * -- * These are strictly internal implementations and may -- * be changed at any time. These names were chosen -- * because PKCS11/SunPKCS11 does not yet have TLS1.2 -- * mechanisms, and it will cause calls to come here. -- */ -- ps("KeyGenerator", "SunTlsPrf", -- "com.sun.crypto.provider.TlsPrfGenerator$V10"); -- ps("KeyGenerator", "SunTls12Prf", -- "com.sun.crypto.provider.TlsPrfGenerator$V12"); -- -- ps("KeyGenerator", "SunTlsMasterSecret", -- "com.sun.crypto.provider.TlsMasterSecretGenerator", -- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), -- null); -- -- ps("KeyGenerator", "SunTlsKeyMaterial", -- "com.sun.crypto.provider.TlsKeyMaterialGenerator", -- List.of("SunTls12KeyMaterial"), null); -- -- ps("KeyGenerator", "SunTlsRsaPremasterSecret", -- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", -- List.of("SunTls12RsaPremasterSecret"), null); -+ if (!systemFipsEnabled) { -+ // PBKDF2 -+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", -+ null); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); -+ -+ /* -+ * MAC -+ */ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Mac", "HmacMD5", 
"com.sun.crypto.provider.HmacMD5", null, attrs); -+ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", -+ attrs); -+ psA("Mac", "HmacSHA224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); -+ psA("Mac", "HmacSHA256", -+ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); -+ psA("Mac", "HmacSHA384", -+ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); -+ psA("Mac", "HmacSHA512", -+ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); -+ psA("Mac", "HmacSHA512/224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); -+ psA("Mac", "HmacSHA512/256", -+ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); -+ psA("Mac", "HmacSHA3-224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); -+ psA("Mac", "HmacSHA3-256", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); -+ psA("Mac", "HmacSHA3-384", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); -+ psA("Mac", "HmacSHA3-512", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); -+ -+ ps("Mac", "HmacPBESHA1", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", -+ null, attrs); -+ ps("Mac", "HmacPBESHA224", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", -+ null, attrs); -+ ps("Mac", "HmacPBESHA256", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", -+ null, attrs); -+ ps("Mac", "HmacPBESHA384", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", -+ null, attrs); -+ ps("Mac", "HmacPBESHA512", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", -+ null, attrs); -+ ps("Mac", "HmacPBESHA512/224", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", -+ null, attrs); -+ ps("Mac", "HmacPBESHA512/256", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", -+ null, attrs); -+ -+ // PBMAC1 -+ ps("Mac", "PBEWithHmacSHA1", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); -+ ps("Mac", "PBEWithHmacSHA224", -+ 
"com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); -+ ps("Mac", "PBEWithHmacSHA256", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); -+ ps("Mac", "PBEWithHmacSHA384", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); -+ ps("Mac", "PBEWithHmacSHA512", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); -+ ps("Mac", "PBEWithHmacSHA512/224", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); -+ ps("Mac", "PBEWithHmacSHA512/256", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); -+ -+ ps("Mac", "SslMacMD5", -+ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); -+ ps("Mac", "SslMacSHA1", -+ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); -+ -+ /* -+ * KeyStore -+ */ -+ ps("KeyStore", "JCEKS", -+ "com.sun.crypto.provider.JceKeyStore"); -+ -+ /* -+ * KEMs -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + -+ "|java.security.interfaces.XECKey"); -+ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); -+ -+ /* -+ * SSL/TLS mechanisms -+ * -+ * These are strictly internal implementations and may -+ * be changed at any time. These names were chosen -+ * because PKCS11/SunPKCS11 does not yet have TLS1.2 -+ * mechanisms, and it will cause calls to come here. 
-+ */
-+ ps("KeyGenerator", "SunTlsPrf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
-+ ps("KeyGenerator", "SunTls12Prf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
-+
-+ ps("KeyGenerator", "SunTlsMasterSecret",
-+ "com.sun.crypto.provider.TlsMasterSecretGenerator",
-+ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-+ null);
-+
-+ ps("KeyGenerator", "SunTlsKeyMaterial",
-+ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-+ List.of("SunTls12KeyMaterial"), null);
-+
-+ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-+ List.of("SunTls12RsaPremasterSecret"), null);
-+ }
- }
-
- // Return the instance of this class or create one if needed.
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index 671529f71a1..af632936921 100644
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -34,6 +34,7 @@ import java.net.URL;
- import jdk.internal.access.JavaSecurityPropertiesAccess;
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -58,6 +59,11 @@ import sun.security.jca.*;
-
- public final class Security {
-
-+ private static final String SYS_PROP_SWITCH =
-+ "java.security.disableSystemPropertiesFile";
-+ private static final String SEC_PROP_SWITCH =
-+ "security.useSystemPropertiesFile";
-+
- /* Are we debugging?
-- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -75,6 +81,19 @@ public final class Security { - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -96,6 +115,7 @@ public final class Security { - private static void initialize() { - props = new Properties(); - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -116,6 +136,61 @@ public final class Security { - } - loadProps(null, extraPropFile, overrideAll); - } -+ -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ if (systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.redhat.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; 
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips unset, using default value of true");
-+ }
-+ } else {
-+ shouldEnable = Boolean.valueOf(sysProp);
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
-+ }
-+ }
-+ if (shouldEnable) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS mode support configured and enabled.");
-+ } else {
-+ sdebug.println("FIPS mode support disabled.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null ) {
-+ sdebug.println("FIPS mode support disabled by user.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
-+ "system security properties being enabled.");
-+ }
-+ }
-+
- initialSecurityProperties = (Properties) props.clone();
- if (sdebug != null) {
- for (String key : props.stringPropertyNames()) {
-@@ -126,7 +201,7 @@ public final class Security {
-
- }
-
-- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
-+ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
- InputStream is = null;
- try {
- if (masterFile != null && masterFile.exists()) {
-diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
-index 00000000000..9d26a54f5d4
---- /dev/null
-+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,232 @@
-+/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. 
-+ *
-+ */
-+
-+final class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ @SuppressWarnings("removal")
-+ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configureSysProps(Properties props) {
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
-+ loadedProps = true;
-+ systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
-+ /**
-+ * Determines whether FIPS mode should be enabled.
-+ *
-+ * OpenJDK FIPS mode will be enabled only if the system is in
-+ * FIPS mode.
-+ *
-+ * Calls to this method only occur if the system property
-+ * com.redhat.fips is not set to false.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
-+ *
-+ * @return true if the system is in FIPS mode
-+ */
-+ private static boolean enableFips() throws Exception {
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ boolean fipsEnabled = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + fipsEnabled);
-+ }
-+ return fipsEnabled;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
-+ }
-+}
-diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..3f3caac64dc
---- /dev/null
-+++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package jdk.internal.access; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index 919d758a6e3..b1e5fbaf84a 100644 ---- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -+++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -43,6 +43,7 @@ import java.io.PrintStream; - import java.io.PrintWriter; - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - /** A repository of "shared secrets", which are a mechanism for -@@ -90,6 +91,7 @@ public class SharedSecrets { - private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; - private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; - private static JavaTemplateAccess javaTemplateAccess; -+ private static JavaSecuritySystemConfiguratorAccess 
javaSecuritySystemConfiguratorAccess;
-
- public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
- javaUtilCollectionAccess = juca;
-@@ -537,4 +539,15 @@ public class SharedSecrets {
- MethodHandles.lookup().ensureInitialized(c);
- } catch (IllegalAccessException e) {}
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ ensureClassInitialized(Security.class);
-+ }
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index 06b141dcf22..e8cbf7f15d7 100644
---- a/src/java.base/share/classes/module-info.java
-+++ b/src/java.base/share/classes/module-info.java
-@@ -158,6 +158,7 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
- jdk.jfr,
-diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-index f036a411f1d..1e9de933bd9 100644
---- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
-+++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-@@ -38,6 +38,7 @@ import java.util.HashMap;
- import java.util.Iterator;
- import java.util.LinkedHashSet;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.action.GetBooleanAction;
-
-@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
-
- public final class SunEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- // the default algo used by
SecureRandom class for new SecureRandom() calls
- public static final String DEF_SECURE_RANDOM_ALGO;
-
-@@ -102,89 +107,92 @@ public final class SunEntries {
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-
-- /*
-- * SecureRandom engines
-- */
-- attrs.put("ThreadSafe", "true");
-- if (NativePRNG.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNG",
-- "sun.security.provider.NativePRNG", attrs);
-- }
-- if (NativePRNG.Blocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGBlocking",
-- "sun.security.provider.NativePRNG$Blocking", attrs);
-- }
-- if (NativePRNG.NonBlocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGNonBlocking",
-- "sun.security.provider.NativePRNG$NonBlocking", attrs);
-- }
-- attrs.put("ImplementedIn", "Software");
-- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-- add(p, "SecureRandom", "SHA1PRNG",
-- "sun.security.provider.SecureRandom", attrs);
--
-- /*
-- * Signature engines
-- */
-- attrs.clear();
-- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-- "|java.security.interfaces.DSAPrivateKey";
-- attrs.put("SupportedKeyClasses", dsaKeyClasses);
-- attrs.put("ImplementedIn", "Software");
--
-- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
--
-- addWithAlias(p, "Signature", "SHA1withDSA",
-- "sun.security.provider.DSA$SHA1withDSA", attrs);
-- addWithAlias(p, "Signature", "NONEwithDSA",
-- "sun.security.provider.DSA$RawDSA", attrs);
--
-- // for DSA signatures with 224/256-bit digests
-- attrs.put("KeySize", "2048");
--
-- addWithAlias(p, "Signature", "SHA224withDSA",
-- "sun.security.provider.DSA$SHA224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA256withDSA",
-- "sun.security.provider.DSA$SHA256withDSA", attrs);
--
-- addWithAlias(p, "Signature", "SHA3-224withDSA",
-- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-256withDSA",
-- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
--
--
attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
--
-- addWithAlias(p, "Signature", "SHA384withDSA",
-- "sun.security.provider.DSA$SHA384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA512withDSA",
-- "sun.security.provider.DSA$SHA512withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-384withDSA",
-- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-512withDSA",
-- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * SecureRandom engines
-+ */
-+ attrs.put("ThreadSafe", "true");
-+ if (NativePRNG.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNG",
-+ "sun.security.provider.NativePRNG", attrs);
-+ }
-+ if (NativePRNG.Blocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGBlocking",
-+ "sun.security.provider.NativePRNG$Blocking", attrs);
-+ }
-+ if (NativePRNG.NonBlocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGNonBlocking",
-+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
-+ }
-+ attrs.put("ImplementedIn", "Software");
-+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-+ add(p, "SecureRandom", "SHA1PRNG",
-+ "sun.security.provider.SecureRandom", attrs);
-
-- attrs.remove("KeySize");
-+ /*
-+ * Signature engines
-+ */
-+ attrs.clear();
-+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-+ "|java.security.interfaces.DSAPrivateKey";
-+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
-+ attrs.put("ImplementedIn", "Software");
-+
-+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-+
-+ addWithAlias(p, "Signature", "SHA1withDSA",
-+ "sun.security.provider.DSA$SHA1withDSA", attrs);
-+ addWithAlias(p, "Signature", "NONEwithDSA",
-+ "sun.security.provider.DSA$RawDSA", attrs);
-+
-+ // for DSA signatures with 224/256-bit digests
-+ attrs.put("KeySize", "2048");
-+
-+ addWithAlias(p, "Signature", "SHA224withDSA",
-+ "sun.security.provider.DSA$SHA224withDSA", attrs);
-+
addWithAlias(p, "Signature", "SHA256withDSA",
-+ "sun.security.provider.DSA$SHA256withDSA", attrs);
-+
-+ addWithAlias(p, "Signature", "SHA3-224withDSA",
-+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-256withDSA",
-+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-+
-+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-+
-+ addWithAlias(p, "Signature", "SHA384withDSA",
-+ "sun.security.provider.DSA$SHA384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA512withDSA",
-+ "sun.security.provider.DSA$SHA512withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-384withDSA",
-+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-512withDSA",
-+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-+
-+ attrs.remove("KeySize");
-+
-+ add(p, "Signature", "SHA1withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-+ add(p, "Signature", "NONEwithDSAinP1363Format",
-+ "sun.security.provider.DSA$RawDSAinP1363Format");
-+ add(p, "Signature", "SHA224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-+ add(p, "Signature", "SHA256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-+ add(p, "Signature", "SHA384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-+ add(p, "Signature", "SHA512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-
-- add(p,
"Signature", "SHA1withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-- add(p, "Signature", "NONEwithDSAinP1363Format",
-- "sun.security.provider.DSA$RawDSAinP1363Format");
-- add(p, "Signature", "SHA224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-- add(p, "Signature", "SHA256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-- add(p, "Signature", "SHA384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-- add(p, "Signature", "SHA512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-- add(p, "Signature", "SHA3-224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-- add(p, "Signature", "SHA3-256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-- add(p, "Signature", "SHA3-384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-- add(p, "Signature", "SHA3-512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-+ }
-
- attrs.clear();
- attrs.put("ImplementedIn", "Software");
-@@ -196,9 +204,11 @@ public final class SunEntries {
- attrs.put("ImplementedIn", "Software");
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-
-- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ if (!systemFipsEnabled) {
-+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-+ dsaKPGImplClass += (useLegacyDSA?
"Legacy" : "Current");
-+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ }
-
- /*
- * Algorithm Parameter Generator engines
-@@ -213,44 +223,46 @@ public final class SunEntries {
- addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs);
-
-- /*
-- * Key factories
-- */
-- addWithAlias(p, "KeyFactory", "DSA",
-- "sun.security.provider.DSAKeyFactory", attrs);
-- addWithAlias(p, "KeyFactory", "HSS/LMS",
-- "sun.security.provider.HSS$KeyFactoryImpl", attrs);
--
-- /*
-- * Digest engines
-- */
-- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2",
-- attrs);
-- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5",
-- attrs);
-- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ addWithAlias(p, "KeyFactory", "DSA",
-+ "sun.security.provider.DSAKeyFactory", attrs);
-+ addWithAlias(p, "KeyFactory", "HSS/LMS",
-+ "sun.security.provider.HSS$KeyFactoryImpl", attrs);
-
-- addWithAlias(p, "MessageDigest", "SHA-224",
-- "sun.security.provider.SHA2$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-256",
-- "sun.security.provider.SHA2$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-384",
-- "sun.security.provider.SHA5$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512",
-- "sun.security.provider.SHA5$SHA512", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/224",
-- "sun.security.provider.SHA5$SHA512_224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/256",
-- "sun.security.provider.SHA5$SHA512_256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-224",
-- "sun.security.provider.SHA3$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-256",
-- "sun.security.provider.SHA3$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-384",
-- "sun.security.provider.SHA3$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-512",
--
"sun.security.provider.SHA3$SHA512", attrs);
-+ /*
-+ * Digest engines
-+ */
-+ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2",
-+ attrs);
-+ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5",
-+ attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-+ attrs);
-+
-+ addWithAlias(p, "MessageDigest", "SHA-224",
-+ "sun.security.provider.SHA2$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-256",
-+ "sun.security.provider.SHA2$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-384",
-+ "sun.security.provider.SHA5$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512",
-+ "sun.security.provider.SHA5$SHA512", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/224",
-+ "sun.security.provider.SHA5$SHA512_224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/256",
-+ "sun.security.provider.SHA5$SHA512_256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-224",
-+ "sun.security.provider.SHA3$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-256",
-+ "sun.security.provider.SHA3$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-384",
-+ "sun.security.provider.SHA3$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-512",
-+ "sun.security.provider.SHA3$SHA512", attrs);
-+ }
-
- /*
- * Certificates
-diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-index 539ef1e8ee8..435f57e3ff2 100644
---- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-+++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-@@ -27,6 +27,7 @@ package sun.security.rsa;
-
- import java.util.*;
- import java.security.Provider;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityProviderConstants.getAliases;
-
- /**
-@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
- */
-
public final class SunRsaSignEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private void add(Provider p, String type, String algo, String cn,
- List aliases, HashMap attrs) {
- services.add(new Provider.Service(p, type, algo, cn,
-@@ -63,42 +68,49 @@ public final class SunRsaSignEntries {
- add(p, "KeyFactory", "RSA",
- "sun.security.rsa.RSAKeyFactory$Legacy",
- getAliases("PKCS1"), null);
-- add(p, "KeyPairGenerator", "RSA",
-- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-- getAliases("PKCS1"), null);
-- addA(p, "Signature", "MD2withRSA",
-- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-- addA(p, "Signature", "MD5withRSA",
-- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-- addA(p, "Signature", "SHA1withRSA",
-- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-- addA(p, "Signature", "SHA224withRSA",
-- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-- addA(p, "Signature", "SHA256withRSA",
-- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-- addA(p, "Signature", "SHA384withRSA",
-- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-- addA(p, "Signature", "SHA512withRSA",
-- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-- addA(p, "Signature", "SHA512/224withRSA",
-- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-- addA(p, "Signature", "SHA512/256withRSA",
-- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-224withRSA",
-- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-- addA(p, "Signature", "SHA3-256withRSA",
-- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-384withRSA",
-- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-- addA(p, "Signature", "SHA3-512withRSA",
-- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ add(p, "KeyPairGenerator", "RSA",
-+
"sun.security.rsa.RSAKeyPairGenerator$Legacy",
-+ getAliases("PKCS1"), null);
-+ addA(p, "Signature", "MD2withRSA",
-+ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-+ addA(p, "Signature", "MD5withRSA",
-+ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-+ addA(p, "Signature", "SHA1withRSA",
-+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-+ addA(p, "Signature", "SHA224withRSA",
-+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-+ addA(p, "Signature", "SHA256withRSA",
-+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-+ addA(p, "Signature", "SHA384withRSA",
-+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-+ addA(p, "Signature", "SHA512withRSA",
-+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-+ addA(p, "Signature", "SHA512/224withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-+ addA(p, "Signature", "SHA512/256withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-224withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-+ addA(p, "Signature", "SHA3-256withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-384withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-+ addA(p, "Signature", "SHA3-512withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+ }
-
- addA(p, "KeyFactory", "RSASSA-PSS",
- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-- addA(p, "KeyPairGenerator", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-- addA(p, "Signature", "RSASSA-PSS",
-- "sun.security.rsa.RSAPSSSignature", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ addA(p, "KeyPairGenerator", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-+ addA(p, "Signature", "RSASSA-PSS",
-+ "sun.security.rsa.RSAPSSSignature", attrs);
-+ }
-+
- addA(p, "AlgorithmParameters", "RSASSA-PSS",
- "sun.security.rsa.PSSParameters", null);
- }
-diff --git
a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index f8b01a4ea1e..b325bf7e9fc 100644
---- a/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
-@@ -85,6 +85,17 @@ security.provider.tbd=Apple
- #endif
- security.provider.tbd=SunPKCS11
-
-+#
-+# Security providers used when FIPS mode support is active
-+#
-+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
-+fips.provider.2=SUN
-+fips.provider.3=SunEC
-+fips.provider.4=SunJSSE
-+fips.provider.5=SunJCE
-+fips.provider.6=SunRsaSign
-+fips.provider.7=XMLDSig
-+
- #
- # A list of preferred providers for specific algorithms. These providers will
- # be searched for matching algorithms before the list of registered providers.
-@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false
- #
- keystore.type=pkcs12
-
-+#
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=pkcs12
-+
-+#
-+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
-+#
-+# The syntax for this property is identical to the 'nssSecmodDirectory'
-+# attribute available in the SunPKCS11 NSS configuration file. Use the
-+# 'sql:' prefix to refer to an SQLite DB.
-+#
-+# If the system property fips.nssdb.path is also specified, it supersedes
-+# the security property value defined here.
-+#
-+# Note: the default value for this property points to an NSS DB that might be
-+# readable by multiple operating system users and unsuitable to store keys.
-+#
-+fips.nssdb.path=sql:/etc/pki/nssdb
-+
-+#
-+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
-+#
-+# Values must take any of the following forms:
-+# 1) pin:
-+# Value: clear text PIN value.
-+# 2) env:
-+# Value: environment variable containing the PIN value.
-+# 3) file:
-+# Value: path to a file containing the PIN value in its first
-+# line.
-+#
-+# If the system property fips.nssdb.pin is also specified, it supersedes
-+# the security property value defined here.
-+#
-+# When used as a system property, UTF-8 encoded values are valid. When
-+# used as a security property (such as in this file), encode non-Basic
-+# Latin Unicode characters with \uXXXX.
-+#
-+fips.nssdb.pin=pin:
-+
- #
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
-@@ -332,6 +384,13 @@ package.definition=sun.misc.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
-new file mode 100644
-index 00000000000..55bbba98b7a
---- /dev/null
-+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
-@@ -0,0 +1,8 @@
-+name = NSS-FIPS
-+nssLibraryDirectory = @NSS_LIBDIR@
-+nssSecmodDirectory = ${fips.nssdb.path}
-+nssDbMode = readWrite
-+nssModule = fips
-+
-+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-+
-diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index 86d45147709..22fd8675503 100644
---- a/src/java.base/share/lib/security/default.policy
-+++ b/src/java.base/share/lib/security/default.policy
-@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" {
- grant codeBase "jrt:/jdk.crypto.ec" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "loadLibrary.sunec";
- permission java.security.SecurityPermission "putProviderProperty.SunEC";
- permission
java.security.SecurityPermission "clearProviderProperties.SunEC";
-@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.util.PropertyPermission "os.name", "read";
- permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
-+ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
-+ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
- permission java.security.SecurityPermission "putProviderProperty.*";
- permission java.security.SecurityPermission "clearProviderProperties.*";
- permission java.security.SecurityPermission "removeProviderProperty.*";
-diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..ddf9befe5bc
---- /dev/null
-+++ b/src/java.base/share/native/libsystemconf/systemconf.c
-@@ -0,0 +1,236 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include "jvm_md.h"
-+#include
-+
-+#ifdef LINUX
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#else
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+
handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return
JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+ } else {
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ?
JNI_TRUE : JNI_FALSE);
-+ }
-+}
-+
-+#else // !LINUX
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ return JNI_FALSE;
-+}
-+
-+#endif
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 00000000000..48d6d656a28
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,457 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.security.interfaces.RSAPrivateCrtKey;
-+import java.security.interfaces.RSAPrivateKey;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.SecretKeyFactory;
-+import javax.crypto.spec.SecretKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAPrivateCrtKeyImpl;
-+import sun.security.rsa.RSAUtil;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static volatile P11Key importerKey = null;
-+ private static SecretKeySpec exporterKey = null;
-+ private static volatile P11Key exporterKeyP11 = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ // Do not take the exporterKeyLock with the importerKeyLock held.
-+ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
-+ private static volatile CK_MECHANISM importerKeyMechanism = null;
-+ private static volatile CK_MECHANISM exporterKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+ private static Cipher exporterCipher = null;
-+
-+ private static volatile Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes =
sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ?
v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ importerKeyLock.lock();
-+ try {
-+ // No need to reset the cipher object because no multi-part
-+ // operations are performed.
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
-+ long keyClass, long keyType, Map sensitiveAttrs)
-+ throws PKCS11Exception {
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be exported in" +
-+ " system FIPS mode.");
-+ }
-+ if (exporterKeyP11 == null) {
-+ try {
-+ exporterKeyLock.lock();
-+ if (exporterKeyP11 == null) {
-+ if (exporterKeyMechanism == null) {
-+ // Exporter Key creation has not been tried yet. Try it.
-+ createExporterKey(token);
-+ }
-+ if (exporterKeyP11 == null || exporterCipher == null) {
-+ if (debug != null) {
-+ debug.println("Exporter Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key exporter");
-+ }
-+ if (debug != null) {
-+ debug.println("Exporter Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ exporterKeyLock.unlock();
-+ }
-+ }
-+ long exporterKeyID = exporterKeyP11.getKeyID();
-+ try {
-+ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
-+ exporterKeyMechanism, exporterKeyID, hObject);
-+ byte[] plainExportedKey = null;
-+ exporterKeyLock.lock();
-+ try {
-+ // No need to reset the cipher object because no multi-part
-+ // operations are performed.
-+ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
-+ } finally {
-+ exporterKeyLock.unlock();
-+ }
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
-+ } else {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key exporter");
-+ }
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ } finally {
-+ exporterKeyP11.releaseKeyID();
-+ }
-+ }
-+
-+ private static void exportPrivateKey(
-+ Map sensitiveAttrs, long keyType,
-+ byte[] plainExportedKey) throws Throwable {
-+ if (keyType == CKK_RSA) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
-+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
-+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
-+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
-+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
-+ CK_ATTRIBUTE attr;
-+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
-+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
-+ }
-+ if (rsaPKey instanceof RSAPrivateCrtKey) {
-+ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
-+ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
-+ attr.pValue =
rsaPCrtKey.getPrimeExponentQ().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
-+ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
-+ }
-+ } else {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
-+ CKA_PRIVATE_EXPONENT);
-+ }
-+ } else if (keyType == CKK_DSA) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue =
-+ new sun.security.provider.DSAPrivateKey(plainExportedKey)
-+ .getX().toByteArray();
-+ } else if (keyType == CKK_EC) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue =
-+ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
-+ .getS().toByteArray();
-+ } else {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
-+ }
-+ }
-+
-+ private static void checkAttrs(Map sensitiveAttrs,
-+ String keyName, long...
validAttrs)
-+ throws PKCS11Exception {
-+ int sensitiveAttrsCount = sensitiveAttrs.size();
-+ if (sensitiveAttrsCount <= validAttrs.length) {
-+ int validAttrsCount = 0;
-+ for (long validAttr : validAttrs) {
-+ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
-+ }
-+ if (validAttrsCount == sensitiveAttrsCount) return;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " invalid attribute types for a " + keyName + " key object");
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec(
-+ (byte[])importerKeyMechanism.pParameter), null);
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ if (debug != null) {
-+ debug.println("Error generating the Importer Key");
-+ }
-+ }
-+ }
-+
-+ private static void createExporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Exporter Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ byte[] exporterKeyRaw = new byte[32];
-+ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
-+ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
-+ try {
-+ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
-+ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
-+ if (exporterKeyP11 != null) {
-+ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
-+ new IvParameterSpec(
-+ (byte[])exporterKeyMechanism.pParameter), null);
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ exporterKey = null;
-+ exporterKeyP11 = null;
-+ exporterCipher = null;
-+ // exporterKeyMechanism value is kept initialized to indicate that
-+ // Exporter Key creation has been tried and failed.
-+ if (debug != null) {
-+ debug.println("Error generating the Exporter Key");
-+ }
-+ }
-+ }
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
-new file mode 100644
-index 00000000000..f8d505ca815
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
-@@ -0,0 +1,149 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.io.BufferedReader;
-+import java.io.ByteArrayInputStream;
-+import java.io.InputStream;
-+import java.io.InputStreamReader;
-+import java.io.IOException;
-+import java.nio.charset.StandardCharsets;
-+import java.nio.file.Files;
-+import java.nio.file.Path;
-+import java.nio.file.Paths;
-+import java.nio.file.StandardOpenOption;
-+import java.security.ProviderException;
-+
-+import javax.security.auth.callback.Callback;
-+import javax.security.auth.callback.CallbackHandler;
-+import javax.security.auth.callback.PasswordCallback;
-+import javax.security.auth.callback.UnsupportedCallbackException;
-+
-+import sun.security.util.Debug;
-+import sun.security.util.SecurityProperties;
-+
-+final class FIPSTokenLoginHandler implements CallbackHandler {
-+
-+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
-+
-+ private static final Debug debug = Debug.getInstance("sunpkcs11");
-+
-+ public void handle(Callback[] callbacks)
-+ throws IOException, UnsupportedCallbackException {
-+ if (!(callbacks[0] instanceof
PasswordCallback)) {
-+ throw new UnsupportedCallbackException(callbacks[0]);
-+ }
-+ PasswordCallback pc = (PasswordCallback)callbacks[0];
-+ pc.setPassword(getFipsNssdbPin());
-+ }
-+
-+ private static char[] getFipsNssdbPin() throws ProviderException {
-+ if (debug != null) {
-+ debug.println("FIPS: Reading NSS DB PIN for token...");
-+ }
-+ String pinProp = SecurityProperties
-+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
-+ if (pinProp != null && !pinProp.isEmpty()) {
-+ String[] pinPropParts = pinProp.split(":", 2);
-+ if (pinPropParts.length < 2) {
-+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
-+ " property value.");
-+ }
-+ String prefix = pinPropParts[0].toLowerCase();
-+ String value = pinPropParts[1];
-+ String pin = null;
-+ if (prefix.equals("env")) {
-+ if (debug != null) {
-+ debug.println("FIPS: PIN value from the '" + value +
-+ "' environment variable.");
-+ }
-+ pin = System.getenv(value);
-+ } else if (prefix.equals("file")) {
-+ if (debug != null) {
-+ debug.println("FIPS: PIN value from the '" + value +
-+ "' file.");
-+ }
-+ pin = getPinFromFile(Paths.get(value));
-+ } else if (prefix.equals("pin")) {
-+ if (debug != null) {
-+ debug.println("FIPS: PIN value from the " +
-+ FIPS_NSSDB_PIN_PROP + " property.");
-+ }
-+ pin = value;
-+ } else {
-+ throw new ProviderException("Unsupported prefix for " +
-+ FIPS_NSSDB_PIN_PROP + ".");
-+ }
-+ if (pin != null && !pin.isEmpty()) {
-+ if (debug != null) {
-+ debug.println("FIPS: non-empty PIN.");
-+ }
-+ /*
-+ * C_Login in libj2pkcs11 receives the PIN in a char[] and
-+ * discards the upper byte of each char, before passing
-+ * the value to the NSS Software Token. However, the
-+ * NSS Software Token accepts any UTF-8 PIN value. Thus,
-+ * expand the PIN here to account for later truncation.
-+ */ -+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); -+ char[] pinChar = new char[pinUtf8.length]; -+ for (int i = 0; i < pinChar.length; i++) { -+ pinChar[i] = (char)(pinUtf8[i] & 0xFF); -+ } -+ return pinChar; -+ } -+ } -+ if (debug != null) { -+ debug.println("FIPS: empty PIN."); -+ } -+ return null; -+ } -+ -+ /* -+ * This method extracts the token PIN from the first line of a password -+ * file in the same way as NSS modutil. See for example the -newpwfile -+ * argument used to change the password for an NSS DB. -+ */ -+ private static String getPinFromFile(Path f) throws ProviderException { -+ try (InputStream is = -+ Files.newInputStream(f, StandardOpenOption.READ)) { -+ /* -+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, -+ * reads up to 4096 bytes. In addition, the NSS Software Token -+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN -+ * in nss/lib/softoken/pkcs11i.h). -+ */ -+ BufferedReader in = -+ new BufferedReader(new InputStreamReader( -+ new ByteArrayInputStream(is.readNBytes(4096)), -+ StandardCharsets.UTF_8)); -+ return in.readLine(); -+ } catch (IOException ioe) { -+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + -+ " from the '" + f + "' file.", ioe); -+ } -+ } -+} -\ No newline at end of file -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 01fc06ae283..e3ca000d309 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -@@ -37,6 +37,8 @@ import javax.crypto.*; - import javax.crypto.interfaces.*; - import javax.crypto.spec.*; - -+import jdk.internal.access.SharedSecrets; -+ - import sun.security.rsa.RSAUtil.KeyType; - import sun.security.rsa.RSAPublicKeyImpl; - import sun.security.rsa.RSAPrivateCrtKeyImpl; -@@ -72,6 +74,9 @@ abstract class P11Key implements 
Key, Length { - @Serial - private static final long serialVersionUID = -2575874101938349339L; - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - private static final String PUBLIC = "public"; - private static final String PRIVATE = "private"; - private static final String SECRET = "secret"; -@@ -414,9 +419,10 @@ abstract class P11Key implements Key, Length { - new CK_ATTRIBUTE(CKA_EXTRACTABLE), - }); - -- boolean keySensitive = -- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || -- attrs[1].getBoolean() || !attrs[2].getBoolean(); -+ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); -+ boolean keySensitive = (!exportable && -+ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || -+ attrs[1].getBoolean() || !attrs[2].getBoolean())); - - return switch (algorithm) { - case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, -@@ -468,7 +474,8 @@ abstract class P11Key implements Key, Length { - - public String getFormat() { - token.ensureValid(); -- if (sensitive || !extractable || (isNSS && tokenObject)) { -+ if (!plainKeySupportEnabled && -+ (sensitive || !extractable || (isNSS && tokenObject))) { - return null; - } else { - return "RAW"; -@@ -1638,4 +1645,3 @@ final class SessionKeyRef extends PhantomReference { - this.clear(); - } - } -- -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 0a62021633f..0723b69c2bc 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - import 
java.util.stream.Collectors; - import java.security.*; -@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; - - import com.sun.crypto.provider.ChaCha20Poly1305Parameters; - -+import jdk.internal.access.SharedSecrets; - import jdk.internal.misc.InnocuousThread; - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; - import static sun.security.util.SecurityConstants.PROVIDER_VER; -+import sun.security.util.SecurityProperties; - import static sun.security.util.SecurityProviderConstants.getAliases; - - import sun.security.pkcs11.Secmod.*; -@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { - @Serial - private static final long serialVersionUID = -1354835039035306505L; - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ private static final MethodHandle fipsExportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ MethodHandle fipsExportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ fipsExportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "exportKey", -+ MethodType.methodType(void.class, SunPKCS11.class, -+ long.class, long.class, -+ long.class, long.class, Map.class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer-exporter" + -+ " initialization failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ fipsExportKey = fipsExportKeyTmp; -+ } -+ -+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; -+ - static final Debug debug = 
Debug.getInstance("sunpkcs11"); - // the PKCS11 object through which we make the native calls - @SuppressWarnings("serial") // Type of field is not Serializable; -@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { - return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { - @Override - public SunPKCS11 run() throws Exception { -+ if (systemFipsEnabled) { -+ /* -+ * The nssSecmodDirectory attribute in the SunPKCS11 -+ * NSS configuration file takes the value of the -+ * fips.nssdb.path System property after expansion. -+ * Security properties expansion is unsupported. -+ */ -+ String nssdbPath = -+ SecurityProperties.privilegedGetOverridable( -+ FIPS_NSSDB_PATH_PROP); -+ if (System.getSecurityManager() != null) { -+ AccessController.doPrivileged( -+ (PrivilegedAction) () -> { -+ System.setProperty( -+ FIPS_NSSDB_PATH_PROP, -+ nssdbPath); -+ return null; -+ }); -+ } else { -+ System.setProperty( -+ FIPS_NSSDB_PATH_PROP, nssdbPath); -+ } -+ } - return new SunPKCS11(new Config(newConfigName)); - } - }); -@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ MethodHandle fipsKeyExporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ fipsKeyExporter = MethodHandles.insertArguments( -+ fipsExportKey, 0, this); -+ } - try { -- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, -- config.getOmitInitialize()); -+ tmpPKCS11 = PKCS11.getInstance( -+ library, functionList, initArgs, -+ config.getOmitInitialize(), fipsKeyImporter, -+ fipsKeyExporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { - } else { - initArgs.flags = 0; - } -- tmpPKCS11 = 
PKCS11.getInstance(library, functionList, initArgs, -- config.getOmitInitialize()); -+ tmpPKCS11 = PKCS11.getInstance(library, -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, -+ fipsKeyExporter); - } - p11 = tmpPKCS11; - -@@ -1388,11 +1460,52 @@ public final class SunPKCS11 extends AuthProvider { - } - - @Override -+ @SuppressWarnings("removal") - public Object newInstance(Object param) - throws NoSuchAlgorithmException { - if (!token.isValid()) { - throw new NoSuchAlgorithmException("Token has been removed"); - } -+ if (systemFipsEnabled && !token.fipsLoggedIn && -+ !getType().equals("KeyStore")) { -+ /* -+ * The NSS Software Token in FIPS 140-2 mode requires a -+ * user login for most operations. See sftk_fipsCheck -+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore -+ * service, let the caller perform the login with -+ * KeyStore::load. Keytool, for example, does this to pass a -+ * PIN from either the -srcstorepass or -deststorepass -+ * argument. In case of a non-KeyStore service, perform the -+ * login now with the PIN available in the fips.nssdb.pin -+ * property. 
-+ */ -+ try { -+ if (System.getSecurityManager() != null) { -+ try { -+ AccessController.doPrivileged( -+ (PrivilegedExceptionAction) () -> { -+ token.ensureLoggedIn(null); -+ return null; -+ }); -+ } catch (PrivilegedActionException pae) { -+ Exception e = pae.getException(); -+ if (e instanceof LoginException le) { -+ throw le; -+ } else if (e instanceof PKCS11Exception p11e) { -+ throw p11e; -+ } else { -+ throw new RuntimeException(e); -+ } -+ } -+ } else { -+ token.ensureLoggedIn(null); -+ } -+ } catch (PKCS11Exception | LoginException e) { -+ throw new ProviderException("FIPS: error during the Token" + -+ " login required for the " + getType() + -+ " service.", e); -+ } -+ } - try { - return newInstance0(param); - } catch (PKCS11Exception e) { -@@ -1749,6 +1862,9 @@ public final class SunPKCS11 extends AuthProvider { - try { - session = token.getOpSession(); - p11.C_Logout(session.id()); -+ if (systemFipsEnabled) { -+ token.fipsLoggedIn = false; -+ } - if (debug != null) { - debug.println("logout succeeded"); - } -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -index a6f5f0a8764..9a07c96ca4e 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -@@ -33,6 +33,7 @@ import java.lang.ref.*; - import java.security.*; - import javax.security.auth.login.LoginException; - -+import jdk.internal.access.SharedSecrets; - import sun.security.jca.JCAUtil; - - import sun.security.pkcs11.wrapper.*; -@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; - */ - final class Token implements Serializable { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ - // need to be serializable to allow SecureRandom to be serialized - @Serial - private static final 
long serialVersionUID = 2541527649100571747L; -@@ -125,6 +129,10 @@ final class Token implements Serializable { - // flag indicating whether we are logged in - private volatile boolean loggedIn; - -+ // Flag indicating the login status for the NSS Software Token in FIPS mode. -+ // This Token is never asynchronously removed. Used from SunPKCS11. -+ volatile boolean fipsLoggedIn; -+ - // time we last checked login status - private long lastLoginCheck; - -@@ -242,7 +250,12 @@ final class Token implements Serializable { - // call provider.login() if not - void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { - if (!isLoggedIn(session)) { -- provider.login(null, null); -+ if (systemFipsEnabled) { -+ provider.login(null, new FIPSTokenLoginHandler()); -+ fipsLoggedIn = true; -+ } else { -+ provider.login(null, null); -+ } - } - } - -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 0fd13fd6fa6..3c959c942a1 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.AccessController; -@@ -174,18 +177,43 @@ public class PKCS11 { - return version; - } - -+ /* -+ * Compatibility wrapper to allow this method to work as before -+ * when FIPS mode support is not active. 
-+ */ -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { -+ return getInstance(pkcs11ModulePath, functionList, -+ pInitArgs, omitInitialize, null, null); -+ } -+ - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter, -+ MethodHandle fipsKeyExporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null && -+ fipsKeyExporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter, fipsKeyExporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter, fipsKeyExporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -2012,4 +2040,194 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. 
-+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ private MethodHandle fipsKeyExporter; -+ private MethodHandle hC_GetAttributeValue; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ this.fipsKeyExporter = fipsKeyExporter; -+ try { -+ hC_GetAttributeValue = MethodHandles.insertArguments( -+ MethodHandles.lookup().findSpecial(PKCS11.class, -+ "C_GetAttributeValue", MethodType.methodType( -+ void.class, long.class, long.class, -+ CK_ATTRIBUTE[].class), -+ FIPSPKCS11.class), 0, this); -+ } catch (Throwable t) { -+ throw new RuntimeException( -+ "sun.security.pkcs11.wrapper.PKCS11" + -+ "::C_GetAttributeValue method not found.", t); -+ } -+ } -+ -+ public long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+ -+ public void C_GetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, -+ fipsKeyExporter, hSession, hObject, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. 
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ private MethodHandle fipsKeyExporter; -+ private MethodHandle hC_GetAttributeValue; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ this.fipsKeyExporter = fipsKeyExporter; -+ try { -+ hC_GetAttributeValue = MethodHandles.insertArguments( -+ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, -+ "C_GetAttributeValue", MethodType.methodType( -+ void.class, long.class, long.class, -+ CK_ATTRIBUTE[].class), -+ SynchronizedFIPSPKCS11.class), 0, this); -+ } catch (Throwable t) { -+ throw new RuntimeException( -+ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + -+ "::C_GetAttributeValue method not found.", t); -+ } -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. 
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+ -+ public synchronized void C_GetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, -+ fipsKeyExporter, hSession, hObject, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, -+ MethodHandle fipsKeyExporter, long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ Map sensitiveAttrs = new HashMap<>(); -+ List nonSensitiveAttrs = new LinkedList<>(); -+ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, -+ sensitiveAttrs, nonSensitiveAttrs); -+ try { -+ if (sensitiveAttrs.size() > 0) { -+ long keyClass = -1L; -+ long keyType = -1L; -+ try { -+ // Secret and private keys have both class and type -+ // attributes, so we can query them at once. -+ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ -+ new CK_ATTRIBUTE(CKA_CLASS), -+ new CK_ATTRIBUTE(CKA_KEY_TYPE), -+ }; -+ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); -+ keyClass = queryAttrs[0].getLong(); -+ keyType = queryAttrs[1].getLong(); -+ } catch (PKCS11Exception e) { -+ // If the query fails, the object is neither a secret nor a -+ // private key. 
As this case won't be handled with the FIPS -+ // Key Exporter, we keep keyClass initialized to -1L. -+ } -+ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { -+ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, -+ sensitiveAttrs); -+ if (nonSensitiveAttrs.size() > 0) { -+ CK_ATTRIBUTE[] pNonSensitiveAttrs = -+ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; -+ int i = 0; -+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { -+ pNonSensitiveAttrs[i++] = nonSensAttr; -+ } -+ hC_GetAttributeValue.invoke(hSession, hObject, -+ pNonSensitiveAttrs); -+ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we -+ // update the reference on the previous CK_ATTRIBUTEs -+ i = 0; -+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { -+ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; -+ } -+ } -+ return; -+ } -+ } -+ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } -+ } -+ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, -+ Map sensitiveAttrs, -+ List nonSensitiveAttrs) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ long type = attr.type; -+ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c -+ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || -+ type == CKA_PRIME_1 || type == CKA_PRIME_2 || -+ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || -+ type == CKA_COEFFICIENT) { -+ sensitiveAttrs.put(type, attr); -+ } else { -+ nonSensitiveAttrs.add(attr); -+ } -+ } -+ } -+} - } -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -index 920422376f8..6aa308fa5f8 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -+++ 
b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { - return res; - } - -+ /** -+ * Constructor taking the error code from the RV enum and -+ * extra info for error message. -+ */ -+ public PKCS11Exception(RV errorEnum, String extraInfo) { -+ this(errorEnum.value, extraInfo); -+ } -+ - /** - * Constructor taking the error code (the CKR_* constants in PKCS#11) and - * extra info for error message. -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 7f8c4dba002..e65b11fc3ee 100644 ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -34,6 +34,7 @@ import java.security.ProviderException; - import java.util.HashMap; - import java.util.List; - -+import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAKeyFactory; - import sun.security.ec.ed.EdDSAKeyPairGenerator; - import sun.security.ec.ed.EdDSASignature; -@@ -50,6 +51,10 @@ public final class SunEC extends Provider { - - private static final long serialVersionUID = -2279741672933606418L; - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - private static class ProviderServiceA extends ProviderService { - ProviderServiceA(Provider p, String type, String algo, String cn, - HashMap attrs) { -@@ -240,83 +245,85 @@ public final class SunEC extends Provider { - putXDHEntries(); - putEdDSAEntries(); - -- /* -- * Signature engines -- */ -- putService(new ProviderService(this, "Signature", -- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -- null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- 
"SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "NONEwithECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$RawinP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA1withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA384withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -- -- putService(new ProviderService(this, "Signature", -- "SHA3-224withECDSAinP1363Format", -- 
"sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-384withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -- -- /* -- * Key Pair Generator engine -- */ -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); -- -- /* -- * Key Agreement engine -- */ -- putService(new ProviderService(this, "KeyAgreement", -- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ if (!systemFipsEnabled) { -+ /* -+ * Signature engines -+ */ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -+ null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ 
"SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$RawinP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA1withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA512withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -+ -+ putService(new ProviderService(this, "Signature", -+ "SHA3-224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-512withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -+ -+ /* -+ * Key Pair Generator engine -+ */ -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); -+ -+ /* -+ * Key Agreement engine -+ */ -+ putService(new ProviderService(this, "KeyAgreement", -+ "ECDH", "sun.security.ec.ECDHKeyAgreement", 
null, ATTRS)); -+ } - } - - private void putXDHEntries() { -@@ -333,23 +340,25 @@ public final class SunEC extends Provider { - "X448", "sun.security.ec.XDHKeyFactory.X448", - ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -- ATTRS)); -- -- putService(new ProviderService(this, "KeyAgreement", -- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X448", "sun.security.ec.XDHKeyAgreement.X448", -- ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "KeyAgreement", -+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyAgreement", -+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyAgreement", -+ "X448", "sun.security.ec.XDHKeyAgreement.X448", -+ ATTRS)); -+ } - } - - private void putEdDSAEntries() { -@@ -364,21 +373,23 @@ public final class SunEC extends Provider { - putService(new ProviderServiceA(this, "KeyFactory", - "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); - -- putService(new ProviderService(this, 
"KeyPairGenerator", -- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ } - - } - } -diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java -new file mode 100644 -index 00000000000..ce01c655eb8 ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java -@@ -0,0 +1,349 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
-+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+import java.lang.reflect.Method; -+import java.nio.charset.StandardCharsets; -+import java.nio.file.Files; -+import java.nio.file.Path; -+import java.security.KeyStore; -+import java.security.Provider; -+import java.security.Security; -+import java.util.Arrays; -+import java.util.function.Consumer; -+import java.util.List; -+import javax.crypto.Cipher; -+import javax.crypto.spec.SecretKeySpec; -+ -+import jdk.test.lib.process.Proc; -+import jdk.test.lib.util.FileUtils; -+ -+/* -+ * @test -+ * @bug 9999999 -+ * @summary -+ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used -+ * for a successful login into an NSS DB. Some additional unitary testing -+ * is then performed. This test depends on NSS modutil and must be run in -+ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). 
-+ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open -+ * @library /test/lib -+ * @requires (jdk.version.major >= 8) -+ * @run main/othervm/timeout=600 NssdbPin -+ * @author Martin Balao (mbalao@redhat.com) -+ */ -+ -+public final class NssdbPin { -+ -+ // Public properties and names -+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; -+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; -+ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; -+ private static final String NSSDB_TOKEN_NAME = -+ "NSS FIPS 140-2 Certificate DB"; -+ -+ // Data to be tested -+ private static final String[] PINS_TO_TEST = -+ new String[] { -+ "", -+ "1234567890abcdef1234567890ABCDEF\uA4F7" -+ }; -+ private static enum PropType { SYSTEM, SECURITY } -+ private static enum LoginType { IMPLICIT, EXPLICIT } -+ -+ // Internal test fields -+ private static final boolean DEBUG = true; -+ private static class TestContext { -+ String pin; -+ PropType propType; -+ Path workspace; -+ String nssdbPath; -+ Path nssdbPinFile; -+ LoginType loginType; -+ TestContext(String pin, Path workspace) { -+ this.pin = pin; -+ this.workspace = workspace; -+ this.nssdbPath = "sql:" + workspace; -+ this.loginType = LoginType.IMPLICIT; -+ } -+ } -+ -+ public static void main(String[] args) throws Throwable { -+ if (args.length == 3) { -+ // Executed by a child process. -+ mainChild(args[0], args[1], LoginType.valueOf(args[2])); -+ } else if (args.length == 0) { -+ // Executed by the parent process. 
-+ mainLauncher(); -+ // Test defaults -+ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); -+ System.out.println("TEST PASS - OK"); -+ } else { -+ throw new Exception("Unexpected number of arguments."); -+ } -+ } -+ -+ private static void mainChild(String expectedPath, String expectedPin, -+ LoginType loginType) throws Throwable { -+ if (DEBUG) { -+ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, -+ FIPS_NSSDB_PIN_PROP)) { -+ System.out.println(prop + " (System): " + -+ System.getProperty(prop)); -+ System.out.println(prop + " (Security): " + -+ Security.getProperty(prop)); -+ } -+ } -+ -+ /* -+ * Functional cross-test against an NSS DB generated by modutil -+ * with the same PIN. Check that we can perform a crypto operation -+ * that requires a login. The login might be explicit or implicit. -+ */ -+ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); -+ if (DEBUG) { -+ System.out.println(FIPS_PROVIDER_NAME + ": " + p); -+ } -+ if (p == null) { -+ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); -+ } -+ if (DEBUG) { -+ System.out.println("Login type: " + loginType); -+ } -+ if (loginType == LoginType.EXPLICIT) { -+ // Do the expansion to account for truncation, so C_Login in -+ // the NSS Software Token gets a UTF-8 encoded PIN. 
-+ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); -+ char[] pinChar = new char[pinUtf8.length]; -+ for (int i = 0; i < pinChar.length; i++) { -+ pinChar[i] = (char)(pinUtf8[i] & 0xFF); -+ } -+ KeyStore.getInstance("PKCS11", p).load(null, pinChar); -+ if (DEBUG) { -+ System.out.println("Explicit login succeeded."); -+ } -+ } -+ if (DEBUG) { -+ System.out.println("Trying a crypto operation..."); -+ } -+ final int blockSize = 16; -+ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); -+ cipher.init(Cipher.ENCRYPT_MODE, -+ new SecretKeySpec(new byte[blockSize], "AES")); -+ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { -+ throw new Exception("Could not perform a crypto operation."); -+ } -+ if (DEBUG) { -+ if (loginType == LoginType.IMPLICIT) { -+ System.out.println("Implicit login succeeded."); -+ } -+ System.out.println("Crypto operation after login succeeded."); -+ } -+ -+ if (loginType == LoginType.IMPLICIT) { -+ /* -+ * Additional unitary testing. Expected to succeed at this point. 
-+ */ -+ if (DEBUG) { -+ System.out.println("Trying unitary test..."); -+ } -+ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); -+ if (DEBUG) { -+ System.out.println("Path value (as a System property): " + -+ sysPathProp); -+ } -+ if (!expectedPath.equals(sysPathProp)) { -+ throw new Exception("Path is different than expected: " + -+ sysPathProp + " (actual) vs " + expectedPath + -+ " (expected)."); -+ } -+ Class c = Class -+ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); -+ Method m = c.getDeclaredMethod("getFipsNssdbPin"); -+ m.setAccessible(true); -+ String pin = null; -+ char[] pinChar = (char[]) m.invoke(c); -+ if (pinChar != null) { -+ byte[] pinUtf8 = new byte[pinChar.length]; -+ for (int i = 0; i < pinUtf8.length; i++) { -+ pinUtf8[i] = (byte) pinChar[i]; -+ } -+ pin = new String(pinUtf8, StandardCharsets.UTF_8); -+ } -+ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || -+ expectedPin.isEmpty() && pin != null) { -+ throw new Exception("PIN is different than expected: '" + pin + -+ "' (actual) vs '" + expectedPin + "' (expected)."); -+ } -+ if (DEBUG) { -+ System.out.println("PIN value: " + pin); -+ System.out.println("Unitary test succeeded."); -+ } -+ } -+ } -+ -+ private static void mainLauncher() throws Throwable { -+ for (String pin : PINS_TO_TEST) { -+ Path workspace = Files.createTempDirectory(null); -+ try { -+ TestContext ctx = new TestContext(pin, workspace); -+ createNSSDB(ctx); -+ { -+ ctx.loginType = LoginType.IMPLICIT; -+ for (PropType propType : PropType.values()) { -+ ctx.propType = propType; -+ pinLauncher(ctx); -+ envLauncher(ctx); -+ fileLauncher(ctx); -+ } -+ } -+ explicitLoginLauncher(ctx); -+ } finally { -+ FileUtils.deleteFileTreeWithRetry(workspace); -+ } -+ } -+ } -+ -+ private static void pinLauncher(TestContext ctx) throws Throwable { -+ launchTest(p -> {}, "pin:" + ctx.pin, ctx); -+ } -+ -+ private static void envLauncher(TestContext ctx) throws Throwable { -+ final String NSSDB_PIN_ENV_VAR = 
"NSSDB_PIN_ENV_VAR"; -+ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), -+ "env:" + NSSDB_PIN_ENV_VAR, ctx); -+ } -+ -+ private static void fileLauncher(TestContext ctx) throws Throwable { -+ // The file containing the PIN (ctx.nssdbPinFile) was created by the -+ // generatePinFile method, called from createNSSDB. -+ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); -+ } -+ -+ private static void explicitLoginLauncher(TestContext ctx) -+ throws Throwable { -+ ctx.loginType = LoginType.EXPLICIT; -+ ctx.propType = PropType.SYSTEM; -+ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); -+ } -+ -+ private static void launchTest(Consumer procCb, String pinPropVal, -+ TestContext ctx) throws Throwable { -+ if (DEBUG) { -+ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + -+ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + -+ "=" + pinPropVal); -+ } -+ Proc p = Proc.create(NssdbPin.class.getName()) -+ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); -+ if (ctx.propType == PropType.SYSTEM) { -+ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); -+ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); -+ // Make sure that Security properties defaults are not used. -+ p.secprop(FIPS_NSSDB_PATH_PROP, ""); -+ p.secprop(FIPS_NSSDB_PIN_PROP, ""); -+ } else if (ctx.propType == PropType.SECURITY) { -+ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); -+ pinPropVal = escapeForPropsFile(pinPropVal); -+ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); -+ } else { -+ throw new Exception("Unsupported property type."); -+ } -+ if (DEBUG) { -+ p.inheritIO(); -+ p.prop("java.security.debug", "sunpkcs11"); -+ p.debug(NssdbPin.class.getName()); -+ -+ // Need the launched process to connect to a debugger? 
-+ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + -+ // "transport=dt_socket,address=localhost:8000,suspend=y"); -+ } else { -+ p.nodump(); -+ } -+ procCb.accept(p); -+ p.start().waitFor(0); -+ } -+ -+ private static String escapeForPropsFile(String str) throws Throwable { -+ StringBuffer sb = new StringBuffer(); -+ for (int i = 0; i < str.length(); i++) { -+ int cp = str.codePointAt(i); -+ if (Character.UnicodeBlock.of(cp) -+ == Character.UnicodeBlock.BASIC_LATIN) { -+ sb.append(Character.toChars(cp)); -+ } else { -+ sb.append("\\u").append(String.format("%04X", cp)); -+ } -+ } -+ return sb.toString(); -+ } -+ -+ private static void createNSSDB(TestContext ctx) throws Throwable { -+ ProcessBuilder pb = getModutilPB(ctx, "-create"); -+ if (DEBUG) { -+ System.out.println("Creating an NSS DB in " + ctx.workspace + -+ "..."); -+ System.out.println("cmd: " + String.join(" ", pb.command())); -+ } -+ if (pb.start().waitFor() != 0) { -+ throw new Exception("NSS DB creation failed."); -+ } -+ generatePinFile(ctx); -+ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, -+ "-newpwfile", ctx.nssdbPinFile.toString()); -+ if (DEBUG) { -+ System.out.println("NSS DB created."); -+ System.out.println("Changing NSS DB PIN..."); -+ System.out.println("cmd: " + String.join(" ", pb.command())); -+ } -+ if (pb.start().waitFor() != 0) { -+ throw new Exception("NSS DB PIN change failed."); -+ } -+ if (DEBUG) { -+ System.out.println("NSS DB PIN changed."); -+ } -+ } -+ -+ private static ProcessBuilder getModutilPB(TestContext ctx, String... 
args) -+ throws Throwable { -+ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); -+ List pbCommand = pb.command(); -+ if (args != null) { -+ pbCommand.addAll(Arrays.asList(args)); -+ } -+ pbCommand.add("-dbdir"); -+ pbCommand.add(ctx.nssdbPath); -+ if (DEBUG) { -+ pb.inheritIO(); -+ } else { -+ pb.redirectError(ProcessBuilder.Redirect.INHERIT); -+ } -+ return pb; -+ } -+ -+ private static void generatePinFile(TestContext ctx) throws Throwable { -+ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); -+ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + -+ "2nd line with garbage"); -+ } -+} -diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java -new file mode 100644 -index 00000000000..87f1ad04505 ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java -@@ -0,0 +1,77 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+import java.security.Provider; -+import java.security.Security; -+ -+/* -+ * @test -+ * @bug 9999999 -+ * @requires (jdk.version.major >= 8) -+ * @run main/othervm/timeout=30 VerifyMissingAttributes -+ * @author Martin Balao (mbalao@redhat.com) -+ */ -+ -+public final class VerifyMissingAttributes { -+ -+ private static final String[] svcAlgImplementedIn = { -+ "AlgorithmParameterGenerator.DSA", -+ "AlgorithmParameters.DSA", -+ "CertificateFactory.X.509", -+ "KeyStore.JKS", -+ "KeyStore.CaseExactJKS", -+ "KeyStore.DKS", -+ "CertStore.Collection", -+ "CertStore.com.sun.security.IndexedCollection" -+ }; -+ -+ public static void main(String[] args) throws Throwable { -+ Provider sunProvider = Security.getProvider("SUN"); -+ for (String svcAlg : svcAlgImplementedIn) { -+ String filter = svcAlg + " ImplementedIn:Software"; -+ doQuery(sunProvider, filter); -+ } -+ if (Double.parseDouble( -+ System.getProperty("java.specification.version")) >= 17) { -+ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"; -+ doQuery(Security.getProvider("SunRsaSign"), filter); -+ } -+ System.out.println("TEST PASS - OK"); -+ } -+ -+ private static void doQuery(Provider expectedProvider, String filter) -+ throws Exception { -+ if (expectedProvider == null) { -+ throw new Exception("Provider not found."); -+ } -+ Provider[] providers = Security.getProviders(filter); -+ if (providers == null || providers.length != 1 || -+ providers[0] != expectedProvider) { -+ throw new Exception("Failure retrieving the provider with this" + -+ " query: " + filter); -+ } -+ } -+} diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index 6458c72..71d04e0 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec 
@@ -310,10 +310,10 @@
 %endif
 # New Version-String scheme-style defines
-%global featurever 21
+%global featurever 22
 %global fakefeaturever 25
 %global interimver 0
-%global updatever 8
+%global updatever 2
 %global patchver 0
 # We don't add any LTS designator for STS packages (Fedora and EPEL).
 # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
@@ -374,7 +374,7 @@
 %global buildver 9
 %global rpmrelease 1
 # Settings used by the portable build
-%global portablerelease 1
+%global portablerelease 2
 # Portable suffix differs between RHEL and CentOS
 %if 0%{?centos} == 0
 %global portablesuffix %{?pkgos:el7_9}%{!?pkgos:el8}
@@ -1296,7 +1296,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
 ############################################
 # Crypto policy and FIPS support patches
-# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
+# Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
 # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
@@ -1331,7 +1331,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
 # RH1940064: Enable XML Signature provider in FIPS mode
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
-Patch1001: fips-%{featurever}u-%{fipsver}.patch
+# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #############################################
 #
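Review bot: In the hunk at line 1296 the rewritten comment now names the fips-25u tree, but the unchanged next line of the recipe still writes the output to `fips-21u-$(git show -s --format=%h HEAD).patch`, so the two lines disagree about which branch the patch comes from. `Patch1001` is built as `fips-%{featurever}u-%{fipsver}.patch` and `featurever` is now 22, so neither name is the file the spec would look for if the patch were re-enabled unchanged. I would update the recipe line to `# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch` and say in the same comment that the `Patch1001` file name has to change with it. The comment block continues outside the hunk.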
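Review bot: With `Patch1001` commented out in the hunk at line 1331, and its `%patch -P1001 -p1` application commented out in the hunk at line 1824, this build contains none of the FIPS-mode and crypto-policy fixes that the comment block above still lists under "Fixes currently included", so the spec text now overstates what the package ships. The rest of the spec is not visible in these hunks; any remaining `%{fipsver}` definition or FIPS configuration that assumes the patch is applied should be checked too. I would state the situation in the comment itself, e.g. `# FIPS patch NOT applied in this build (no fips-25u patch yet); the fixes listed above are not included`, so the gap is not mistaken for an oversight when the 25 patch is added.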
@@ -1824,7 +1824,8 @@ sh %{SOURCE12} %{top_level_dir_name}
 # rpmbuild.
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
-%patch -P1001 -p1
+# Disabled until 25
+#%patch -P1001 -p1
 popd # openjdk
 # The OpenJDK version file includes the current
@@ -2473,6 +2474,12 @@ exit 0
 %endif
 %changelog
+* Tue Sep 23 2025 Andrew Hughes - 1:22.0.2.0.9-1
+- Update to jdk-22.0.2+9 (GA)
+- Update release notes with features of JDK 22
+- Remove 21u FIPS patch and disable use until we are ready for the 25 version
+- Related: RHEL-100678
+
 * Mon Aug 25 2025 Andrew Hughes - 1:21.0.8.0.9-1
 - Create java-25-openjdk package based on java-21-openjdk
 - Introduce fakefeaturever to pretend we are java-25-openjdk ahead of time
diff --git a/sources b/sources
index e87b73d..f6f9bc9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-21.0.8+9.tar.xz) = 81be6d151fdca910fbee9ea1a93b20af037d2dbafeb12fa368a6091096a22dcf997cf419bebe0261f016ce0fe1e74acd4fca54ca0840a3d69ad76ae7a1336e4c
+SHA512 (openjdk-22.0.2+9.tar.xz) = 960746381f56cb516a2298f75dbf877554b59e73752dc29b040b8629b153174d2ea2f612d3479b511aaac293e4d336c798a58fd1ba4d2b9d5933899f64d04313
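Review bot: The disabled line `#%patch -P1001 -p1` in the hunk at line 1824 leaves an unescaped `%` directive inside a comment; rpm expands macros on `#` lines as well, and this spec already escapes them elsewhere (`%%{vcstag}`, `%%{rhel}`). Whether `%patch` is expanded there depends on the rpm version, so I would write `#%%patch -P1001 -p1` to keep the line inert on every builder. The same convention would apply to `%{featurever}` and `%{fipsver}` in the `# Disabled until 25: Patch1001: ...` comment in the hunk at line 1331, although those expand without side effects.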