diff --git a/.gitignore b/.gitignore index e69de29..a26ed1b 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,40 @@ +/openjdk-jdk17u-jdk-17.0.7+7.tar.xz +/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz +/openjdk-jdk18u-jdk-18.0.1+0.tar.xz +/openjdk-jdk18u-jdk-18.0.1+10.tar.xz +/openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz +/openjdk-jdk18u-jdk-18.0.2+9.tar.xz +/openjdk-jdk19u-jdk-19+36.tar.xz +/openjdk-jdk19u-jdk-19.0.1+10.tar.xz +/openjdk-jdk19u-jdk-19.0.2+7.tar.xz +/openjdk-jdk20u-jdk-20+36.tar.xz +/openjdk-jdk20u-jdk-20.0.1+9.tar.xz +/openjdk-jdk20u-jdk-20.0.2+9.tar.xz +/openjdk-jdk21u-jdk-21+35.tar.xz +/openjdk-21.0.1+12.tar.xz +/openjdk-21.0.2+11.tar.xz +/openjdk-21.0.2+12.tar.xz +/openjdk-21.0.2+13.tar.xz +/openjdk-21.0.3+1-ea.tar.xz +/openjdk-21.0.3+7-ea.tar.xz +/openjdk-21.0.3+9.tar.xz +/openjdk-21.0.4+1-ea.tar.xz +/openjdk-21.0.4+5-ea.tar.xz +/openjdk-21.0.4+7.tar.xz +/openjdk-21.0.5+1-ea.tar.xz +/openjdk-21.0.5+5-ea.tar.xz +/openjdk-21.0.5+9-ea.tar.xz +/openjdk-21.0.5+10.tar.xz +/openjdk-21.0.5+11.tar.xz +/openjdk-21.0.6+6-ea.tar.xz +/openjdk-21.0.6+7.tar.xz +/openjdk-21.0.7+1-ea.tar.xz +/openjdk-21.0.7+2-ea.tar.xz +/openjdk-21.0.7+3-ea.tar.xz +/openjdk-21.0.7+4-ea.tar.xz +/openjdk-21.0.7+5-ea.tar.xz +/openjdk-21.0.7+6.tar.xz +/openjdk-21.0.8+1-ea.tar.xz +/openjdk-21.0.8+2-ea.tar.xz +/openjdk-21.0.8+8-ea.tar.xz +/openjdk-21.0.8+9.tar.xz diff --git a/0001-Allow-devkit-to-work-with-RHEL.patch b/0001-Allow-devkit-to-work-with-RHEL.patch new file mode 100644 index 0000000..2f65815 --- /dev/null +++ b/0001-Allow-devkit-to-work-with-RHEL.patch @@ -0,0 +1,54 @@ +From 7733d625ebdea5a6f323a0c5944fb8ab728d1b2b Mon Sep 17 00:00:00 2001 +From: Andrew Hughes +Date: Sat, 25 Nov 2023 17:29:36 +0000 +Subject: [PATCH] Allow devkit to work with RHEL + +--- + make/devkit/Makefile | 2 +- + make/devkit/Tools.gmk | 10 +++++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/make/devkit/Makefile b/make/devkit/Makefile +index c85a7c21d29..8f69d23c325 100644 +--- a/make/devkit/Makefile ++++ b/make/devkit/Makefile +@@ -58,7 +58,7 @@ + COMMA := , + + os := $(shell uname -o) +-cpu := $(shell uname -p) ++cpu := $(shell uname -m) + + # Figure out what platform this is building on. + me := $(cpu)-$(if $(findstring Linux,$(os)),linux-gnu) +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 187320ca26e..001f4b1870c 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -62,6 +62,14 @@ ifeq ($(BASE_OS), OL) + BASE_URL := http://yum.oracle.com/repo/OracleLinux/OL6/4/base/$(ARCH)/ + LINUX_VERSION := OL6.4 + endif ++else ifeq ($(BASE_OS), RHEL) ++ ifeq ($(ARCH), aarch64) ++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-ALT-7/compose/Server/$(ARCH)/os/Packages/ ++ LINUX_VERSION := RHEL7.6 ++ else ++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-7/compose/Server/$(ARCH)/os/Packages/ ++ LINUX_VERSION := RHEL7.9 ++ endif + else ifeq ($(BASE_OS), Fedora) + ifeq ($(ARCH), riscv64) + DEFAULT_OS_VERSION := rawhide/68692 +@@ -246,7 +254,7 @@ download-rpms: + # Only run this if rpm dir is empty. + ifeq ($(wildcard $(DOWNLOAD_RPMS)/*.rpm), ) + cd $(DOWNLOAD_RPMS) && \ +- wget -r -np -nd $(patsubst %, -A "*%*.rpm", $(RPM_LIST)) $(BASE_URL) ++ wget -r -e robots=off -np -nd $(patsubst %, -A "*%*.rpm", $(RPM_LIST)) $(BASE_URL) + endif + + ########################################################################################## +-- +2.45.2 + diff --git a/0002-Disable-multilib-on-x86_64.patch b/0002-Disable-multilib-on-x86_64.patch new file mode 100644 index 0000000..0459b06 --- /dev/null +++ b/0002-Disable-multilib-on-x86_64.patch @@ -0,0 +1,50 @@ +From e55afc691c0105623e04a6e76369cf1438afb874 Mon Sep 17 00:00:00 2001 +From: Andrew Hughes +Date: Fri, 8 Dec 2023 21:22:02 +0000 +Subject: [PATCH] Disable multilib on x86_64 + +--- + make/devkit/Tools.gmk | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 001f4b1870c..9ede781413d 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -225,13 +225,7 @@ RPM_LIST := \ + ########################################################################################## + # Define common directories and files + +-# Ensure we have 32-bit libs also for x64. We enable mixed-mode. +-ifeq (x86_64,$(ARCH)) +- LIBDIRS := lib64 lib +- CFLAGS_lib := -m32 +-else +- LIBDIRS := lib +-endif ++LIBDIRS := lib + + # Define directories + BUILDDIR := $(OUTPUT_ROOT)/$(HOST)/$(TARGET) +@@ -289,8 +283,7 @@ $(foreach p,GCC BINUTILS CCACHE MPFR GMP MPC GDB,$(eval $(call Download,$(p)))) + + RPM_ARCHS := $(ARCH) noarch + ifeq ($(ARCH),x86_64) +- # Enable mixed mode. +- RPM_ARCHS += i386 i686 ++ RPM_ARCHS += i686 + else ifeq ($(ARCH),i686) + RPM_ARCHS += i386 + else ifeq ($(ARCH), armhfp) +@@ -526,7 +519,7 @@ ifeq ($(ARCH), armhfp) + $(BUILDDIR)/$(gcc_ver)/Makefile : CONFIG += --with-float=hard + endif + +-ifneq ($(filter riscv64 ppc64 ppc64le s390x, $(ARCH)), ) ++ifneq ($(filter riscv64 ppc64 ppc64le s390x x86_64, $(ARCH)), ) + # We only support 64-bit on these platforms anyway + CONFIG += --disable-multilib + endif +-- +2.45.2 + diff --git a/0003-Log-devkit-build-to-stdout.patch b/0003-Log-devkit-build-to-stdout.patch new file mode 100644 index 0000000..a508301 --- /dev/null +++ b/0003-Log-devkit-build-to-stdout.patch @@ -0,0 +1,92 @@ +From fbc27183b35df7778cf106450b144474f8e2a35c Mon Sep 17 00:00:00 2001 +From: Andrew Hughes +Date: Wed, 30 Oct 2024 00:42:06 +0000 +Subject: [PATCH] Log devkit build to stdout + +Resolves: OPENJDK-3071 +--- + make/devkit/Tools.gmk | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 9ede781413d..b6f895f5a25 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -458,7 +458,7 @@ $(BUILDDIR)/$(binutils_ver)/Makefile \ + --enable-multilib \ + --enable-threads \ + --enable-plugins \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + $(BUILDDIR)/$(mpfr_ver)/Makefile \ +@@ -473,7 +473,7 @@ $(BUILDDIR)/$(mpfr_ver)/Makefile \ + --program-prefix=$(TARGET)- \ + --enable-shared=no \ + --with-gmp=$(PREFIX) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + $(BUILDDIR)/$(gmp_ver)/Makefile \ +@@ -490,7 +490,7 @@ $(BUILDDIR)/$(gmp_ver)/Makefile \ + --program-prefix=$(TARGET)- \ + --enable-shared=no \ + --with-mpfr=$(PREFIX) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + $(BUILDDIR)/$(mpc_ver)/Makefile \ +@@ -506,7 +506,7 @@ $(BUILDDIR)/$(mpc_ver)/Makefile \ + --enable-shared=no \ + --with-mpfr=$(PREFIX) \ + --with-gmp=$(PREFIX) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + # Only valid if glibc target -> linux +@@ -549,7 +549,7 @@ $(BUILDDIR)/$(gcc_ver)/Makefile \ + --with-mpfr=$(PREFIX) \ + --with-gmp=$(PREFIX) \ + --with-mpc=$(PREFIX) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + # need binutils for gcc +@@ -571,7 +571,7 @@ ifeq ($(HOST), $(TARGET)) + $(PATHPRE) $(ENVS) CFLAGS="$(CFLAGS)" $(GDB_CFG) \ + $(CONFIG) \ + --with-sysroot=$(SYSROOT) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + $(gdb): $(gcc) +@@ -593,7 +593,7 @@ $(BUILDDIR)/$(ccache_ver)/Makefile \ + cd $(@D) ; \ + $(PATHPRE) $(ENVS) $(CCACHE_CFG) \ + $(CONFIG) \ +- ) > $(@D)/log.config 2>&1 ++ ) 2>&1 | tee $(@D)/log.config + @echo 'done' + + gccpatch = $(TARGETDIR)/gcc-patched +@@ -641,9 +641,9 @@ endif + # Always need to build cross tools for build host self. + $(TARGETDIR)/%.done : $(BUILDDIR)/%/Makefile + $(info Building $(basename $@). Log in $( $(&1 ++ $(PATHPRE) $(ENVS) $(MAKE) $(BUILDPAR) -f $< -C $(&1 | tee $( $(&1 ++ $(PATHPRE) $(MAKE) $(INSTALLPAR) -f $< -C $(&1 | tee $( +Date: Wed, 20 Mar 2024 13:01:47 -0400 +Subject: [PATCH] devkit: Remove .comment sections from sysroot objects + +Otherwise the comment sections of C runtime objects, including those +in static libraries like libc_nonshared.a, contribute RPM package +version strings to the .comment section in devkit-produced binaries +and libraries. These RPM package strings change frequently, even +across minor toolchain updates. Their presence interferes when +comparing binaries built with devkits that use different sysroot RPM +package sets. +--- + make/devkit/Tools.gmk | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index b6f895f5a25..37ea1a6a287 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -324,6 +324,9 @@ $(foreach p,$(RPM_FILE_LIST),$(eval $(call unrpm,$(p)))) + # have it anyway, but just to make sure... + # Patch libc.so and libpthread.so to force linking against libraries in sysroot + # and not the ones installed on the build machine. ++# Remove comment sections from static libraries and C runtime objects ++# to prevent leaking RHEL-specific package versions into ++# devkit-produced binaries. + $(libs) : $(rpms) + @echo Patching libc and pthreads + @(for f in `find $(SYSROOT) -name libc.so -o -name libpthread.so`; do \ +@@ -333,6 +336,7 @@ $(libs) : $(rpms) + -e 's|/lib/||g' ) > $$f.tmp ; \ + mv $$f.tmp $$f ; \ + done) ++ @find $(SYSROOT) -name '*.[ao]' -exec objcopy --remove-section .comment '{}' ';' + @mkdir -p $(SYSROOT)/usr/lib + @touch $@ + +-- +2.45.2 + diff --git a/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch b/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch new file mode 100644 index 0000000..005c8b6 --- /dev/null +++ b/0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch @@ -0,0 +1,35 @@ +From c370e1194c707f3f6c470e147ec497cc4e76957e Mon Sep 17 00:00:00 2001 +From: Thomas Fitzsimmons +Date: Fri, 22 Mar 2024 16:03:17 -0400 +Subject: [PATCH] Tools.gmk: Configure binutils with + --enable-deterministic-archives + +--- + make/devkit/Tools.gmk | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 37ea1a6a287..22c6007000b 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -445,6 +445,9 @@ endif + + # Makefile creation. Simply run configure in build dir. + # Setting CFLAGS to -O2 generates a much faster ld. ++# Use --enable-deterministic-archives so that make targets that ++# generate "ar" archives, such as "static-libs-image", produce ++# deterministic .a files. + $(bfdmakes) \ + $(BUILDDIR)/$(binutils_ver)/Makefile \ + : $(BINUTILS_CFG) +@@ -459,6 +462,7 @@ $(BUILDDIR)/$(binutils_ver)/Makefile \ + --with-sysroot=$(SYSROOT) \ + --disable-nls \ + --program-prefix=$(TARGET)- \ ++ --enable-deterministic-archives \ + --enable-multilib \ + --enable-threads \ + --enable-plugins \ +-- +2.45.2 + diff --git a/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch b/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch new file mode 100644 index 0000000..367c79c --- /dev/null +++ b/0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch @@ -0,0 +1,35 @@ +From 5958274571b957617d0572101a92217fd5b2f312 Mon Sep 17 00:00:00 2001 +From: Andrew Hughes +Date: Wed, 27 Nov 2024 17:04:19 +0000 +Subject: [PATCH] Tools.gmk: Add --enable-linker-build-id to gcc build + +This causes --build-id to be passed to the linker, and the +.note.gnu.build-id section is added (OPENJDK-3068) +--- + make/devkit/Tools.gmk | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 22c6007000b..57d48ec5114 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -539,6 +539,8 @@ endif + # skip native language. + # and link and assemble with the binutils we created + # earlier, so --with-gnu* ++# Add --enable-linker-build-id so the .note.gnu.build-id ++# section is added by the linker (OPENJDK-3068) + $(BUILDDIR)/$(gcc_ver)/Makefile \ + : $(GCC_CFG) + $(info Configuring $@. Log in $(@D)/log.config) +@@ -557,6 +559,7 @@ $(BUILDDIR)/$(gcc_ver)/Makefile \ + --with-mpfr=$(PREFIX) \ + --with-gmp=$(PREFIX) \ + --with-mpc=$(PREFIX) \ ++ --enable-linker-build-id \ + ) 2>&1 | tee $(@D)/log.config + @echo 'done' + +-- +2.45.2 + diff --git a/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch b/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch new file mode 100644 index 0000000..240dcad --- /dev/null +++ b/0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch @@ -0,0 +1,38 @@ +From 2617c050a909265444b32063b2d271eca42dcaa6 Mon Sep 17 00:00:00 2001 +From: Andrew Hughes +Date: Fri, 17 Jan 2025 21:11:01 +0000 +Subject: [PATCH] Tools.gmk: Exclude systemtap-sdt-devel on s390x & ppc64* + +There is no DTrace support on s390x (JDK-8305174) and ppc64 +(JDK-8304867) so we don't need the RPMs. They also cause issues with +static linkage of libstdc++.a on s390x. It fails with 'error: +relocation refers to local symbol "" [9], which is defined in a +discarded section'. + +Resolves: OPENJDK-3070 +--- + make/devkit/Tools.gmk | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 57d48ec5114..07928f69ceb 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -219,9 +219,13 @@ RPM_LIST := \ + zlib zlib-devel \ + libffi libffi-devel \ + fontconfig fontconfig-devel \ +- systemtap-sdt-devel \ + # + ++# Only include SystemTap on supported architectures ++ifeq ($(filter ppc64 ppc64le s390x, $(ARCH)), ) ++ RPM_LIST += systemtap-sdt-devel ++endif ++ + ########################################################################################## + # Define common directories and files + +-- +2.45.2 + diff --git a/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch b/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch new file mode 100644 index 0000000..28ba831 --- /dev/null +++ b/0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch @@ -0,0 +1,33 @@ +From 9766818f55726cea630b432f09cce8f9c17c014d Mon Sep 17 00:00:00 2001 +From: Andrew Hughes +Date: Fri, 17 Jan 2025 21:27:58 +0000 +Subject: [PATCH] Tools.gmk: Use update repository on RHEL rather than GA + +It looks like we were using 7.6 & 7.9 GA repositories rather than +the latest updates. + +Resolves: OPENJDK-3589 +--- + make/devkit/Tools.gmk | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk +index 07928f69ceb..5b39560ab11 100644 +--- a/make/devkit/Tools.gmk ++++ b/make/devkit/Tools.gmk +@@ -64,10 +64,10 @@ ifeq ($(BASE_OS), OL) + endif + else ifeq ($(BASE_OS), RHEL) + ifeq ($(ARCH), aarch64) +- BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-ALT-7/compose/Server/$(ARCH)/os/Packages/ ++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/updates/RHEL-ALT-7/latest-RHEL-ALT-7/compose/Server/$(ARCH)/os/Packages/ + LINUX_VERSION := RHEL7.6 + else +- BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/RHEL-7/latest-RHEL-7/compose/Server/$(ARCH)/os/Packages/ ++ BASE_URL := https://download.eng.brq.redhat.com/rhel-7/rel-eng/updates/RHEL-7/latest-RHEL-7/compose/Server/$(ARCH)/os/Packages/ + LINUX_VERSION := RHEL7.9 + endif + else ifeq ($(BASE_OS), Fedora) +-- +2.45.2 + diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/CheckVendor.java @@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..86b331e --- /dev/null +++ b/NEWS @@ -0,0 +1,3526 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 21.0.8 (2025-07-15): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2108 + +* CVEs + - CVE-2025-30749 + - CVE-2025-30754 + - CVE-2025-50059 + - CVE-2025-50106 +* Changes + - JDK-6956385: URLConnection.getLastModified() leaks file handles for jar:file and file: URLs + - JDK-8051591: Test javax/swing/JTabbedPane/8007563/Test8007563.java fails + - JDK-8136895: Writer not closed with disk full error, file resource leaked + - JDK-8180450: secondary_super_cache does not scale well + - JDK-8183348: Better cleanup for jdk/test/sun/security/pkcs12/P12SecretKey.java + - JDK-8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails + - JDK-8202100: Merge vm/share/InMemoryJavaCompiler w/ jdk/test/lib/compiler/InMemoryJavaCompiler + - JDK-8210471: GZIPInputStream constructor could leak an un-end()ed Inflater + - JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong value + - JDK-8220213: com/sun/jndi/dns/ConfigTests/Timeout.java failed intermittent + - JDK-8249831: Test sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java is marked with @ignore + - JDK-8253440: serviceability/sa/TestJhsdbJstackLineNumbers.java failed with "Didn't find enough line numbers" + - JDK-8256211: assert fired in java/net/httpclient/DependentPromiseActionsTest (infrequent) + - JDK-8258483: [TESTBUG] gtest CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is too small + - JDK-8267174: Many test files have the wrong Copyright header + - JDK-8270269: Desktop.browse method fails if earlier CoInitialize call as COINIT_MULTITHREADED + - JDK-8276995: Bug in jdk.jfr.event.gc.collection.TestSystemGC + - JDK-8279016: JFR Leak Profiler is broken with Shenandoah + - JDK-8280991: [XWayland] No displayChanged event after setDisplayMode call + - JDK-8281511: java/net/ipv6tests/UdpTest.java fails with checkTime failed + - JDK-8282726: java/net/vthread/BlockingSocketOps.java timeout/hang intermittently on Windows + - JDK-8286204: [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS + - JDK-8286789: Test forceEarlyReturn002.java timed out + - JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native + - JDK-8294155: Exception thrown before awaitAndCheck hangs PassFailJFrame + - JDK-8295804: javax/swing/JFileChooser/JFileChooserSetLocationTest.java failed with "setLocation() is not working properly" + - JDK-8297692: Avoid sending per-region GCPhaseParallel JFR events in G1ScanCollectionSetRegionClosure + - JDK-8303770: Remove Baltimore root certificate expiring in May 2025 + - JDK-8305010: Test vmTestbase/nsk/jvmti/scenarios/sampling/SP05/sp05t003/TestDescription.java timed out: thread not suspended + - JDK-8307318: Test serviceability/sa/ClhsdbCDSJstackPrintAll.java failed: ArrayIndexOutOfBoundsException + - JDK-8307824: Clean up Finalizable.java and finalize terminology in vmTestbase/nsk/share + - JDK-8308033: The jcmd thread dump related tests should test virtual threads + - JDK-8308966: Add intrinsic for float/double modulo for x86 AVX2 and AVX512 + - JDK-8309667: TLS handshake fails because of ConcurrentModificationException in PKCS12KeyStore.engineGetEntry + - JDK-8309841: Jarsigner should print a warning if an entry is removed + - JDK-8309978: [x64] Fix useless padding + - JDK-8310066: Improve test coverage for JVMTI GetThreadState on carrier and mounted vthread + - JDK-8310525: DynamicLauncher for JDP test needs to try harder to find a free port + - JDK-8310643: Misformatted copyright messages in FFM + - JDK-8312246: NPE when HSDB visits bad oop + - JDK-8312475: org.jline.util.PumpReader signed byte problem + - JDK-8313290: Misleading exception message from STS.Subtask::get when task forked after shutdown + - JDK-8313430: [JVMCI] fatal error: Never compilable: in JVMCI shutdown + - JDK-8313654: Test WaitNotifySuspendedVThreadTest.java timed out + - JDK-8314056: Remove runtime platform check from frem/drem + - JDK-8314136: Test java/net/httpclient/CancelRequestTest.java failed: WARNING: tracker for HttpClientImpl(42) has outstanding operations + - JDK-8314236: Overflow in Collections.rotate + - JDK-8314319: LogCompilation doesn't reset lateInlining when it encounters a failure. + - JDK-8314840: 3 gc/epsilon tests ignore external vm options + - JDK-8314842: zgc/genzgc tests ignore vm flags + - JDK-8315128: jdk/jfr/event/runtime/TestResidentSetSizeEvent.java fails with "The size should be less than or equal to peak" + - JDK-8315484: java/awt/dnd/RejectDragDropActionTest.java timed out + - JDK-8315669: Open source several Swing PopupMenu related tests + - JDK-8315742: Open source several Swing Scroll related tests + - JDK-8315827: Kitchensink.java and RenaissanceStressTest.java time out with jvmti module errors + - JDK-8315871: Opensource five more Swing regression tests + - JDK-8315876: Open source several Swing CSS related tests + - JDK-8315951: Open source several Swing HTMLEditorKit related tests + - JDK-8315981: Opensource five more random Swing tests + - JDK-8316061: Open source several Swing RootPane and Slider related tests + - JDK-8316324: Opensource five miscellaneous Swing tests + - JDK-8316388: Opensource five Swing component related regression tests + - JDK-8316452: java/lang/instrument/modules/AppendToClassPathModuleTest.java ignores VM flags + - JDK-8316497: ColorConvertOp - typo for non-ICC conversions needs one-line fix + - JDK-8316580: HttpClient with StructuredTaskScope does not close when a task fails + - JDK-8316629: j.text.DateFormatSymbols setZoneStrings() exception is unhelpful + - JDK-8317264: Pattern.Bound has `static` fields that should be `static final`. + - JDK-8318509: x86 count_positives intrinsic broken for -XX:AVX3Threshold=0 + - JDK-8318636: Add jcmd to print annotated process memory map + - JDK-8318700: MacOS Zero cannot run gtests due to wrong JVM path + - JDK-8318811: Compiler directives parser swallows a character after line comments + - JDK-8318915: Enhance checks in BigDecimal.toPlainString() + - JDK-8319439: Move BufferNode from PtrQueue files to new files + - JDK-8319572: Test jdk/incubator/vector/LoadJsvmlTest.java ignores VM flags + - JDK-8319690: [AArch64] C2 compilation hits offset_ok_for_immed: assert "c2 compiler bug" + - JDK-8320687: sun.jvmstat.monitor.MonitoredHost.getMonitoredHost() throws unexpected exceptions when invoked concurrently + - JDK-8320948: NPE due to unreported compiler error + - JDK-8321204: C2: assert(false) failed: node should be in igvn hash table + - JDK-8321479: java -D-D crashes + - JDK-8321931: memory_swap_current_in_bytes reports 0 as "unlimited" + - JDK-8322141: SequenceInputStream.transferTo should not return as soon as Long.MAX_VALUE bytes have been transferred + - JDK-8322475: Extend printing for System.map + - JDK-8323795: jcmd Compiler.codecache should print total size of code cache + - JDK-8324345: Stack overflow during C2 compilation when splitting memory phi + - JDK-8324678: Replace NULL with nullptr in HotSpot gtests + - JDK-8324681: Replace NULL with nullptr in HotSpot jtreg test native code files + - JDK-8324799: Use correct extension for C++ test headers + - JDK-8324880: Rename get_stack_trace.h + - JDK-8325055: Rename Injector.h + - JDK-8325180: Rename jvmti_FollowRefObjects.h + - JDK-8325347: Rename native_thread.h + - JDK-8325367: Rename nsk_list.h + - JDK-8325435: [macos] Menu or JPopupMenu not closed when main window is resized + - JDK-8325456: Rename nsk_mutex.h + - JDK-8325458: Rename mlvmJvmtiUtils.h + - JDK-8325680: Uninitialised memory in deleteGSSCB of GSSLibStub.c:179 + - JDK-8325682: Rename nsk_strace.h + - JDK-8325910: Rename jnihelper.h + - JDK-8326090: Rename jvmti_aod.h + - JDK-8326389: [test] improve assertEquals failure output + - JDK-8326524: Rename agent_common.h + - JDK-8326586: Improve Speed of System.map + - JDK-8327071: [Testbug] g-tests for cgroup leave files in /tmp on linux + - JDK-8327169: serviceability/dcmd/vm/SystemMapTest.java and SystemDumpMapTest.java may fail after JDK-8326586 + - JDK-8327370: (ch) sun.nio.ch.Poller.register throws AssertionError + - JDK-8327461: KeyStore getEntry is not thread-safe + - JDK-8328107: Shenandoah/C2: TestVerifyLoopOptimizations test failure + - JDK-8328301: Convert Applet test ManualHTMLDataFlavorTest.java to main program + - JDK-8328482: Convert and Open source few manual applet test to main based + - JDK-8328484: Convert and Opensource few JFileChooser applet test to main + - JDK-8328648: Remove applet usage from JFileChooser tests bug4150029 + - JDK-8328670: Automate and open source few closed manual applet test + - JDK-8328673: Convert closed text/html/CSS manual applet test to main + - JDK-8328864: NullPointerException in sun.security.jca.ProviderList.getService() + - JDK-8329261: G1: interpreter post-barrier x86 code asserts index size of wrong buffer + - JDK-8329729: java/util/Properties/StoreReproducibilityTest.java times out + - JDK-8330106: C2: VectorInsertNode::make() shouldn't call ConINode::make() directly + - JDK-8330158: C2: Loop strip mining uses ABS with min int + - JDK-8330534: Update nsk/jdwp tests to use driver instead of othervm + - JDK-8330598: java/net/httpclient/Http1ChunkedTest.java fails with java.util.MissingFormatArgumentException: Format specifier '%s' + - JDK-8330936: [ubsan] exclude function BilinearInterp and ShapeSINextSpan in libawt java2d from ubsan checks + - JDK-8331088: Incorrect TraceLoopPredicate output + - JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor + - JDK-8332252: Clean up vmTestbase/vm/share + - JDK-8332506: SIGFPE In ObjectSynchronizer::is_async_deflation_needed() + - JDK-8332631: Update nsk.share.jpda.BindServer to don't use finalization + - JDK-8332641: Update nsk.share.jpda.Jdb to don't use finalization + - JDK-8332880: JFR GCHelper class recognizes "Archive" regions as valid + - JDK-8332921: Ctrl+C does not call shutdown hooks after JLine upgrade + - JDK-8333013: Update vmTestbase/nsk/share/LocalProcess.java to don't use finalization + - JDK-8333117: Remove support of remote and manual debuggee launchers + - JDK-8333680: com/sun/tools/attach/BasicTests.java fails with "SocketException: Permission denied: connect" + - JDK-8333805: Replaying compilation with null static final fields results in a crash + - JDK-8333890: Fatal error in auto-vectorizer with float16 kernel. + - JDK-8334644: Automate javax/print/attribute/PageRangesException.java + - JDK-8334780: Crash: assert(h_array_list.not_null()) failed: invariant + - JDK-8334895: OpenJDK fails to configure on linux aarch64 when CDS is disabled after JDK-8331942 + - JDK-8335181: Incorrect handling of HTTP/2 GOAWAY frames in HttpClient + - JDK-8335643: serviceability/dcmd/vm tests fail for ZGC after JDK-8322475 + - JDK-8335662: [AArch64] C1: guarantee(val < (1ULL << nbits)) failed: Field too big for insn + - JDK-8335684: Test ThreadCpuTime.java should pause like ThreadCpuTimeArray.java + - JDK-8335710: serviceability/dcmd/vm/SystemDumpMapTest.java and SystemMapTest.java fail on Linux Alpine after 8322475 + - JDK-8335836: serviceability/jvmti/StartPhase/AllowedFunctions/AllowedFunctions.java fails with unexpected exit code: 112 + - JDK-8335860: compiler/vectorization/TestFloat16VectorConvChain.java fails with non-standard AVX/SSE settings + - JDK-8336042: Caller/callee param size mismatch in deoptimization causes crash + - JDK-8336499: Failure when creating non-CRT RSA private keys in SunPKCS11 + - JDK-8336587: failure_handler lldb command times out on macosx-aarch64 core file + - JDK-8336827: compiler/vectorization/TestFloat16VectorConvChain.java timeouts on ppc64 platforms after JDK-8335860 + - JDK-8337221: CompileFramework: test library to conveniently compile java and jasm sources for fuzzing + - JDK-8337299: vmTestbase/nsk/jdb/stop_at/stop_at002/stop_at002.java failure goes undetected + - JDK-8337681: PNGImageWriter uses much more memory than necessary + - JDK-8337795: Type annotation attached to incorrect type during class reading + - JDK-8337958: Out-of-bounds array access in secondary_super_cache + - JDK-8337981: ShenandoahHeap::is_in should check for alive regions + - JDK-8337998: CompletionFailure in getEnclosingType attaching type annotations + - JDK-8338010: WB_IsFrameDeoptimized miss ResourceMark + - JDK-8338064: Give better error for ConcurrentHashTable corruption + - JDK-8338136: Hotspot should support multiple large page sizes on Windows + - JDK-8338154: Fix -Wzero-as-null-pointer-constant warnings in gtest framework + - JDK-8338202: Shenandoah: Improve handshake closure labels + - JDK-8338314: JFR: Split JFRCheckpoint VM operation + - JDK-8339148: Make os::Linux::active_processor_count() public + - JDK-8339288: Improve diagnostic logging runtime/cds/DeterministicDump.java + - JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm gtest fails on ppc64 based platforms + - JDK-8339538: Wrong timeout computations in DnsClient + - JDK-8339639: Opensource few AWT PopupMenu tests + - JDK-8339678: Update runtime/condy tests to be executed with VM flags + - JDK-8339727: Open source several AWT focus tests - series 1 + - JDK-8339769: Incorrect error message during startup if working directory does not exist + - JDK-8339794: Open source closed choice tests #1 + - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract + - JDK-8339836: Open source several AWT Mouse tests - Batch 1 + - JDK-8339842: Open source several AWT focus tests - series 2 + - JDK-8339895: Open source several AWT focus tests - series 3 + - JDK-8339906: Open source several AWT focus tests - series 4 + - JDK-8339935: Open source several AWT focus tests - series 5 + - JDK-8339982: Open source several AWT Mouse tests - Batch 2 + - JDK-8339984: Open source AWT MenuItem related tests + - JDK-8339995: Open source several AWT focus tests - series 6 + - JDK-8340024: In ClassReader, extract a constant for the superclass supertype_index + - JDK-8340077: Open source few Checkbox tests - Set2 + - JDK-8340084: Open source AWT Frame related tests + - JDK-8340143: Open source several Java2D rendering loop tests. + - JDK-8340146: ZGC: TestAllocateHeapAt.java should not run with UseLargePages + - JDK-8340164: Open source few Component tests - Set1 + - JDK-8340173: Open source some Component/Panel/EventQueue tests - Set2 + - JDK-8340176: Replace usage of -noclassgc with -Xnoclassgc in test/jdk/java/lang/management/MemoryMXBean/LowMemoryTest2.java + - JDK-8340193: Open source several AWT Dialog tests - Batch 1 + - JDK-8340228: Open source couple more miscellaneous AWT tests + - JDK-8340271: Open source several AWT Robot tests + - JDK-8340279: Open source several AWT Dialog tests - Batch 2 + - JDK-8340332: Open source mixed AWT tests - Set3 + - JDK-8340366: Open source several AWT Dialog tests - Batch 3 + - JDK-8340367: Opensource few AWT image tests + - JDK-8340393: Open source closed choice tests #2 + - JDK-8340407: Open source a few more Component related tests + - JDK-8340417: Open source some MenuBar tests - Set1 + - JDK-8340432: Open source some MenuBar tests - Set2 + - JDK-8340433: Open source closed choice tests #3 + - JDK-8340437: Open source few more AWT Frame related tests + - JDK-8340458: Open source additional Component tests (part 2) + - JDK-8340555: Open source DnD tests - Set4 + - JDK-8340560: Open Source several AWT/2D font and rendering tests + - JDK-8340605: Open source several AWT PopupMenu tests + - JDK-8340621: Open source several AWT List tests + - JDK-8340625: Open source additional Component tests (part 3) + - JDK-8340639: Open source few more AWT List tests + - JDK-8340713: Open source DnD tests - Set5 + - JDK-8340784: Remove PassFailJFrame constructor with screenshots + - JDK-8340790: Open source several AWT Dialog tests - Batch 4 + - JDK-8340809: Open source few more AWT PopupMenu tests + - JDK-8340874: Open source some of the AWT Geometry/Button tests + - JDK-8340907: Open source closed frame tests # 2 + - JDK-8340966: Open source few Checkbox and Cursor tests - Set1 + - JDK-8340967: Open source few Cursor tests - Set2 + - JDK-8340978: Open source few DnD tests - Set6 + - JDK-8340985: Open source some Desktop related tests + - JDK-8341000: Open source some of the AWT Window tests + - JDK-8341004: Open source AWT FileDialog related tests + - JDK-8341072: Open source several AWT Canvas and Rectangle related tests + - JDK-8341128: open source some 2d graphics tests + - JDK-8341148: Open source several Choice related tests + - JDK-8341162: Open source some of the AWT window test + - JDK-8341170: Open source several Choice related tests (part 2) + - JDK-8341177: Opensource few List and a Window test + - JDK-8341191: Open source few more AWT FileDialog tests + - JDK-8341239: Open source closed frame tests # 3 + - JDK-8341257: Open source few DND tests - Set1 + - JDK-8341258: Open source few various AWT tests - Set1 + - JDK-8341278: Open source few TrayIcon tests - Set7 + - JDK-8341298: Open source more AWT window tests + - JDK-8341373: Open source closed frame tests # 4 + - JDK-8341378: Open source few TrayIcon tests - Set8 + - JDK-8341447: Open source closed frame tests # 5 + - JDK-8341535: sun/awt/font/TestDevTransform.java fails with RuntimeException: Different rendering + - JDK-8341637: java/net/Socket/UdpSocket.java fails with "java.net.BindException: Address already in use" (macos-aarch64) + - JDK-8341779: [REDO BACKPORT] type annotations are not visible to javac plugins across compilation boundaries (JDK-8225377) + - JDK-8341972: java/awt/dnd/DnDRemoveFocusOwnerCrashTest.java timed out after JDK-8341257 + - JDK-8342075: HttpClient: improve HTTP/2 flow control checks + - JDK-8342376: More reliable OOM handling in ExceptionDuringDumpAtObjectsInitPhase test + - JDK-8342524: Use latch in AbstractButton/bug6298940.java instead of delay + - JDK-8342633: javax/management/security/HashedPasswordFileTest.java creates tmp file in src dir + - JDK-8342958: Use jvmArgs consistently in microbenchmarks + - JDK-8343019: Primitive caches must use boxed instances from the archive + - JDK-8343037: Missing @since tag on JColorChooser.showDialog overload + - JDK-8343103: Enable debug logging for vmTestbase/nsk/jvmti/scenarios/sampling/SP05/sp05t003/TestDescription.java + - JDK-8343124: Tests fails with java.lang.IllegalAccessException: class com.sun.javatest.regtest.agent.MainWrapper$MainTask cannot access + - JDK-8343144: UpcallLinker::on_entry racingly clears pending exception with GC safepoints + - JDK-8343170: java/awt/Cursor/JPanelCursorTest/JPanelCursorTest.java does not show the default cursor + - JDK-8343224: print/Dialog/PaperSizeError.java fails with MediaSizeName is not A4: A4 + - JDK-8343342: java/io/File/GetXSpace.java fails on Windows with CD-ROM drive + - JDK-8343345: Use -jvmArgsPrepend when running microbenchmarks in RunTests.gmk + - JDK-8343529: serviceability/sa/ClhsdbWhere.java fails AssertionFailure: Corrupted constant pool + - JDK-8343754: Problemlist jdk/jfr/event/oldobject/TestShenandoah.java after JDK-8279016 + - JDK-8343855: HTTP/2 ConnectionWindowUpdateSender may miss some unprocessed DataFrames from closed streams + - JDK-8343891: Test javax/swing/JTabbedPane/TestJTabbedPaneBackgroundColor.java failed + - JDK-8343936: Adjust timeout in test javax/management/monitor/DerivedGaugeMonitorTest.java + - JDK-8344316: security/auth/callback/TextCallbackHandler/Password.java make runnable with JTReg and add the UI + - JDK-8344346: java/net/httpclient/ShutdownNow.java fails with java.lang.AssertionError: client was still running, but exited after further delay: timeout should be adjusted + - JDK-8344361: Restore null return for invalid services from legacy providers + - JDK-8344414: ZGC: Another division by zero in rule_major_allocation_rate + - JDK-8344925: translet-name ignored when package-name is also set + - JDK-8345133: Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout + - JDK-8345134: Test sun/security/tools/jarsigner/ConciseJarsigner.java failed: unable to find valid certification path to requested target + - JDK-8345146: [PPC64] Make intrinsic conversions between bit representations of half precision values and floats + - JDK-8345341: Fix incorrect log message in JDI stop002t test + - JDK-8345357: test/jdk/javax/swing/JRadioButton/8033699/bug8033699.java fails in ubuntu22.04 + - JDK-8345447: test/jdk/javax/swing/JToolBar/4529206/bug4529206.java fails in ubuntu22.04 + - JDK-8345547: test/jdk/javax/swing/text/DefaultEditorKit/4278839/bug4278839.java fails in ubuntu22.04 + - JDK-8345598: Upgrade NSS binaries for interop tests + - JDK-8345625: Better HTTP connections + - JDK-8345728: [Accessibility,macOS,Screen Magnifier]: JCheckbox unchecked state does not magnify but works for checked state + - JDK-8345838: Remove the appcds/javaldr/AnonVmClassesDuringDump.java test + - JDK-8346049: jdk/test/lib/security/timestamp/TsaServer.java warnings + - JDK-8346082: Output JVMTI agent information in hserr files + - JDK-8346264: "Total compile time" counter should include time spent in failing/bailout compiles + - JDK-8346581: JRadioButton/ButtonGroupFocusTest.java fails in CI on Linux + - JDK-8346888: [ubsan] block.cpp:1617:30: runtime error: 9.97582e+36 is outside the range of representable values of type 'int' + - JDK-8347000: Bug in com/sun/net/httpserver/bugs/B6361557.java test + - JDK-8347019: Test javax/swing/JRadioButton/8033699/bug8033699.java still fails: Focus is not on Radio Button Single as Expected + - JDK-8347083: Incomplete logging in nsk/jvmti/ResourceExhausted/resexhausted00* tests + - JDK-8347126: gc/stress/TestStressG1Uncommit.java gets OOM-killed + - JDK-8347173: java/net/DatagramSocket/InterruptibleDatagramSocket.java fails with virtual thread factory + - JDK-8347286: (fs) Remove some extensions from java/nio/file/Files/probeContentType/Basic.java + - JDK-8347296: WinInstallerUiTest fails in local test runs if the path to test work directory is longer that regular + - JDK-8347373: HTTP/2 flow control checks may count unprocessed data twice + - JDK-8347506: Compatible OCSP readtimeout property with OCSP timeout + - JDK-8347596: Update HSS/LMS public key encoding + - JDK-8347629: Test FailOverDirectExecutionControlTest.java fails with -Xcomp + - JDK-8347995: Race condition in jdk/java/net/httpclient/offline/FixedResponseHttpClient.java + - JDK-8348107: test/jdk/java/net/httpclient/HttpsTunnelAuthTest.java fails intermittently + - JDK-8348110: Update LCMS to 2.17 + - JDK-8348299: Update List/ItemEventTest/ItemEventTest.java + - JDK-8348323: Corrupted timezone string in JVM crash log + - JDK-8348596: Update FreeType to 2.13.3 + - JDK-8348597: Update HarfBuzz to 10.4.0 + - JDK-8348598: Update Libpng to 1.6.47 + - JDK-8348600: Update PipeWire to 1.3.81 + - JDK-8348865: JButton/bug4796987.java never runs because Windows XP is unavailable + - JDK-8348936: [Accessibility,macOS,VoiceOver] VoiceOver doesn't announce untick on toggling the checkbox with "space" key on macOS + - JDK-8348989: Better Glyph drawing + - JDK-8349111: Enhance Swing supports + - JDK-8349200: [JMH] time.format.ZonedDateTimeFormatterBenchmark fails + - JDK-8349348: Refactor ClassLoaderDeadlock.sh and Deadlock.sh to run fully in java + - JDK-8349358: [JMH] Cannot access class jdk.internal.vm.ContinuationScope + - JDK-8349492: Update sun/security/pkcs12/KeytoolOpensslInteropTest.java to use a recent Openssl version + - JDK-8349501: Relocate supporting classes in security/testlibrary to test/lib/jdk tree + - JDK-8349594: Enhance TLS protocol support + - JDK-8349623: [ASAN] Gtest os_linux.glibc_mallinfo_wrapper_vm fails + - JDK-8349637: Integer.numberOfLeadingZeros outputs incorrectly in certain cases + - JDK-8349751: AIX build failure after upgrade pipewire to 1.3.81 + - JDK-8350201: Out of bounds access on Linux aarch64 in os::print_register_info + - JDK-8350211: CTW: Attempt to preload all classes in constant pool + - JDK-8350224: Test javax/swing/JComboBox/TestComboBoxComponentRendering.java fails in ubuntu 23.x and later + - JDK-8350260: Improve HTML instruction formatting in PassFailJFrame + - JDK-8350313: Include timings for leaving safepoint in safepoint logging + - JDK-8350383: Test: add more test case for string compare (UL case) + - JDK-8350386: Test TestCodeCacheFull.java fails with option -XX:-UseCodeCacheFlushing + - JDK-8350412: [21u] AArch64: Ambiguous frame layout leads to incorrect traces in JFR + - JDK-8350483: AArch64: turn on signum intrinsics by default on Ampere CPUs + - JDK-8350498: Remove two Camerfirma root CA certificates + - JDK-8350546: Several java/net/InetAddress tests fails UnknownHostException + - JDK-8350616: Skip ValidateHazardPtrsClosure in non-debug builds + - JDK-8350650: Bump update version for OpenJDK: jdk-21.0.8 + - JDK-8350682: [JMH] vector.IndexInRangeBenchmark failed with IndexOutOfBoundsException for size=1024 + - JDK-8350786: Some java/lang jtreg tests miss requires vm.hasJFR + - JDK-8350924: javax/swing/JMenu/4213634/bug4213634.java fails + - JDK-8350991: Improve HTTP client header handling + - JDK-8351086: (fc) Make java/nio/channels/FileChannel/BlockDeviceSize.java test manual + - JDK-8351500: G1: NUMA migrations cause crashes in region allocation + - JDK-8351665: Remove unused UseNUMA in os_aix.cpp + - JDK-8351933: Inaccurate masking of TC subfield decrement in ForkJoinPool + - JDK-8352076: [21u] Problem list tests that fail in 21 and would be fixed by 8309622 + - JDK-8352109: java/awt/Desktop/MailTest.java fails in platforms where Action.MAIL is not supported + - JDK-8352302: Test sun/security/tools/jarsigner/TimestampCheck.java is failing + - JDK-8352512: TestVectorZeroCount: counter not reset between iterations + - JDK-8352676: Opensource JMenu tests - series1 + - JDK-8352680: Opensource few misc swing tests + - JDK-8352684: Opensource JInternalFrame tests - series1 + - JDK-8352706: httpclient HeadTest does not run on HTTP2 + - JDK-8352716: (tz) Update Timezone Data to 2025b + - JDK-8352908: Open source several swing tests batch1 + - JDK-8352942: jdk/jfr/startupargs/TestMemoryOptions.java fails with 32-bit build + - JDK-8353070: Clean up and open source couple AWT Graphics related tests (Part 1) + - JDK-8353138: Screen capture for test TaskbarPositionTest.java, failure case + - JDK-8353190: Use "/native" Run Option for TestAvailableProcessors Execution + - JDK-8353237: [AArch64] Incorrect result of VectorizedHashCode intrinsic on Cortex-A53 + - JDK-8353320: Open source more Swing text tests + - JDK-8353446: Open source several AWT Menu tests - Batch 2 + - JDK-8353475: Open source two Swing DefaultCaret tests + - JDK-8353685: Open some JComboBox bugs 4 + - JDK-8353709: Debug symbols bundle should contain full debug files when building --with-external-symbols-in-bundles=public + - JDK-8353787: Increased number of SHA-384-Digest java.util.jar.Attributes$Name instances leading to higher memory footprint + - JDK-8353942: Open source Swing Tests - Set 5 + - JDK-8354255: [jittester] Remove TempDir debug output + - JDK-8354530: AIX: sporadic unexpected errno when calling setsockopt in Net.joinOrDrop + - JDK-8354554: Open source several clipboard tests batch1 + - JDK-8354802: MAX_SECS definition is unused in os_linux + - JDK-8354893: [REDO BACKPORT] javac crashes while adding type annotations to the return type of a constructor (JDK-8320001) + - JDK-8355498: [AIX] Adapt code for C++ VLA rule + - JDK-8356053: Test java/awt/Toolkit/Headless/HeadlessToolkit.java fails by timeout + - JDK-8356096: ISO 4217 Amendment 179 Update + - JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS + - JDK-8357105: C2: compilation fails with "assert(false) failed: empty program detected during loop optimization" + - JDK-8357193: [VS 2022 17.14] Warning C5287 in debugInit.c: enum type mismatch during build + - JDK-8359170: Add 2 TLS and 2 CS Sectigo roots + - JDK-8360147: Better Glyph drawing redux + - JDK-8360406: [21u] Disable logic for attaching type annotations to class files until 8359336 is fixed + - JDK-8361672: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.8 + +Notes on individual issues: +=========================== + +tools/javac: + +JDK-8341779: [REDO BACKPORT] type annotations are not visible to javac plugins across compilation boundaries (JDK-8225377) +========================================================================================================================== +The compiler in previous releases of OpenJDK 21 would only provide +access to type annotations on types loaded from source code files. If +the type was instead loaded from bytecode, then any type annotations +would be absent. + +With this release, `TypeMirror` now provides access to annotations for +types loaded from bytecode. These type annotations can be obtained +using `AnnotationMirror#getAnnotationMirrors` and will be included in +the output of `AnnotationMirror#toString`. + +Programs that rely on type annotations being absent from elements +loaded from bytecode will need to be updated accordingly. Due to +ongoing issues with this new feature (see JDK-8360406), it is not +enabled by default and the option `-XDaddTypeAnnotationsToSymbol=true` +must be specified in order for bytecode type annotations to be +included. + +core-libs/java.net: + +JDK-8342075: HttpClient: improve HTTP/2 flow control checks +=========================================================== +This release of OpenJDK 21 enhances the HTTP/2 client implementation +in `java.net.http.HttpClient` to report flow control errors back to +the server. While this should be transparent in most cases, it may +lead to streams being reset or connections being closed if connecting +to a HTTP/2 server that does not correctly handle these errors. + +Flow control limits can be adjusted using the following existing +properties: + +* `jdk.httpclient.connectionWindowSize` + - Specifies the HTTP/2 client connection window size in bytes. + - Default value: `2^26` + - Range: `2^16-1` to `2^31-1`. + +* `jdk.httpclient.windowSize` + - Specifies the HTTP/2 client stream window size in bytes. + - Default value: `16777216` (16MB) + - Range: `2^14` to `2^31-1` + +Specifying an invalid value leads to the default value being used. +The implementation guarantees that the actual value used for the +connection window size will be no smaller than the stream window size. + +hotspot/runtime: + +JDK-8318636: Add jcmd to print annotated process memory map +=========================================================== +Two new diagnostic commands have been added to `jcmd`, which print the +virtual memory map of the JVM either to standard output or a file. If +Native Memory Tracking (NMT) is enabled, NMT information about the +virtual memory segments will be included. + +The new commands are: + +* `jcmd System.map` -- prints the virtual memory map of the JVM +identified by `` to the standard output. + +* `jcmd System.dump_map` -- prints the virtual memory map of the +JVM identified by `` to a file `vm_memory_map_.txt` in the +current directory. + +security-libs/java.security: + +JDK-8303770: Remove Baltimore root certificate expiring in May 2025 +=================================================================== +The following root certificate from Baltimore has been removed from +the `cacerts` keystore: + +Alias Name: baltimorecybertrustca [jdk] +Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE + +JDK-8347506: Compatible OCSP readtimeout property with OCSP timeout +=================================================================== +The initial release of OpenJDK 21 introduced the +`com.sun.security.ocsp.readtimeout` property, which was paired with +the existing `com.sun.security.ocsp.timeout` to give greater control +over the timeouts for OCSP connections and certificate retrieval. The +existence of two separate properties allows the timeout for reading +data to be set separately from the timeout for the transport layer. + +When `com.sun.security.ocsp.readtimeout` was backported to OpenJDK +17.0.15, the default value of `com.sun.security.ocsp.readtimeout` was +changed from 15 seconds to the value of +`com.sun.security.ocsp.timeout`, which itself has a default of 15 +seconds. This change is brought forward to OpenJDK 21 with this +release. + +If neither property is set, both will default to 15 seconds as in +previous OpenJDK 21 releases. If only `com.sun.security.ocsp.timeout` +is set, `com.sun.security.ocsp.readtimeout` will use the same value +which retains the behaviour from before the +`com.sun.security.ocsp.readtimeout` property was introduced. + +JDK-8347596: Update HSS/LMS public key encoding +=============================================== +The X.509 encoding format for HSS/LMS public keys has been updated to +align with the latest standard outlined in RFC 9708 [0]. Notably, the +OCTET_STRING wrapping around the public key value has been removed. +For compatibility, the JDK will still detect the presence of DER +encoding when reading keys encoded by earlier releases. + +[0] https://www.rfc-editor.org/rfc/rfc9708.html#name-hss-lms-public-key-identifi + +JDK-8350498: Remove two Camerfirma root CA certificates +======================================================= +The following expired root certificates from Camerfirma have been +removed from the `cacerts` keystore: + +Alias name: camerfirmachamberscommerceca [jdk] +CN=Chambers of Commerce Root +OU=http://www.chambersign.org +O=AC Camerfirma SA CIF A82743287 +C=EU +SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 + +Alias name: camerfirmachambersignca [jdk] +CN=Global Chambersign Root - 2008 +O=AC Camerfirma S.A. +SERIALNUMBER=A82743287 +L=Madrid (see current address at www.camerfirma.com/address) +C=EU +SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA + +JDK-8359170: Add 2 TLS and 2 CS Sectigo roots +============================================= +The following root certificates have been added to the cacerts +truststore: + +Name: Sectigo Limited +Alias Name: sectigocodesignroote46 +Distinguished Name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB + +Name: Sectigo Limited +Alias Name: sectigocodesignrootr46 +Distinguished Name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB + +Name: Sectigo Limited +Alias Name: sectigotlsroote46 +Distinguished Name: Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB + +Name: Sectigo Limited +Alias Name: sectigotlsrootr46 +Distinguished Name: Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB + +New in release OpenJDK 21.0.7 (2025-04-15): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2107 + +* CVEs + - CVE-2025-21587 + - CVE-2025-30691 + - CVE-2025-30698 +* Changes + - JDK-8198237: [macos] Test java/awt/Frame/ExceptionOnSetExtendedStateTest/ExceptionOnSetExtendedStateTest.java fails + - JDK-8211851: (ch) java/nio/channels/AsynchronousSocketChannel/StressLoopback.java times out (aix) + - JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB tab in JColorChooser + - JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in FileChooser Dialog + - JDK-8227529: With malformed --app-image the error messages are awful + - JDK-8277240: java/awt/Graphics2D/ScaledTransform/ScaledTransform.java dialog does not get disposed + - JDK-8283664: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintTextTest.java + - JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native + - JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic + - JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x + - JDK-8295159: DSO created with -ffast-math breaks Java floating-point arithmetic + - JDK-8302111: Serialization considerations + - JDK-8304701: Request with timeout aborts later in-flight request on HTTP/1.1 cxn + - JDK-8309841: Jarsigner should print a warning if an entry is removed + - JDK-8311546: Certificate name constraints improperly validated with leading period + - JDK-8312570: [TESTBUG] Jtreg compiler/loopopts/superword/TestDependencyOffsets.java fails on 512-bit SVE + - JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/NextDropActionTest.java fails with java.lang.RuntimeException: wrong next drop action! + - JDK-8313905: Checked_cast assert in CDS compare_by_loader + - JDK-8314752: Use google test string comparison macros + - JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails with java.lang.AssertionError: Expected [0]. Actual [1618]: + - JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java timed out + - JDK-8315825: Open some swing tests + - JDK-8315882: Open some swing tests 2 + - JDK-8315883: Open source several Swing JToolbar tests + - JDK-8315952: Open source several Swing JToolbar JTooltip JTree tests + - JDK-8316056: Open source several Swing JTree tests + - JDK-8316146: Open some swing tests 4 + - JDK-8316149: Open source several Swing JTree JViewport KeyboardManager tests + - JDK-8316218: Open some swing tests 5 + - JDK-8316371: Open some swing tests 6 + - JDK-8316627: JViewport Test headless failure + - JDK-8316885: jcmd: Compiler.CodeHeap_Analytics cmd does not inform about missing aggregate + - JDK-8317283: jpackage tests run osx-specific checks on windows and linux + - JDK-8317636: Improve heap walking API tests to verify correctness of field indexes + - JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber registered + - JDK-8317919: pthread_attr_init handle return value and destroy pthread_attr_t object + - JDK-8319233: AArch64: Build failure with clang due to -Wformat-nonliteral warning + - JDK-8320372: test/jdk/sun/security/x509/DNSName/LeadingPeriod.java validity check failed + - JDK-8320676: Manual printer tests have no Pass/Fail buttons, instructions close set 1 + - JDK-8320691: Timeout handler on Windows takes 2 hours to complete + - JDK-8320706: RuntimePackageTest.testUsrInstallDir test fails on Linux + - JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded" + - JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java failed with 'Cannot read the array length because "" is null' + - JDK-8322983: Virtual Threads: exclude 2 tests + - JDK-8324672: Update jdk/java/time/tck/java/time/TCKInstant.java now() to be more robust + - JDK-8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2 + - JDK-8324838: test_nmt_locationprinting.cpp broken in the gcc windows build + - JDK-8325042: Remove unused JVMDITools test files + - JDK-8325529: Remove unused imports from `ModuleGenerator` test file + - JDK-8325659: Normalize Random usage by incubator vector tests + - JDK-8325937: runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame pointer" assertion failure on AArch64 + - JDK-8326421: Add jtreg test for large arrayCopy disjoint case. + - JDK-8326525: com/sun/tools/attach/BasicTests.java does not verify AgentLoadException case + - JDK-8327098: GTest needs larger combination limit + - JDK-8327390: JitTester: Implement temporary folder functionality + - JDK-8327460: Compile tests with the same visibility rules as product code + - JDK-8327476: Upgrade JLine to 3.26.1 + - JDK-8327505: Test com/sun/jmx/remote/NotificationMarshalVersions/TestSerializationMismatch.java fails + - JDK-8327857: Remove applet usage from JColorChooser tests Test4222508 + - JDK-8327859: Remove applet usage from JColorChooser tests Test4319113 + - JDK-8327986: ASAN reports use-after-free in DirectivesParserTest.empty_object_vm + - JDK-8327994: Update code gen in CallGeneratorHelper + - JDK-8328005: Convert java/awt/im/JTextFieldTest.java applet test to main + - JDK-8328085: C2: Use after free in PhaseChaitin::Register_Allocate() + - JDK-8328121: Remove applet usage from JColorChooser tests Test4759306 + - JDK-8328130: Remove applet usage from JColorChooser tests Test4759934 + - JDK-8328185: Convert java/awt/image/MemoryLeakTest/MemoryLeakTest.java applet test to main + - JDK-8328227: Remove applet usage from JColorChooser tests Test4887836 + - JDK-8328368: Convert java/awt/image/multiresolution/MultiDisplayTest/MultiDisplayTest.java applet test to main + - JDK-8328370: Convert java/awt/print/Dialog/PrintApplet.java applet test to main + - JDK-8328380: Remove applet usage from JColorChooser tests Test6348456 + - JDK-8328387: Convert java/awt/Frame/FrameStateTest/FrameStateTest.html applet test to main + - JDK-8328403: Remove applet usage from JColorChooser tests Test6977726 + - JDK-8328553: Get rid of JApplet in test/jdk/sanity/client/lib/SwingSet2/src/DemoModule.java + - JDK-8328558: Convert javax/swing/JCheckBox/8032667/bug8032667.java applet test to main + - JDK-8328717: Convert javax/swing/JColorChooser/8065098/bug8065098.java applet test to main + - JDK-8328719: Convert java/awt/print/PageFormat/SetOrient.html applet test to main + - JDK-8328730: Convert java/awt/print/bug8023392/bug8023392.html applet test to main + - JDK-8328753: Open source few Undecorated Frame tests + - JDK-8328819: Remove applet usage from JFileChooser tests bug6698013 + - JDK-8328827: Convert java/awt/print/PrinterJob/PrinterDialogsModalityTest/PrinterDialogsModalityTest.html applet test to main + - JDK-8329210: Delete Redundant Printer Dialog Modality Test + - JDK-8329320: Simplify awt/print/PageFormat/NullPaper.java test + - JDK-8329322: Convert PageFormat/Orient.java to use PassFailJFrame + - JDK-8329692: Add more details to FrameStateTest.java test instructions + - JDK-8330647: Two CDS tests fail with -UseCompressedOops and UseSerialGC/UseParallelGC + - JDK-8330702: Update failure handler to don't generate Error message if cores actions are empty + - JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor + - JDK-8331959: Update PKCS#11 Cryptographic Token Interface to v3.1 + - JDK-8331977: Crash: SIGSEGV in dlerror() + - JDK-8331993: Add counting leading/trailing zero tests for Integer + - JDK-8332158: [XWayland] test/jdk/java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java + - JDK-8332494: java/util/zip/EntryCount64k.java failing with java.lang.RuntimeException: '\\A\\Z' missing from stderr + - JDK-8332917: failure_handler should execute gdb "info threads" command on linux + - JDK-8333116: test/jdk/tools/jpackage/share/ServiceTest.java test fails + - JDK-8333360: PrintNullString.java doesn't use float arguments + - JDK-8333391: Test com/sun/jdi/InterruptHangTest.java failed: Thread was never interrupted during sleep + - JDK-8333403: Write a test to check various components events are triggered properly + - JDK-8333647: C2 SuperWord: some additional PopulateIndex tests + - JDK-8334305: Remove all code for nsk.share.Log verbose mode + - JDK-8334371: [AIX] Beginning with AIX 7.3 TL1 mmap() supports 64K memory pages + - JDK-8334490: Normalize string with locale invariant `toLowerCase()` + - JDK-8334777: Test javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java failed with NullPointerException + - JDK-8335288: SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms + - JDK-8335468: [XWayland] JavaFX hangs when calling java.awt.Robot.getPixelColor + - JDK-8335789: [TESTBUG] XparColor.java test fails with Error. Parse Exception: Invalid or unrecognized bugid: @ + - JDK-8336012: Fix usages of jtreg-reserved properties + - JDK-8336498: [macos] [build]: install-file macro may run into permission denied error + - JDK-8336692: Redo fix for JDK-8284620 + - JDK-8336942: Improve test coverage for class loading elements with annotations of different retentions + - JDK-8337222: gc/TestDisableExplicitGC.java fails due to unexpected CodeCache GC + - JDK-8337494: Clarify JarInputStream behavior + - JDK-8337660: C2: basic blocks with only BoxLock nodes are wrongly treated as empty + - JDK-8337692: Better TLS connection support + - JDK-8337886: java/awt/Frame/MaximizeUndecoratedTest.java fails in OEL due to a slight color difference + - JDK-8337951: Test sun/security/validator/samedn.sh CertificateNotYetValidException: NotBefore validation + - JDK-8337994: [REDO] Native memory leak when not recording any events + - JDK-8338100: C2: assert(!n_loop->is_member(get_loop(lca))) failed: control must not be back in the loop + - JDK-8338303: Linux ppc64le with toolchain clang - detection failure in early JVM startup + - JDK-8338426: Test java/nio/channels/Selector/WakeupNow.java failed + - JDK-8338430: Improve compiler transformations + - JDK-8338571: [TestBug] DefaultCloseOperation.java test not working as expected wrt instruction after JDK-8325851 fix + - JDK-8338595: Add more linesize for MIME decoder in macro bench test Base64Decode + - JDK-8338668: Test javax/swing/JFileChooser/8080628/bug8080628.java doesn't test for GTK L&F + - JDK-8339154: Cleanups and JUnit conversion of test/jdk/java/util/zip/Available.java + - JDK-8339261: Logs truncated in test javax/net/ssl/DTLS/DTLSRehandshakeTest.java + - JDK-8339356: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine + - JDK-8339475: Clean up return code handling for pthread calls in library coding + - JDK-8339524: Clean up a few ExtendedRobot tests + - JDK-8339542: compiler/codecache/CheckSegmentedCodeCache.java fails + - JDK-8339687: Rearrange reachabilityFence()s in jdk.test.lib.util.ForceGC + - JDK-8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class + - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract + - JDK-8339834: Replace usages of -mx and -ms in some tests + - JDK-8339883: Open source several AWT/2D related tests + - JDK-8339902: Open source couple TextField related tests + - JDK-8339943: Frame not disposed in java/awt/dnd/DropActionChangeTest.java + - JDK-8340078: Open source several 2D tests + - JDK-8340116: test/jdk/sun/security/tools/jarsigner/PreserveRawManifestEntryAndDigest.java can fail due to regex + - JDK-8340313: Crash due to invalid oop in nmethod after C1 patching + - JDK-8340411: open source several 2D imaging tests + - JDK-8340480: Bad copyright notices in changes from JDK-8339902 + - JDK-8340687: Open source closed frame tests #1 + - JDK-8340719: Open source AWT List tests + - JDK-8340824: C2: Memory for TypeInterfaces not reclaimed by hashcons() + - JDK-8340969: jdk/jfr/startupargs/TestStartDuration.java should be marked as flagless + - JDK-8341037: Use standard layouts in DefaultFrameIconTest.java and MenuCrash.java + - JDK-8341111: open source several AWT tests including menu shortcut tests + - JDK-8341135: Incorrect format string after JDK-8339475 + - JDK-8341194: [REDO] Implement C2 VectorizedHashCode on AArch64 + - JDK-8341316: [macos] javax/swing/ProgressMonitor/ProgressMonitorEscapeKeyPress.java fails sometimes in macos + - JDK-8341412: Various test failures after JDK-8334305 + - JDK-8341424: GHA: Collect hs_errs from build time failures + - JDK-8341453: java/awt/a11y/AccessibleJTableTest.java fails in some cases where the test tables are not visible + - JDK-8341715: PPC64: ObjectMonitor::_owner should be reset unconditionally in nmethod unlocking + - JDK-8341820: Check return value of hcreate_r + - JDK-8341862: PPC64: C1 unwind_handler fails to unlock synchronized methods with LM_MONITOR + - JDK-8341881: [REDO] java/nio/file/attribute/BasicFileAttributeView/CreationTime.java#tmp fails on alinux3 + - JDK-8341978: Improve JButton/bug4490179.java + - JDK-8341982: Simplify JButton/bug4323121.java + - JDK-8342098: Write a test to compare the images + - JDK-8342145: File libCreationTimeHelper.c compile fails on Alpine + - JDK-8342270: Test sun/security/pkcs11/Provider/RequiredMechCheck.java needs write access to src tree + - JDK-8342498: Add test for Allocation elimination after use as alignment reference by SuperWord + - JDK-8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay + - JDK-8342541: Exclude List/KeyEventsTest/KeyEventsTest.java from running on macOS + - JDK-8342562: Enhance Deflater operations + - JDK-8342602: Remove JButton/PressedButtonRightClickTest test + - JDK-8342609: jpackage test helper function incorrectly removes a directory instead of its contents only + - JDK-8342634: javax/imageio/plugins/wbmp/WBMPStreamTruncateTest.java creates temp file in src dir + - JDK-8342635: javax/swing/JFileChooser/FileSystemView/WindowsDefaultIconSizeTest.java creates tmp file in src dir + - JDK-8342704: GHA: Report truncation is broken after JDK-8341424 + - JDK-8342811: java/net/httpclient/PlainProxyConnectionTest.java failed: Unexpected connection count: 5 + - JDK-8342858: Make target mac-jdk-bundle fails on chmod command + - JDK-8342988: GHA: Build JTReg in single step + - JDK-8343007: Enhance Buffered Image handling + - JDK-8343100: Consolidate EmptyFolderTest and EmptyFolderPackageTest jpackage tests into single java file + - JDK-8343101: Rework BasicTest.testTemp test cases + - JDK-8343102: Remove `--compress` from jlink command lines from jpackage tests + - JDK-8343118: [TESTBUG] java/awt/PrintJob/PrintCheckboxTest/PrintCheckboxManualTest.java fails with rror. Can't find HTML file PrintCheckboxManualTest.html + - JDK-8343128: PassFailJFrame.java test result: Error. Bad action for script: build} + - JDK-8343129: Disable unstable check of ThreadsListHandle.sanity_vm ThreadList values + - JDK-8343144: UpcallLinker::on_entry racingly clears pending exception with GC safepoints + - JDK-8343149: Cleanup os::print_tos_pc on AIX + - JDK-8343178: Test BasicTest.java javac compile fails cannot find symbol + - JDK-8343205: CompileBroker::possibly_add_compiler_threads excessively polls available memory + - JDK-8343314: Move common properties from jpackage jtreg test declarations to TEST.properties file + - JDK-8343343: Misc crash dump improvements on more platforms after JDK-8294160 + - JDK-8343378: Exceptions in javax/management DeadLockTest.java do not cause test failure + - JDK-8343396: Use OperatingSystem, Architecture, and OSVersion in jpackage tests + - JDK-8343491: javax/management/remote/mandatory/connection/DeadLockTest.java failing with NoSuchObjectException: no such object in table + - JDK-8343599: Kmem limit and max values swapped when printing container information + - JDK-8343882: BasicAnnoTests doesn't handle multiple annotations at the same position + - JDK-8344275: tools/jpackage/windows/Win8301247Test.java fails on localized Windows platform + - JDK-8344326: Move jpackage tests from "jdk.jpackage.tests" package to the default package + - JDK-8344581: [TESTBUG] java/awt/Robot/ScreenCaptureRobotTest.java failing on macOS + - JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19 + - JDK-8344646: The libjsig deprecation warning should go to stderr not stdout + - JDK-8345296: AArch64: VM crashes with SIGILL when prctl is disallowed + - JDK-8345368: java/io/File/createTempFile/SpecialTempFile.java fails on Windows Server 2025 + - JDK-8345370: Bump update version for OpenJDK: jdk-21.0.7 + - JDK-8345375: Improve debuggability of test/jdk/java/net/Socket/CloseAvailable.java + - JDK-8345414: Google CAInterop test failures + - JDK-8345468: test/jdk/javax/swing/JScrollBar/4865918/bug4865918.java fails in ubuntu22.04 + - JDK-8345569: [ubsan] adjustments to filemap.cpp and virtualspace.cpp for macOS aarch64 + - JDK-8345614: Improve AnnotationFormatError message for duplicate annotation interfaces + - JDK-8345676: [ubsan] ProcessImpl_md.c:561:40: runtime error: applying zero offset to null pointer on macOS aarch64 + - JDK-8345684: OperatingSystemMXBean.getSystemCpuLoad() throws NPE + - JDK-8345750: Shenandoah: Test TestJcmdHeapDump.java#aggressive intermittent assert(gc_cause() == GCCause::_no_gc) failed: Over-writing cause + - JDK-8346055: javax/swing/text/StyledEditorKit/4506788/bug4506788.java fails in ubuntu22.04 + - JDK-8346108: [21u][BACKOUT] 8337994: [REDO] Native memory leak when not recording any events + - JDK-8346324: javax/swing/JScrollBar/4865918/bug4865918.java fails in CI + - JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs + - JDK-8346671: java/nio/file/Files/probeContentType/Basic.java fails on Windows 2025 + - JDK-8346713: [testsuite] NeverActAsServerClassMachine breaks TestPLABAdaptToMinTLABSize.java TestPinnedHumongousFragmentation.java TestPinnedObjectContents.java + - JDK-8346828: javax/swing/JScrollBar/4865918/bug4865918.java still fails in CI + - JDK-8346847: [s390x] minimal build failure + - JDK-8346880: [aix] java/lang/ProcessHandle/InfoTest.java still fails: "reported cputime less than expected" + - JDK-8346881: [ubsan] logSelection.cpp:154:24 / logSelectionList.cpp:72:94 : runtime error: applying non-zero offset 1 to null pointer + - JDK-8346887: DrawFocusRect() may cause an assertion failure + - JDK-8346972: Test java/nio/channels/FileChannel/LoopingTruncate.java fails sometimes with IOException: There is not enough space on the disk + - JDK-8347038: [JMH] jdk.incubator.vector.SpiltReplicate fails NoClassDefFoundError + - JDK-8347129: cpuset cgroups controller is required for no good reason + - JDK-8347171: (dc) java/nio/channels/DatagramChannel/InterruptibleOrNot.java fails with virtual thread factory + - JDK-8347256: Epsilon: Demote heap size and AlwaysPreTouch warnings to info level + - JDK-8347267: [macOS]: UnixOperatingSystem.c:67:40: runtime error: division by zero + - JDK-8347268: [ubsan] logOutput.cpp:357:21: runtime error: applying non-zero offset 1 to null pointer + - JDK-8347424: Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test + - JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header + - JDK-8347576: Error output in libjsound has non matching format strings + - JDK-8347740: java/io/File/createTempFile/SpecialTempFile.java failing + - JDK-8347847: Enhance jar file support + - JDK-8347911: Limit the length of inflated text chunks + - JDK-8347965: (tz) Update Timezone Data to 2025a + - JDK-8348562: ZGC: segmentation fault due to missing node type check in barrier elision analysis + - JDK-8348625: [21u, 17u] Revert JDK-8185862 to restore old java.awt.headless behavior on Windows + - JDK-8348675: TrayIcon tests fail in Ubuntu 24.10 Wayland + - JDK-8349039: Adjust exception No type named in database + - JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates + - JDK-8349729: [21u] AIX jtreg tests fail to compile with qvisibility=hidden + - JDK-8352097: (tz) zone.tab update missed in 2025a backport + - JDK-8353904: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.7 + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8309841: Jarsigner should print a warning if an entry is removed +==================================================================== +In previous OpenJDK releases, the jarsigner tool did not detect the +case where a file was removed from a signed JAR file but its signature +was still present. With this release, `jarsigner -verify` checks that +every signature has a matching file entry and prints a warning if this +is not the case. The `-verbose` option can also be added to the +command to see the names of the mismatched entries. + +security-libs/javax.net.ssl: + +JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs +============================================================================= +In accordance with similar plans recently announced by Google, +Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer +Security (TLS) certificates issued after the 15th of April 2025 which +are anchored by Camerfirma root certificates. + +Certificates issued on or before April 15th, 2025 will continue to +be trusted until they expire. + +If a server's certificate chain is anchored by an affected +certificate, attempts to negotiate a TLS session will fail with an +Exception that indicates the trust anchor is not trusted. For example, + +"TLS server certificate issued after 2025-04-15 and anchored by a +distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - +2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see +current address at www.camerfirma.com/address), C=EU" + +To check whether a certificate in a JDK keystore is affected by this +change, you can the `keytool` utility: + +keytool -v -list -alias -keystore + +If any of the certificates in the chain are affected by this change, +then you will need to update the certificate or contact the +organisation responsible for managing the certificate. + +These restrictions apply to the following Camerfirma root certificates +included in the JDK: + +Alias name: camerfirmachamberscommerceca [jdk] +CN=Chambers of Commerce Root +OU=http://www.chambersign.org +O=AC Camerfirma SA CIF A82743287 +C=EU +SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 + +Alias name: camerfirmachambersca [jdk] +CN=Chambers of Commerce Root - 2008 +O=AC Camerfirma S.A. +SERIALNUMBER=A82743287 +L=Madrid (see current address at www.camerfirma.com/address) +C=EU +SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0 + +Alias name: camerfirmachambersignca [jdk] +CN=Global Chambersign Root - 2008 +O=AC Camerfirma S.A. +SERIALNUMBER=A82743287 +L=Madrid (see current address at www.camerfirma.com/address) +C=EU +SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "CAMERFIRMA_TLS" is no +longer listed in the `jdk.security.caDistrustPolicies` security +property. + +security-libs/javax.crypto:pkcs11: + +JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic +========================================================================== +In OpenJDK 14, the notion of legacy mechanisms was introduced into the +SunPKCS11 provider. If a mechanism was found to be using a weak +algorithm, it was determined to be legacy and disabled. + +However, this approach has proved inflexible. There was no way for the +user to override the legacy determination and enable the mechanism +anyway. Also, a mechanism being used for signing would be declared +legacy and disabled if it had a weak encryption algorithm, even though +encryption was not being used. Similarly, a weak signing algorithm +would prevent the mechanism's use as a cipher for encryption or +decryption. + +This OpenJDK release resolves these issues. It introduces the PKCS11 +provider configuration attribute "allowLegacy" which can be set to +`true` if the user wishes to override the legacy determination. By +default, it is set to `false`. The legacy determination now also +considers the service type and will only check encryption algorithms +for Ciphers and only signature algorithms for Signatures. + +New in release OpenJDK 21.0.6 (2025-01-21): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2106 + +* CVEs + - CVE-2025-21502 +* Changes + - JDK-6942632: Hotspot should be able to use more than 64 logical processors on Windows + - JDK-8028127: Regtest java/security/Security/SynchronizedAccess.java is incorrect + - JDK-8195675: Call to insertText with single character from custom Input Method ignored + - JDK-8207908: JMXStatusTest.java fails assertion intermittently + - JDK-8225220: When the Tab Policy is checked,the scroll button direction displayed incorrectly. + - JDK-8240343: JDI stopListening/stoplis001 "FAILED: listening is successfully stopped without starting listening" + - JDK-8283214: [macos] Screen magnifier does not show the magnified text for JComboBox + - JDK-8296787: Unify debug printing format of X.509 cert serial numbers + - JDK-8296972: [macos13] java/awt/Frame/MaximizedToIconified/MaximizedToIconified.java: getExtendedState() != 6 as expected. + - JDK-8306446: java/lang/management/ThreadMXBean/Locks.java transient failures + - JDK-8308429: jvmti/StopThread/stopthrd007 failed with "NoClassDefFoundError: Could not initialize class jdk.internal.misc.VirtualThreads" + - JDK-8309218: java/util/concurrent/locks/Lock/OOMEInAQS.java still times out with ZGC, Generational ZGC, and SerialGC + - JDK-8311301: MethodExitTest may fail with stack buffer overrun + - JDK-8311656: Shenandoah: Unused ShenandoahSATBAndRemarkThreadsClosure::_claim_token + - JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above + - JDK-8313374: --enable-ccache's CCACHE_BASEDIR breaks builds + - JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le + - JDK-8315701: [macos] Regression: KeyEvent has different keycode on different keyboard layouts + - JDK-8316428: G1: Nmethod count statistics only count last code root set iterated + - JDK-8316893: Compile without -fno-delete-null-pointer-checks + - JDK-8316895: SeenThread::print_action_queue called on a null pointer + - JDK-8316907: Fix nonnull-compare warnings + - JDK-8317116: Provide layouts for multiple test UI in PassFailJFrame + - JDK-8317575: AArch64: C2_MacroAssembler::fast_lock uses rscratch1 for cmpxchg result + - JDK-8318105: [jmh] the test java.security.HSS failed with 2 active threads + - JDK-8318442: java/net/httpclient/ManyRequests2.java fails intermittently on Linux + - JDK-8319640: ClassicFormat::parseObject (from DateTimeFormatter) does not conform to the javadoc and may leak DateTimeException + - JDK-8319673: Few security tests ignore VM flags + - JDK-8319678: Several tests from corelibs areas ignore VM flags + - JDK-8319960: RISC-V: compiler/intrinsics/TestInteger/LongUnsignedDivMod.java failed with "counts: Graph contains wrong number of nodes" + - JDK-8319970: AArch64: enable tests compiler/intrinsics/Test(Long|Integer)UnsignedDivMod.java on aarch64 + - JDK-8319973: AArch64: Save and restore FPCR in the call stub + - JDK-8320192: SHAKE256 does not work correctly if n >= 137 + - JDK-8320397: RISC-V: Avoid passing t0 as temp register to MacroAssembler:: cmpxchg_obj_header/cmpxchgptr + - JDK-8320575: generic type information lost on mandated parameters of record's compact constructors + - JDK-8320586: update manual test/jdk/TEST.groups + - JDK-8320665: update jdk_core at open/test/jdk/TEST.groups + - JDK-8320673: PageFormat/CustomPaper.java has no Pass/Fail buttons; multiple instructions + - JDK-8320682: [AArch64] C1 compilation fails with "Field too big for insn" + - JDK-8320892: AArch64: Restore FPU control state after JNI + - JDK-8321299: runtime/logging/ClassLoadUnloadTest.java doesn't reliably trigger class unloading + - JDK-8321470: ThreadLocal.nextHashCode can be static final + - JDK-8321474: TestAutoCreateSharedArchiveUpgrade.java should be updated with JDK 21 + - JDK-8321543: Update NSS to version 3.96 + - JDK-8321550: Update several runtime/cds tests to use vm flags or mark as flagless + - JDK-8321616: Retire binary test vectors in test/jdk/java/util/zip/ZipFile + - JDK-8321940: Improve CDSHeapVerifier in handling of interned strings + - JDK-8322166: Files.isReadable/isWritable/isExecutable expensive when file does not exist + - JDK-8322754: click JComboBox when dialog about to close causes IllegalComponentStateException + - JDK-8322809: SystemModulesMap::classNames and moduleNames arrays do not match the order + - JDK-8322830: Add test case for ZipFile opening a ZIP with no entries + - JDK-8323562: SaslInputStream.read() may return wrong value + - JDK-8323688: C2: Fix UB of jlong overflow in PhaseIdealLoop::is_counted_loop() + - JDK-8324841: PKCS11 tests still skip execution + - JDK-8324861: Exceptions::wrap_dynamic_exception() doesn't have ResourceMark + - JDK-8325038: runtime/cds/appcds/ProhibitedPackage.java can fail with UseLargePages + - JDK-8325399: Add tests for virtual threads doing Selector operations + - JDK-8325506: Ensure randomness is only read from provided SecureRandom object + - JDK-8325525: Create jtreg test case for JDK-8325203 + - JDK-8325610: CTW: Add StressIncrementalInlining to stress options + - JDK-8325762: Use PassFailJFrame.Builder.splitUI() in PrintLatinCJKTest.java + - JDK-8325851: Hide PassFailJFrame.Builder constructor + - JDK-8325906: Problemlist vmTestbase/vm/mlvm/meth/stress/compiler/deoptimize/Test.java#id1 until JDK-8320865 is fixed + - JDK-8326100: DeflaterDictionaryTests should use Deflater.getBytesWritten instead of Deflater.getTotalOut + - JDK-8326121: vmTestbase/gc/g1/unloading/tests/unloading_keepRef_rootClass_inMemoryCompilation_keep_cl failed with Full gc happened. Test was useless. + - JDK-8326611: Clean up vmTestbase/nsk/stress/stack tests + - JDK-8326898: NSK tests should listen on loopback addresses only + - JDK-8327924: Simplify TrayIconScalingTest.java + - JDK-8328021: Convert applet test java/awt/List/SetFontTest/SetFontTest.html to main program + - JDK-8328242: Add a log area to the PassFailJFrame + - JDK-8328303: 3 JDI tests timed out with UT enabled + - JDK-8328379: Convert URLDragTest.html applet test to main + - JDK-8328402: Implement pausing functionality for the PassFailJFrame + - JDK-8328619: sun/management/jmxremote/bootstrap/SSLConfigFilePermissionTest.java failed with BindException: Address already in use + - JDK-8328665: serviceability/jvmti/vthread/PopFrameTest failed with a timeout + - JDK-8328723: IP Address error when client enables HTTPS endpoint check on server socket + - JDK-8329353: ResolvedReferencesNotNullTest.java failed with Incorrect resolved references array, quxString should not be archived + - JDK-8329533: TestCDSVMCrash fails on libgraal + - JDK-8330045: Enhance array handling + - JDK-8330278: Have SSLSocketTemplate.doClientSide use loopback address + - JDK-8330621: Make 5 compiler tests use ProcessTools.executeProcess + - JDK-8331391: Enhance the keytool code by invoking the buildTrustedCerts method for essential options + - JDK-8331393: AArch64: u32 _partial_subtype_ctr loaded/stored as 64 + - JDK-8331864: Update Public Suffix List to 1cbd6e7 + - JDK-8332112: Update nsk.share.Log to don't print summary during VM shutdown hook + - JDK-8332340: Add JavacBench as a test case for CDS + - JDK-8332461: ubsan : dependencies.cpp:906:3: runtime error: load of value 4294967295, which is not a valid value for type 'DepType' + - JDK-8332724: x86 MacroAssembler may over-align code + - JDK-8332777: Update JCStress test suite + - JDK-8332866: Crash in ImageIO JPEG decoding when MEM_STATS in enabled + - JDK-8332901: Select{Current,New}ItemTest.java for Choice don't open popup on macOS + - JDK-8333098: ubsan: bytecodeInfo.cpp:318:59: runtime error: division by zero + - JDK-8333108: Update vmTestbase/nsk/share/DebugeeProcess.java to don't use finalization + - JDK-8333144: docker tests do not work when ubsan is configured + - JDK-8333235: vmTestbase/nsk/jdb/kill/kill001/kill001.java fails with C1 + - JDK-8333248: VectorGatherMaskFoldingTest.java failed when maximum vector bits is 64 + - JDK-8333317: Test sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java failed with: Invalid ECDH ServerKeyExchange signature + - JDK-8333427: langtools/tools/javac/newlines/NewLineTest.java is failing on Japanese Windows + - JDK-8333728: ubsan: shenandoahFreeSet.cpp:1347:24: runtime error: division by zero + - JDK-8333754: Add a Test against ECDSA and ECDH NIST Test vector + - JDK-8333824: Unused ClassValue in VarHandles + - JDK-8334057: JLinkReproducibleTest.java support receive test.tool.vm.opts + - JDK-8334405: java/nio/channels/Selector/SelectWithConsumer.java#id0 failed in testWakeupDuringSelect + - JDK-8334475: UnsafeIntrinsicsTest.java#ZGenerationalDebug assert(!assert_on_failure) failed: Has low-order bits set + - JDK-8334560: [PPC64]: postalloc_expand_java_dynamic_call_sched does not copy all fields + - JDK-8334562: Automate com/sun/security/auth/callback/TextCallbackHandler/Default.java test + - JDK-8334567: [test] runtime/os/TestTracePageSizes move ppc handling + - JDK-8334719: (se) Deferred close of SelectableChannel may result in a Selector doing the final close before concurrent I/O on channel has completed + - JDK-8335142: compiler/c1/TestTraceLinearScanLevel.java occasionally times out with -Xcomp + - JDK-8335172: Add manual steps to run security/auth/callback/TextCallbackHandler/Password.java test + - JDK-8335267: [XWayland] move screencast tokens from .awt to .java folder + - JDK-8335344: test/jdk/sun/security/tools/keytool/NssTest.java fails to compile + - JDK-8335428: Enhanced Building of Processes + - JDK-8335449: runtime/cds/DeterministicDump.java fails with File content different at byte ... + - JDK-8335530: Java file extension missing in AuthenticatorTest + - JDK-8335664: Parsing jsr broken: assert(bci>= 0 && bci < c->method()->code_size()) failed: index out of bounds + - JDK-8335709: C2: assert(!loop->is_member(get_loop(useblock))) failed: must be outside loop + - JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files + - JDK-8336240: Test com/sun/crypto/provider/Cipher/DES/PerformanceTest.java fails with java.lang.ArithmeticException + - JDK-8336257: Additional tests in jmxremote/startstop to match on PID not app name + - JDK-8336315: tools/jpackage/windows/WinChildProcessTest.java Failed: Check is calculator process is alive + - JDK-8336413: gtk headers : Fix typedef redeclaration of GMainContext and GdkPixbuf + - JDK-8336564: Enhance mask blit functionality redux + - JDK-8336640: Shenandoah: Parallel worker use in parallel_heap_region_iterate + - JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout + - JDK-8336911: ZGC: Division by zero in heuristics after JDK-8332717 + - JDK-8337066: Repeated call of StringBuffer.reverse with double byte string returns wrong result + - JDK-8337067: Test runtime/classFileParserBug/Bad_NCDFE_Msg.java won't compile + - JDK-8337320: Update ProblemList.txt with tests known to fail on XWayland + - JDK-8337331: crash: pinned virtual thread will lead to jvm crash when running with the javaagent option + - JDK-8337410: The makefiles should set problemlist and adjust timeout basing on the given VM flags + - JDK-8337780: RISC-V: C2: Change C calling convention for sp to NS + - JDK-8337810: ProblemList BasicDirectoryModel/LoaderThreadCount.java on Windows + - JDK-8337826: Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754 + - JDK-8337851: Some tests have name which confuse jtreg + - JDK-8337876: [IR Framework] Add support for IR tests with @Stable + - JDK-8337966: (fs) Files.readAttributes fails with Operation not permitted on older docker releases + - JDK-8338058: map_or_reserve_memory_aligned Windows enhance remap assertion + - JDK-8338101: remove old remap assertion in map_or_reserve_memory_aligned after JDK-8338058 + - JDK-8338109: java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java duplicate in ProblemList + - JDK-8338110: Exclude Fingerprinter::do_type from ubsan checks + - JDK-8338112: Test testlibrary_tests/ir_framework/tests/TestPrivilegedMode.java fails with release build + - JDK-8338344: Test TestPrivilegedMode.java intermittent fails java.lang.NoClassDefFoundError: jdk/test/lib/Platform + - JDK-8338380: Update TLSCommon/interop/AbstractServer to specify an interface to listen for connections + - JDK-8338389: [JFR] Long strings should be added to the string pool + - JDK-8338402: GHA: some of bundles may not get removed + - JDK-8338449: ubsan: division by zero in sharedRuntimeTrans.cpp + - JDK-8338550: Do libubsan1 installation in test container only if requested + - JDK-8338748: [17u,21u] Test Disconnect.java compile error: cannot find symbol after JDK-8299813 + - JDK-8338751: ConfigureNotify behavior has changed in KWin 6.2 + - JDK-8338759: Add extra diagnostic to java/net/InetAddress/ptr/Lookup.java + - JDK-8338924: C1: assert(0 <= i && i < _len) failed: illegal index 5 for length 5 + - JDK-8339080: Bump update version for OpenJDK: jdk-21.0.6 + - JDK-8339180: Enhanced Building of Processes: Follow-on Issue + - JDK-8339248: RISC-V: Remove li64 macro assembler routine and related code + - JDK-8339384: Unintentional IOException in jdk.jdi module when JDWP end of stream occurs + - JDK-8339386: Assertion on AIX - original PC must be in the main code section of the compiled method + - JDK-8339416: [s390x] Provide implementation for resolve_global_jobject + - JDK-8339487: ProcessHandleImpl os_getChildren sysctl call - retry in case of ENOMEM and enhance exception message + - JDK-8339548: GHA: RISC-V: Use Debian snapshot archive for bootstrap + - JDK-8339560: Unaddressed comments during code review of JDK-8337664 + - JDK-8339591: Mark jdk/jshell/ExceptionMessageTest.java intermittent + - JDK-8339637: (tz) Update Timezone Data to 2024b + - JDK-8339644: Improve parsing of Day/Month in tzdata rules + - JDK-8339648: ZGC: Division by zero in rule_major_allocation_rate + - JDK-8339725: Concurrent GC crashed due to GetMethodDeclaringClass + - JDK-8339731: java.desktop/share/classes/javax/swing/text/html/default.css typo in margin settings + - JDK-8339741: RISC-V: C ABI breakage for integer on stack + - JDK-8339787: Add some additional diagnostic output to java/net/ipv6tests/UdpTest.java + - JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files + - JDK-8339892: Several security shell tests don't set TESTJAVAOPTS + - JDK-8340007: Refactor KeyEvent/FunctionKeyTest.java + - JDK-8340008: KeyEvent/KeyTyped/Numpad1KeyTyped.java has 15 seconds timeout + - JDK-8340109: Ubsan: ciEnv.cpp:1660:65: runtime error: member call on null pointer of type 'struct CompileTask' + - JDK-8340210: Add positionTestUI() to PassFailJFrame.Builder + - JDK-8340214: C2 compilation asserts with "no node with a side effect" in PhaseIdealLoop::try_sink_out_of_loop + - JDK-8340230: Tests crash: assert(is_in_encoding_range || k->is_interface() || k->is_abstract()) failed: sanity + - JDK-8340306: Add border around instructions in PassFailJFrame + - JDK-8340308: PassFailJFrame: Make rows default to number of lines in instructions + - JDK-8340365: Position the first window of a window list + - JDK-8340383: VM issues warning failure to find kernel32.dll on Windows nanoserver + - JDK-8340387: Update OS detection code to recognize Windows Server 2025 + - JDK-8340398: [JVMCI] Unintuitive behavior of UseJVMCICompiler option + - JDK-8340418: GHA: MacOS AArch64 bundles can be removed prematurely + - JDK-8340461: Amend description for logArea + - JDK-8340466: Add description for PassFailJFrame constructors + - JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names + - JDK-8340590: RISC-V: C2: Small improvement to vector gather load and scatter store + - JDK-8340632: ProblemList java/nio/channels/DatagramChannel/ for Macos + - JDK-8340657: [PPC64] SA determines wrong unextendedSP + - JDK-8340684: Reading from an input stream backed by a closed ZipFile has no test coverage + - JDK-8340785: Update description of PassFailJFrame and samples + - JDK-8340799: Add border inside instruction frame in PassFailJFrame + - JDK-8340801: Disable ubsan checks in some awt/2d coding + - JDK-8340804: doc/building.md update Xcode instructions to note that full install is required + - JDK-8340812: LambdaForm customization via MethodHandle::updateForm is not thread safe + - JDK-8340815: Add SECURITY.md file + - JDK-8340899: Remove wildcard bound in PositionWindows.positionTestWindows + - JDK-8340923: The class LogSelection copies uninitialized memory + - JDK-8341024: [test] build/AbsPathsInImage.java fails with OOM when using ubsan-enabled binaries + - JDK-8341146: RISC-V: Unnecessary fences used for load-acquire in template interpreter + - JDK-8341235: Improve default instruction frame title in PassFailJFrame + - JDK-8341261: Tests assume UnlockExperimentalVMOptions is disabled by default + - JDK-8341562: RISC-V: Generate comments in -XX:+PrintInterpreter to link to source code + - JDK-8341688: Aarch64: Generate comments in -XX:+PrintInterpreter to link to source code + - JDK-8341722: Fix some warnings as errors when building on Linux with toolchain clang + - JDK-8341806: Gcc version detection failure on Alinux3 + - JDK-8341927: Replace hardcoded security providers with new test.provider.name system property + - JDK-8341997: Tests create files in src tree instead of scratch dir + - JDK-8342014: RISC-V: ZStoreBarrierStubC2 clobbers rflags + - JDK-8342063: [21u][aix] Backport introduced redundant line in ProblemList + - JDK-8342181: Update tests to use stronger Key and Salt size + - JDK-8342183: Update tests to use stronger algorithms and keys + - JDK-8342188: Update tests to use stronger key parameters and certificates + - JDK-8342409: [s390x] C1 unwind_handler fails to unlock synchronized methods with LM_MONITOR + - JDK-8342496: C2/Shenandoah: SEGV in compiled code when running jcstress + - JDK-8342578: GHA: RISC-V: Bootstrap using Debian snapshot is still failing + - JDK-8342607: Enhance register printing on x86_64 platforms + - JDK-8342669: [21u] Fix TestArrayAllocatorMallocLimit after backport of JDK-8315097 + - JDK-8342681: TestLoadBypassesNullCheck.java fails improperly specified VM option + - JDK-8342701: [PPC64] TestOSRLotsOfLocals.java crashes + - JDK-8342765: [21u] RTM tests assume UnlockExperimentalVMOptions is disabled by default + - JDK-8342823: Ubsan: ciEnv.cpp:1614:65: runtime error: member call on null pointer of type 'struct CompileTask' + - JDK-8342905: Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501 redux + - JDK-8342962: [s390x] TestOSRLotsOfLocals.java crashes + - JDK-8343285: java.lang.Process is unresponsive and CPU usage spikes to 100% + - JDK-8343474: [updates] Customize README.md to specifics of update project + - JDK-8343506: [s390x] multiple test failures with ubsan + - JDK-8343724: [PPC64] Disallow OptoScheduling + - JDK-8343848: Fix typo of property name in TestOAEPPadding after 8341927 + - JDK-8343877: Test AsyncClose.java intermittent fails - Socket.getInputStream().read() wasn't preempted + - JDK-8343884: [s390x] Disallow OptoScheduling + - JDK-8343923: GHA: Switch to Xcode 15 on MacOS AArch64 runners + - JDK-8344164: [s390x] ProblemList hotspot/jtreg/runtime/NMT/VirtualAllocCommitMerge.java + - JDK-8344628: Test TestEnableJVMCIProduct.java run with virtual thread intermittent fails + - JDK-8344993: [21u] [REDO] Backport JDK-8327501 and JDK-8328366 to JDK 21 + - JDK-8345055: [21u] ProblemList failing rtm tests on ppc platforms + - JDK-8347010: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.6 + +Notes on individual issues: +=========================== + +core-libs/java.util.jar: + +JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files +=================================================================================================================== +In previous OpenJDK releases, when the jar tool extracted files from +an archive, it would overwrite any existing files with the same name +in the target directory. With this release, a new option ('-k' or +'--keep-old-files') may be specified so that existing files are not +overwritten. + +The option may be specified in short or long option form, as in the +following examples: + +* jar xkf foo.jar +* jar --extract --keep-old-files --file foo.jar + +By default, the old behaviour remains in place and files will be +overwritten. + +core-libs/java.time: + +JDK-8339637: (tz) Update Timezone Data to 2024b +=============================================== +This OpenJDK release upgrades the in-tree copy of the IANA timezone +database to 2024b. This timezone update is primarily concerned with +improving historical data for Mexico, Monogolia and Portugal. It also +makes Asia/Choibalsan an alias for Asia/Ulaanbaatar and makes the MET +timezone the same as CET. + +The 2024b update also makes a number of legacy timezone IDs equal to +geographical names rather than fixed offsets, as follows: + +* EST => America/Panama instead of -5:00 +* MST => America/Phoenix instead of -7:00 +* HST => Pacific/Honolulu instead of -10:00 + +For long term support releases of OpenJDK, this change is overridden +locally to retain the existing fixed offset mapping. + +New in release OpenJDK 21.0.5 (2024-10-15): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2105 + +* CVEs + - CVE-2024-21208 + - CVE-2024-21210 + - CVE-2024-21217 + - CVE-2024-21235 +* Security fixes + - JDK-8307383: Enhance DTLS connections + - JDK-8311208: Improve CDS Support + - JDK-8328286: Enhance HTTP client + - JDK-8328544: Improve handling of vectorization + - JDK-8328726: Better Kerberos support + - JDK-8331446: Improve deserialization support + - JDK-8332644: Improve graph optimizations + - JDK-8335713: Enhance vectorization analysis +* Other changes + - JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG + - JDK-6967482: TAB-key does not work in JTables after selecting details-view in JFileChooser + - JDK-7022325: TEST_BUG: test/java/util/zip/ZipFile/ReadLongZipFileName.java leaks files if it fails + - JDK-8051959: Add thread and timestamp options to java.security.debug system property + - JDK-8073061: (fs) Files.copy(foo, bar, REPLACE_EXISTING) deletes bar even if foo is not readable + - JDK-8166352: FilePane.createDetailsView() removes JTable TAB, SHIFT-TAB functionality + - JDK-8170817: G1: Returning MinTLABSize from unsafe_max_tlab_alloc causes TLAB flapping + - JDK-8211847: [aix] java/lang/ProcessHandle/InfoTest.java fails: "reported cputime less than expected" + - JDK-8211854: [aix] java/net/ServerSocket/AcceptInheritHandle.java fails: read times out + - JDK-8222884: ConcurrentClassDescLookup.java times out intermittently + - JDK-8238169: BasicDirectoryModel getDirectories and DoChangeContents.run can deadlock + - JDK-8241550: [macOS] SSLSocketImpl/ReuseAddr.java failed due to "BindException: Address already in use" + - JDK-8242564: javadoc crashes:: class cast exception com.sun.tools.javac.code.Symtab$6 + - JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed + - JDK-8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit + - JDK-8269428: java/util/concurrent/ConcurrentHashMap/ToArray.java timed out + - JDK-8269657: Test java/nio/channels/DatagramChannel/Loopback.java failed: Unexpected message + - JDK-8280120: [IR Framework] Add attribute to @IR to enable/disable IR matching based on the architecture + - JDK-8280392: java/awt/Focus/NonFocusableWindowTest/NonfocusableOwnerTest.java failed with "RuntimeException: Test failed." + - JDK-8280988: [XWayland] Click on title to request focus test failures + - JDK-8280990: [XWayland] XTest emulated mouse click does not bring window to front + - JDK-8283223: gc/stringdedup/TestStringDeduplicationFullGC.java#Parallel failed with "RuntimeException: String verification failed" + - JDK-8287325: AArch64: fix virtual threads with -XX:UseBranchProtection=pac-ret + - JDK-8291809: Convert compiler/c2/cr7200264/TestSSE2IntVect.java to IR verification test + - JDK-8294148: Support JSplitPane for instructions and test UI + - JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl when connection is idle + - JDK-8299487: Test java/net/httpclient/whitebox/SSLTubeTestDriver.java timed out + - JDK-8299790: os::print_hex_dump is racy + - JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java fails with jtreg test timeout due to lost datagram + - JDK-8301686: TLS 1.3 handshake fails if server_name doesn't match resuming session + - JDK-8303920: Avoid calling out to python in DataDescriptorSignatureMissing test + - JDK-8305072: Win32ShellFolder2.compareTo is inconsistent + - JDK-8305825: getBounds API returns wrong value resulting in multiple Regression Test Failures on Ubuntu 23.04 + - JDK-8307193: Several Swing jtreg tests use class.forName on L&F classes + - JDK-8307352: AARCH64: Improve itable_stub + - JDK-8307778: com/sun/jdi/cds tests fail with jtreg's Virtual test thread factory + - JDK-8307788: vmTestbase/gc/gctests/LargeObjects/large003/TestDescription.java timed out + - JDK-8308286: Fix clang warnings in linux code + - JDK-8308660: C2 compilation hits 'node must be dead' assert + - JDK-8309067: gtest/AsyncLogGtest.java fails again in stderrOutput_vm + - JDK-8309621: [XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1 + - JDK-8309685: Fix -Wconversion warnings in assembler and register code + - JDK-8309894: compiler/vectorapi/VectorLogicalOpIdentityTest.java fails on SVE system with UseSVE=0 + - JDK-8310072: JComboBox/DisabledComboBoxFontTestAuto: Enabled and disabled ComboBox does not match in these LAFs: GTK+ + - JDK-8310108: Skip ReplaceCriticalClassesForSubgraphs when EnableJVMCI is specified + - JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option + - JDK-8310334: [XWayland][Screencast] screen capture error message in debug + - JDK-8310628: GcInfoBuilder.c missing JNI Exception checks + - JDK-8310683: Refactor StandardCharset/standard.java to use JUnit + - JDK-8310906: Fix -Wconversion warnings in runtime, oops and some code header files. + - JDK-8311306: Test com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java failed: out of expected range + - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin + - JDK-8311989: Test java/lang/Thread/virtual/Reflection.java timed out + - JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved + - JDK-8312111: open/test/jdk/java/awt/Robot/ModifierRobotKey/ModifierRobotKeyTest.java fails on ubuntu 23.04 + - JDK-8312140: jdk/jshell tests failed with JDI socket timeouts + - JDK-8312200: Fix Parse::catch_call_exceptions memory leak + - JDK-8312229: Crash involving yield, switch and anonymous classes + - JDK-8313674: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java should test for more block devices + - JDK-8313697: [XWayland][Screencast] consequent getPixelColor calls are slow + - JDK-8313983: jmod create --target-platform should replace existing ModuleTarget attribute + - JDK-8314163: os::print_hex_dump prints incorrectly for big endian platforms and unit sizes larger than 1 + - JDK-8314225: SIGSEGV in JavaThread::is_lock_owned + - JDK-8314515: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=false i=8 j=0" + - JDK-8314614: jdk/jshell/ImportTest.java failed with "InternalError: Failed remote listen" + - JDK-8315024: Vector API FP reduction tests should not test for exact equality + - JDK-8315031: YoungPLABSize and OldPLABSize not aligned by ObjectAlignmentInBytes + - JDK-8315422: getSoTimeout() would be in try block in SSLSocketImpl + - JDK-8315505: CompileTask timestamp printed can overflow + - JDK-8315576: compiler/codecache/CodeCacheFullCountTest.java fails after JDK-8314837 + - JDK-8315804: Open source several Swing JTabbedPane JTextArea JTextField tests + - JDK-8315923: pretouch_memory by atomic-add-0 fragments huge pages unexpectedly + - JDK-8315965: Open source various AWT applet tests + - JDK-8315969: compiler/rangechecks/TestRangeCheckHoistingScaledIV.java: make flagless + - JDK-8316104: Open source several Swing SplitPane and RadioButton related tests + - JDK-8316131: runtime/cds/appcds/TestParallelGCWithCDS.java fails with JNI error + - JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak + - JDK-8316211: Open source several manual applet tests + - JDK-8316240: Open source several add/remove MenuBar manual tests + - JDK-8316285: Opensource JButton manual tests + - JDK-8316306: Open source and convert manual Swing test + - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes + - JDK-8316361: C2: assert(!failure) failed: Missed optimization opportunity in PhaseIterGVN with -XX:VerifyIterativeGVN=10 + - JDK-8316389: Open source few AWT applet tests + - JDK-8316756: C2 EA fails with "missing memory path" when encountering unsafe_arraycopy stub call + - JDK-8317112: Add screenshot for Frame/DefaultSizeTest.java + - JDK-8317128: java/nio/file/Files/CopyAndMove.java failed with AccessDeniedException + - JDK-8317240: Promptly free OopMapEntry after fail to insert the entry to OopMapCache + - JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java: Press on the outside area didn't cause ungrab + - JDK-8317299: safepoint scalarization doesn't keep track of the depth of the JVM state + - JDK-8317360: Missing null checks in JfrCheckpointManager and JfrStringPool initialization routines + - JDK-8317372: Refactor some NumberFormat tests to use JUnit + - JDK-8317446: ProblemList gc/arguments/TestNewSizeFlags.java on macosx-aarch64 in Xcomp + - JDK-8317449: ProblemList serviceability/jvmti/stress/StackTrace/NotSuspended/GetStackTraceNotSuspendedStressTest.java on several platforms + - JDK-8317635: Improve GetClassFields test to verify correctness of field order + - JDK-8317696: Fix compilation with clang-16 + - JDK-8317738: CodeCacheFullCountTest failed with "VirtualMachineError: Out of space in CodeCache for method handle intrinsic" + - JDK-8317831: compiler/codecache/CheckLargePages.java fails on OL 8.8 with unexpected memory string + - JDK-8318071: IgnoreUnrecognizedVMOptions flag still causes failure in ArchiveHeapTestClass + - JDK-8318479: [jmh] the test security.CacheBench failed for multiple threads run + - JDK-8318605: Enable parallelism in vmTestbase/nsk/stress/stack tests + - JDK-8319197: Exclude hb-subset and hb-style from compilation + - JDK-8319406: x86: Shorter movptr(reg, imm) for 32-bit immediates + - JDK-8319773: Avoid inflating monitors when installing hash codes for LM_LIGHTWEIGHT + - JDK-8319793: C2 compilation fails with "Bad graph detected in build_loop_late" after JDK-8279888 + - JDK-8319817: Charset constructor should make defensive copy of aliases + - JDK-8319818: Address GCC 13.2.0 warnings (stringop-overflow and dangling-pointer) + - JDK-8320079: The ArabicBox.java test has no control buttons + - JDK-8320212: Disable GCC stringop-overflow warning for affected files + - JDK-8320379: C2: Sort spilling/unspilling sequence for better ld/st merging into ldp/stp on AArch64 + - JDK-8320602: Lock contention in SchemaDVFactory.getInstance() + - JDK-8320608: Many jtreg printing tests are missing the @printer keyword + - JDK-8320655: awt screencast robot spin and sync issues with native libpipewire api + - JDK-8320675: PrinterJob/SecurityDialogTest.java hangs + - JDK-8320945: problemlist tests failing on latest Windows 11 update + - JDK-8321025: Enable Neoverse N1 optimizations for Neoverse V2 + - JDK-8321176: [Screencast] make a second attempt on screencast failure + - JDK-8321206: Make Locale related system properties `StaticProperty` + - JDK-8321220: JFR: RecordedClass reports incorrect modifiers + - JDK-8321278: C2: Partial peeling fails with assert "last_peel <- first_not_peeled" + - JDK-8321509: False positive in get_trampoline fast path causes crash + - JDK-8321933: TestCDSVMCrash.java spawns two processes + - JDK-8322008: Exclude some CDS tests from running with -Xshare:off + - JDK-8322062: com/sun/jdi/JdwpAllowTest.java does not performs negative testing with prefix length + - JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC and ZGC + - JDK-8322726: C2: Unloaded signature class kills argument value + - JDK-8322743: C2: prevent lock region elimination in OSR compilation + - JDK-8322766: Micro bench SSLHandshake should use default algorithms + - JDK-8322881: java/nio/file/Files/CopyMoveVariations.java fails with AccessDeniedException due to permissions of files in /tmp + - JDK-8322971: KEM.getInstance() should check if a 3rd-party security provider is signed + - JDK-8322996: BoxLockNode creation fails with assert(reg < CHUNK_SIZE) failed: sanity + - JDK-8323122: AArch64: Increase itable stub size estimate + - JDK-8323196: jdk/jfr/api/consumer/filestream/TestOrdered.java failed with "Events are not ordered! Reuse = false" + - JDK-8323274: C2: array load may float above range check + - JDK-8323552: AbstractMemorySegmentImpl#mismatch returns -1 when comparing distinct areas of the same instance of MemorySegment + - JDK-8323577: C2 SuperWord: remove AlignVector restrictions on IR tests added in JDK-8305055 + - JDK-8323584: AArch64: Unnecessary ResourceMark in NativeCall::set_destination_mt_safe + - JDK-8323670: A few client tests intermittently throw ConcurrentModificationException + - JDK-8323682: C2: guard check is not generated in Arrays.copyOfRange intrinsic when allocation is eliminated by EA + - JDK-8323782: Race: Thread::interrupt vs. AbstractInterruptibleChannel.begin + - JDK-8323801: tag doesn't strikethrough the text + - JDK-8323972: C2 compilation fails with assert(!x->as_Loop()->is_loop_nest_inner_loop()) failed: loop was transformed + - JDK-8324174: assert(m->is_entered(current)) failed: invariant + - JDK-8324577: [REDO] - [IMPROVE] OPEN_MAX is no longer the max limit on macOS >= 10.6 for RLIMIT_NOFILE + - JDK-8324580: SIGFPE on THP initialization on kernels < 4.10 + - JDK-8324641: [IR Framework] Add Setup method to provide custom arguments and set fields + - JDK-8324668: JDWP process management needs more efficient file descriptor handling + - JDK-8324755: Enable parallelism in vmTestbase/gc/gctests/LargeObjects tests + - JDK-8324781: runtime/Thread/TestAlwaysPreTouchStacks.java failed with Expected a higher ratio between stack committed and reserved + - JDK-8324808: Manual printer tests have no Pass/Fail buttons, instructions close set 3 + - JDK-8324969: C2: prevent elimination of unbalanced coarsened locking regions + - JDK-8324983: Race in CompileBroker::possibly_add_compiler_threads + - JDK-8325022: Incorrect error message on client authentication + - JDK-8325037: x86: enable and fix hotspot/jtreg/compiler/vectorization/TestRoundVectFloat.java + - JDK-8325083: jdk/incubator/vector/Double512VectorTests.java crashes in Assembler::vex_prefix_and_encode + - JDK-8325179: Race in BasicDirectoryModel.validateFileCache + - JDK-8325218: gc/parallel/TestAlwaysPreTouchBehavior.java fails + - JDK-8325382: (fc) FileChannel.transferTo throws IOException when position equals size + - JDK-8325384: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java failing intermittently when main thread is a virtual thread + - JDK-8325469: Freeze/Thaw code can crash in the presence of OSR frames + - JDK-8325494: C2: Broken graph after not skipping CastII node anymore for Assertion Predicates after JDK-8309902 + - JDK-8325520: Vector loads and stores with indices and masks incorrectly compiled + - JDK-8325542: CTW: Runner can produce negative StressSeed + - JDK-8325587: Shenandoah: ShenandoahLock should allow blocking in VM + - JDK-8325616: JFR ZGC Allocation Stall events should record stack traces + - JDK-8325620: HTMLReader uses ConvertAction instead of specified CharacterAction for , , + - JDK-8325754: Dead AbstractQueuedSynchronizer$ConditionNodes survive minor garbage collections + - JDK-8325763: Revert properties: vm.opt.x.* + - JDK-8326106: Write and clear stack trace table outside of safepoint + - JDK-8326129: Java Record Pattern Match leads to infinite loop + - JDK-8326332: Unclosed inline tags cause misalignment in summary tables + - JDK-8326717: Disable stringop-overflow in shenandoahLock.cpp + - JDK-8326734: text-decoration applied to lost when mixed with or + - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails + - JDK-8327040: Problemlist ActionListenerCalledTwiceTest.java test failing in macos14 + - JDK-8327137: Add test for ConcurrentModificationException in BasicDirectoryModel + - JDK-8327401: Some jtreg tests fail on Wayland without any tracking bug + - JDK-8327423: C2 remove_main_post_loops: check if main-loop belongs to pre-loop, not just assert + - JDK-8327424: ProblemList serviceability/sa/TestJmapCore.java on all platforms with ZGC + - JDK-8327501: Common ForkJoinPool prevents class unloading in some cases + - JDK-8327650: Test java/nio/channels/DatagramChannel/StressNativeSignal.java timed out + - JDK-8327787: Convert javax/swing/border/Test4129681.java applet test to main + - JDK-8327840: Automate javax/swing/border/Test4129681.java + - JDK-8327990: [macosx-aarch64] Various tests fail with -XX:+AssertWXAtThreadSync + - JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/GetBoundsResizeTest.java applet test to main + - JDK-8328075: Shenandoah: Avoid forwarding when objects don't move in full-GC + - JDK-8328110: Allow simultaneous use of PassFailJFrame with split UI and additional windows + - JDK-8328115: Convert java/awt/font/TextLayout/TestJustification.html applet test to main + - JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest to automatic main test + - JDK-8328218: Delete test java/awt/Window/FindOwner/FindOwner.html + - JDK-8328234: Remove unused nativeUtils files + - JDK-8328238: Convert few closed manual applet tests to main + - JDK-8328269: NonFocusablePopupMenuTest.java should be marked as headful + - JDK-8328273: sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java failed with java.rmi.server.ExportException: Port already in use + - JDK-8328366: Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501 + - JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/ClickDuringKeypress.java imports Applet + - JDK-8328561: test java/awt/Robot/ManualInstructions/ManualInstructions.java isn't used + - JDK-8328642: Convert applet test MouseDraggedOutCauseScrollingTest.html to main + - JDK-8328647: TestGarbageCollectorMXBean.java fails with C1-only and -Xcomp + - JDK-8328697: SubMenuShowTest and SwallowKeyEvents tests stabilization + - JDK-8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0 + - JDK-8328896: Fontmetrics for large Fonts has zero width + - JDK-8328953: JEditorPane.read throws ChangedCharSetException + - JDK-8328999: Update GIFlib to 5.2.2 + - JDK-8329004: Update Libpng to 1.6.43 + - JDK-8329088: Stack chunk thawing races with concurrent GC stack iteration + - JDK-8329103: assert(!thread->in_asgct()) failed during multi-mode profiling + - JDK-8329126: No native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462 + - JDK-8329134: Reconsider TLAB zapping + - JDK-8329258: TailCall should not use frame pointer register for jump target + - JDK-8329510: Update ProblemList for JFileChooser/8194044/FileSystemRootTest.java + - JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed because The End and Start buttons are not placed correctly and Tab focus does not move as expected + - JDK-8329665: fatal error: memory leak: allocating without ResourceMark + - JDK-8329667: [macos] Issue with JTree related fix for JDK-8317771 + - JDK-8329995: Restricted access to `/proc` can cause JFR initialization to crash + - JDK-8330027: Identity hashes of archived objects must be based on a reproducible random seed + - JDK-8330063: Upgrade jQuery to 3.7.1 + - JDK-8330133: libj2pkcs11.so crashes on some pkcs#11 v3.0 libraries + - JDK-8330146: assert(!_thread->is_in_any_VTMS_transition()) failed + - JDK-8330520: linux clang build fails in os_linux.cpp with static_assert with no message is a C++17 extension + - JDK-8330576: ZYoungCompactionLimit should have range check + - JDK-8330611: AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512) + - JDK-8330748: ByteArrayOutputStream.writeTo(OutputStream) pins carrier + - JDK-8330814: Cleanups for KeepAliveCache tests + - JDK-8330819: C2 SuperWord: bad dominance after pre-loop limit adjustment with base that has CastLL after pre-loop + - JDK-8330849: Add test to verify memory usage with recursive locking + - JDK-8330981: ZGC: Should not dedup strings in the finalizer graph + - JDK-8331011: [XWayland] TokenStorage fails under Security Manager + - JDK-8331063: Some HttpClient tests don't report leaks + - JDK-8331077: nroff man page update for jar tool + - JDK-8331142: Add test for number of loader threads in BasicDirectoryModel + - JDK-8331153: JFR: Improve logging of jdk/jfr/api/consumer/filestream/TestOrdered.java + - JDK-8331164: createJMHBundle.sh download jars fail when url needed to be redirected + - JDK-8331266: Bump update version for OpenJDK: jdk-21.0.5 + - JDK-8331405: Shenandoah: Optimize ShenandoahLock with TTAS + - JDK-8331411: Shenandoah: Reconsider spinning duration in ShenandoahLock + - JDK-8331421: ubsan: vmreg.cpp checking error member call on misaligned address + - JDK-8331495: Limit BasicDirectoryModel/LoaderThreadCount.java to Windows only + - JDK-8331518: Tests should not use the "Classpath" exception form of the legal header + - JDK-8331572: Allow using OopMapCache outside of STW GC phases + - JDK-8331573: Rename CollectedHeap::is_gc_active to be explicitly about STW GCs + - JDK-8331575: C2: crash when ConvL2I is split thru phi at LongCountedLoop + - JDK-8331605: jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java test failure + - JDK-8331626: unsafe.cpp:162:38: runtime error in index_oop_from_field_offset_long - applying non-zero offset 4563897424 to null pointer + - JDK-8331714: Make OopMapCache installation lock-free + - JDK-8331731: ubsan: relocInfo.cpp:155:30: runtime error: applying non-zero offset to null pointer + - JDK-8331746: Create a test to verify that the cmm id is not ignored + - JDK-8331771: ZGC: Remove OopMapCacheAlloc_lock ordering workaround + - JDK-8331789: ubsan: deoptimization.cpp:403:29: runtime error: load of value 208, which is not a valid value for type 'bool' + - JDK-8331798: Remove unused arg of checkErgonomics() in TestMaxHeapSizeTools.java + - JDK-8331854: ubsan: copy.hpp:218:10: runtime error: addition of unsigned offset to 0x7fc2b4024518 overflowed to 0x7fc2b4024510 + - JDK-8331863: DUIterator_Fast used before it is constructed + - JDK-8331885: C2: meet between unloaded and speculative types is not symmetric + - JDK-8331931: JFR: Avoid loading regex classes during startup + - JDK-8331999: BasicDirectoryModel/LoaderThreadCount.java frequently fails on Windows in CI + - JDK-8332008: Enable issuestitle check + - JDK-8332113: Update nsk.share.Log to be always verbose + - JDK-8332154: Memory leak in SynchronousQueue + - JDK-8332174: Remove 2 (unpaired) RLO Unicode characters in ff_Adlm.xml + - JDK-8332248: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java failed with RuntimeException + - JDK-8332424: Update IANA Language Subtag Registry to Version 2024-05-16 + - JDK-8332431: NullPointerException in JTable of SwingSet2 + - JDK-8332473: ubsan: growableArray.hpp:290:10: runtime error: null pointer passed as argument 1, which is declared to never be null + - JDK-8332490: JMH org.openjdk.bench.java.util.zip.InflaterInputStreams.inflaterInputStreamRead OOM + - JDK-8332499: Gtest codestrings.validate_vm fail on linux x64 when hsdis is present + - JDK-8332524: Instead of printing "TLSv1.3," it is showing "TLS13" + - JDK-8332589: ubsan: unix/native/libjava/ProcessImpl_md.c:562:5: runtime error: null pointer passed as argument 2, which is declared to never be null + - JDK-8332675: test/hotspot/jtreg/gc/testlibrary/Helpers.java compileClass javadoc does not match after 8321812 + - JDK-8332699: ubsan: jfrEventSetting.inline.hpp:31:43: runtime error: index 163 out of bounds for type 'jfrNativeEventSetting [162]' + - JDK-8332717: ZGC: Division by zero in heuristics + - JDK-8332720: ubsan: instanceKlass.cpp:3550:76: runtime error: member call on null pointer of type 'struct Array' + - JDK-8332818: ubsan: archiveHeapLoader.cpp:70:27: runtime error: applying non-zero offset 18446744073707454464 to null pointer + - JDK-8332825: ubsan: guardedMemory.cpp:35:11: runtime error: null pointer passed as argument 2, which is declared to never be null + - JDK-8332885: Clarify failure_handler self-tests + - JDK-8332894: ubsan: vmError.cpp:2090:26: runtime error: division by zero + - JDK-8332898: failure_handler: log directory of commands + - JDK-8332903: ubsan: opto/output.cpp:1002:18: runtime error: load of value 171, which is not a valid value for type 'bool' + - JDK-8332904: ubsan ppc64le: c1_LIRGenerator_ppc.cpp:581:21: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int' + - JDK-8332905: C2 SuperWord: bad AD file, with RotateRightV and first operand not a pack + - JDK-8332920: C2: Partial Peeling is wrongly applied for CmpU with negative limit + - JDK-8332935: Crash: assert(*lastPtr != 0) failed: Mismatched JNINativeInterface tables, check for new entries + - JDK-8332936: Test vmTestbase/metaspace/gc/watermark_70_80/TestDescription.java fails with no GC's recorded + - JDK-8332959: C2: ZGC fails with 'Incorrect load shift' when invoking Object.clone() reflectively on an array + - JDK-8333088: ubsan: shenandoahAdaptiveHeuristics.cpp:245:44: runtime error: division by zero + - JDK-8333093: Incorrect comment in zAddress_aarch64.cpp + - JDK-8333099: Missing check for is_LoadVector in StoreNode::Identity + - JDK-8333149: ubsan : memset on nullptr target detected in jvmtiEnvBase.cpp get_object_monitor_usage + - JDK-8333178: ubsan: jvmti_tools.cpp:149:16: runtime error: null pointer passed as argument 2, which is declared to never be null + - JDK-8333270: HandlersOnComplexResetUpdate and HandlersOnComplexUpdate tests fail with "Unexpected reference" if timeoutFactor is less than 1/3 + - JDK-8333277: ubsan: mlib_ImageScanPoly.c:292:43: runtime error: division by zero + - JDK-8333353: Delete extra empty line in CodeBlob.java + - JDK-8333354: ubsan: frame.inline.hpp:91:25: and src/hotspot/share/runtime/frame.inline.hpp:88:29: runtime error: member call on null pointer of type 'const struct SmallRegisterMap' + - JDK-8333361: ubsan,test : libHeapMonitorTest.cpp:518:9: runtime error: null pointer passed as argument 2, which is declared to never be null + - JDK-8333363: ubsan: instanceKlass.cpp: runtime error: member call on null pointer of type 'struct AnnotationArray' + - JDK-8333366: C2: CmpU3Nodes are not pushed back to worklist in PhaseCCP leading to non-fixpoint assertion failure + - JDK-8333398: Uncomment the commented test in test/jdk/java/util/jar/JarFile/mrjar/MultiReleaseJarAPI.java + - JDK-8333462: Performance regression of new DecimalFormat() when compare to jdk11 + - JDK-8333477: Delete extra empty spaces in Makefiles + - JDK-8333542: Breakpoint in parallel code does not work + - JDK-8333622: ubsan: relocInfo_x86.cpp:101:56: runtime error: pointer index expression with base (-1) overflowed + - JDK-8333639: ubsan: cppVtables.cpp:81:55: runtime error: index 14 out of bounds for type 'long int [1]' + - JDK-8333652: RISC-V: compiler/vectorapi/VectorGatherMaskFoldingTest.java fails when using RVV + - JDK-8333716: Shenandoah: Check for disarmed method before taking the nmethod lock + - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1 + - JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw an exception with 0 failures + - JDK-8333887: ubsan: unsafe.cpp:247:13: runtime error: store to null pointer of type 'volatile int' + - JDK-8334078: RISC-V: TestIntVect.java fails after JDK-8332153 when running without RVV + - JDK-8334123: log the opening of Type 1 fonts + - JDK-8334166: Enable binary check + - JDK-8334239: Introduce macro for ubsan method/function exclusions + - JDK-8334297: (so) java/nio/channels/SocketChannel/OpenLeak.java should not depend on SecurityManager + - JDK-8334332: TestIOException.java fails if run by root + - JDK-8334333: MissingResourceCauseTestRun.java fails if run by root + - JDK-8334339: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java fails on alinux3 + - JDK-8334418: Update IANA Language Subtag Registry to Version 2024-06-14 + - JDK-8334421: assert(!oldbox->is_unbalanced()) failed: this should not be called for unbalanced region + - JDK-8334482: Shenandoah: Deadlock when safepoint is pending during nmethods iteration + - JDK-8334592: ProblemList serviceability/jvmti/stress/StackTrace/NotSuspended/GetStackTraceNotSuspendedStressTest.java in jdk21 on all platforms + - JDK-8334594: Generational ZGC: Deadlock after OopMap rewrites in 8331572 + - JDK-8334600: TEST java/net/MulticastSocket/IPMulticastIF.java fails on linux-aarch64 + - JDK-8334618: ubsan: support setting additional ubsan check options + - JDK-8334653: ISO 4217 Amendment 177 Update + - JDK-8334769: Shenandoah: Move CodeCache_lock close to its use in ShenandoahConcurrentNMethodIterator + - JDK-8334867: Add back assertion from JDK-8325494 + - JDK-8335007: Inline OopMapCache table + - JDK-8335134: Test com/sun/jdi/BreakpointOnClassPrepare.java timeout + - JDK-8335150: Test LogGeneratedClassesTest.java fails on rpmbuild mock enviroment + - JDK-8335237: ubsan: vtableStubs.hpp is_vtable_stub exclude from ubsan checks + - JDK-8335283: Build failure due to 'no_sanitize' attribute directive ignored + - JDK-8335409: Can't allocate and retain memory from resource area in frame::oops_interpreted_do oop closure after 8329665 + - JDK-8335493: check_gc_overhead_limit should reset SoftRefPolicy::_should_clear_all_soft_refs + - JDK-8335536: Fix assertion failure in IdealGraphPrinter when append is true + - JDK-8335743: jhsdb jstack cannot print some information on the waiting thread + - JDK-8335775: Remove extraneous 's' in comment of rawmonitor.cpp test file + - JDK-8335904: Fix invalid comment in ShenandoahLock + - JDK-8335967: "text-decoration: none" does not work with "A" HTML tags + - JDK-8336284: Test TestClhsdbJstackLock.java/TestJhsdbJstackLock.java fails with -Xcomp after JDK-8335743 + - JDK-8336301: test/jdk/java/nio/channels/AsyncCloseAndInterrupt.java leaves around a FIFO file upon test completion + - JDK-8336342: Fix known X11 library locations in sysroot + - JDK-8336343: Add more known sysroot library locations for ALSA + - JDK-8336926: jdk/internal/util/ReferencedKeyTest.java can fail with ConcurrentModificationException + - JDK-8336928: GHA: Bundle artifacts removal broken + - JDK-8337038: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java shoud set as /native + - JDK-8337283: configure.log is truncated when build dir is on different filesystem + - JDK-8337622: IllegalArgumentException in java.lang.reflect.Field.get + - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs + - JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods + - JDK-8338286: GHA: Demote x86_32 to hotspot build only + - JDK-8338696: (fs) BasicFileAttributes.creationTime() falls back to epoch if birth time is unavailable (Linux) + - JDK-8339869: [21u] Test CreationTime.java fails with UnsatisfiedLinkError after 8334339 + - JDK-8341057: Add 2 SSL.com TLS roots + - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 + - JDK-8341674: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.5 + - JDK-8341989: [21u] Back out JDK-8327501 and JDK-8328366 + +Notes on individual issues: +=========================== + +security-libs/javax.net.ssl: + +JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs +JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 +==================================================================================================== +In accordance with similar plans recently announced by Google and +Mozilla, the JDK will not trust Transport Layer Security (TLS) +certificates issued after the 11th of November 2024 which are anchored +by Entrust root certificates. This includes certificates branded as +AffirmTrust, which are managed by Entrust. + +Certificates issued on or before November 11th, 2024 will continue to +be trusted until they expire. + +If a server's certificate chain is anchored by an affected +certificate, attempts to negotiate a TLS session will fail with an +Exception that indicates the trust anchor is not trusted. For example, + +"TLS server certificate issued after 2024-11-11 and anchored by a +distrusted legacy Entrust root CA: CN=Entrust.net Certification +Authority (2048), OU=(c) 1999 Entrust.net Limited, +OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), +O=Entrust.net" + +To check whether a certificate in a JDK keystore is affected by this +change, you can the `keytool` utility: + +keytool -v -list -alias -keystore + +If any of the certificates in the chain are affected by this change, +then you will need to update the certificate or contact the +organisation responsible for managing the certificate. + +These restrictions apply to the following Entrust root certificates +included in the JDK: + +Alias name: entrustevca [jdk] +CN=Entrust Root Certification Authority +OU=(c) 2006 Entrust, Inc. +OU=www.entrust.net/CPS is incorporated by reference +O=Entrust, Inc. +C=US +SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C + +Alias name: entrustrootcaec1 [jdk] +CN=Entrust Root Certification Authority - EC1 +OU=(c) 2012 Entrust, Inc. - for authorized use only +OU=See www.entrust.net/legal-terms +O=Entrust, Inc. +C=US +SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 + +Alias name: entrustrootcag2 [jdk] +CN=Entrust Root Certification Authority - G2 +OU=(c) 2009 Entrust, Inc. - for authorized use only +OU=See www.entrust.net/legal-terms +O=Entrust, Inc. +C=US +SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 + +Alias name: entrustrootcag4 [jdk] +CN=Entrust Root Certification Authority - G4 +OU=(c) 2015 Entrust, Inc. - for authorized use only +OU=See www.entrust.net/legal-terms +O=Entrust, Inc. +C=US +SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 + +Alias name: entrust2048ca [jdk] +CN=Entrust.net Certification Authority (2048) +OU=(c) 1999 Entrust.net Limited +OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) +O=Entrust.net +SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 + +Alias name: affirmtrustcommercialca [jdk] +CN=AffirmTrust Commercial +O=AffirmTrust +C=US +SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 + +Alias name: affirmtrustnetworkingca [jdk] +CN=AffirmTrust Networking +O=AffirmTrust +C=US +SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B + +Alias name: affirmtrustpremiumca [jdk] +CN=AffirmTrust Premium +O=AffirmTrust +C=US +SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A + +Alias name: affirmtrustpremiumeccca [jdk] +CN=AffirmTrust Premium ECC +O=AffirmTrust +C=US +SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "ENTRUST_TLS" is no +longer listed in the `jdk.security.caDistrustPolicies` security +property. + +security-libs/javax.crypto: + +JDK-8322971: `KEM.getInstance()` Should Check If a Third-Party Security Provider Is Signed +========================================================================================== +The JDK's cryptographic framework authenticates third party security +provider implementations by determining the provider's codebase and +verifying its signature. In previous OpenJDK releases, this +authentication did not take place for Key Encapsulation Mechanism +(KEM) implementations. With this release, KEM implementations are +authenticated in a manner consistent with other JDK service types, +such as Cipher and Mac providers. + +tools/launcher: + +JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option +=========================================================================== + +In previous releases of OpenJDK, the `-XshowSettings` launcher option printed a +long list of available locales which obscured other settings. In this release, +the `-XshowSettings` launcher option no longer prints the list of available +locales by default. To view all settings related to available locales, users +can now use the -XshowSettings:locale option. + +security-libs/java.security: + +JDK-8051959: Add thread and timestamp options to java.security.debug system property +==================================================================================== +This release adds the following additional options to the +`java.security.debug` property which can be applied to any specified +component: + +* `+timestamp`: Print a timestamp with each debug statement. +* `+thread`: Print thread and caller information for each debug statement. + +For example, `-Djava.security.debug=all+timestamp+thread` turns on +debug information for all components with both timestamps and thread +information. + +In contrast, `-Djava.security.debug=properties+timestamp` turns on +debug information only for security properties and includes a +timestamp. + +You can use `-Djava.security.debug=help` to display a complete list of +supported components and options. + +JDK-8341057: Add 2 SSL.com TLS roots +==================================== +The following root certificates have been added to the cacerts +truststore: + +Name: SSL.com +Alias Name: ssltlsrootecc2022 +Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US + +Name: SSL.com +Alias Name: ssltlsrootrsa2022 +Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US + +core-libs/java.net: + +JDK-8328286: Enhance HTTP client +================================ +This OpenJDK release limits the maximum header field size accepted by +the HTTP client within the JDK for all supported versions of the HTTP +protocol. The header field size is computed as the sum of the size of +the uncompressed header name, the size of the uncompressed header +value and a overhead of 32 bytes for each field section line. If a +peer sends a field section that exceeds this limit, a +`java.net.ProtocolException` will be raised. + +This release also introduces a new system property, +`jdk.http.maxHeaderSize`. This property can be used to alter the +maximum header field size (in bytes) or disable it by setting the +value to zero or a negative value. The default value is 393,216 bytes +or 384kB. + +core-svc/java.lang.management: + +JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods +========================================================================================================== +In previous OpenJDK releases, the behaviour of the `isVerbose` and +`setVerbose` methods in `ClassLoadingMXBean` and `MemoryMXBean` was +inconsistent. The `setVerbose` method would only alter the level of +logging to `stdout`, setting it to `info` when passed the argument +`true`, and `off` when passed `false`. However, the `isVerbose` method +would check if logging was enabled on any output, causing it to return +`true` due to the presence of file logging, even when +`setVerbose(false)` had been called to turn off `stdout` logging. +With this release, the `isVerbose` methods only return `true` if +`stdout` logging is enabled. + +New in release OpenJDK 21.0.4 (2024-07-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2104 + +* CVEs + - CVE-2024-21131 + - CVE-2024-21138 + - CVE-2024-21140 + - CVE-2024-21145 + - CVE-2024-21147 +* Security fixes + - JDK-8314794: Improve UTF8 String supports + - JDK-8319859: Better symbol storage + - JDK-8320097: Improve Image transformations + - JDK-8320548: Improved loop handling + - JDK-8323231: Improve array management + - JDK-8323390: Enhance mask blit functionality + - JDK-8324559: Improve 2D image handling + - JDK-8325600: Better symbol storage + - JDK-8327413: Enhance compilation efficiency +* Other changes + - JDK-7001133: OutOfMemoryError by CustomMediaSizeName implementation + - JDK-8159927: Add a test to verify JMOD files created in the images do not have debug symbols + - JDK-8185862: AWT Assertion Failure in ::GetDIBits(hBMDC, hBM, 0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at line 185 + - JDK-8187759: Background not refreshed when painting over a transparent JFrame + - JDK-8223696: java/net/httpclient/MaxStreams.java failed with didn't finish within the time-out + - JDK-8259866: two java.util tests failed with "IOException: There is not enough space on the disk" + - JDK-8266242: java/awt/GraphicsDevice/CheckDisplayModes.java failing on macOS 11 ARM + - JDK-8278527: java/util/concurrent/tck/JSR166TestCase.java fails nanoTime test + - JDK-8280056: gtest/LargePageGtests.java#use-large-pages failed "os.release_one_mapping_multi_commits_vm" + - JDK-8281658: Add a security category to the java -XshowSettings option + - JDK-8288936: Wrong lock ordering writing G1HeapRegionTypeChange JFR event + - JDK-8288989: Make tests not depend on the source code + - JDK-8293069: Make -XX:+Verbose less verbose + - JDK-8293850: need a largest_committed metric for each category of NMT's output + - JDK-8294699: Launcher causes lingering busy cursor + - JDK-8294985: SSLEngine throws IAE during parsing of X500Principal + - JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries + - JDK-8299023: TestPLABResize.java and TestPLABPromotion.java are failing intermittently + - JDK-8301183: (zipfs) jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java failing with ZipException:R0 on OL9 + - JDK-8303525: Refactor/cleanup open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java + - JDK-8303773: Replace "main.wrapper" with "test.thread.factory" property in test code + - JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file + - JDK-8303959: tools/jpackage/share/RuntimePackageTest.java fails with java.lang.AssertionError missing files + - JDK-8303972: (zipfs) Make test/jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java independent of the zip command line + - JDK-8304839: Move TestScaffold.main() to the separate class DebugeeWrapper + - JDK-8305645: System Tray icons get corrupted when Windows primary monitor changes + - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none" + - JDK-8306040: HttpResponseInputStream.available() returns 1 on empty stream + - JDK-8308144: Uncontrolled memory consumption in SSLFlowDelegate.Reader + - JDK-8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12 + - JDK-8309142: Refactor test/langtools/tools/javac/versions/Versions.java + - JDK-8309752: com/sun/jdi/SetLocalWhileThreadInNative.java fails with virtual test thread factory due to OpaqueFrameException + - JDK-8309757: com/sun/jdi/ReferrersTest.java fails with virtual test thread factory + - JDK-8309763: Move tests in test/jdk/sun/misc/URLClassPath directory to test/jdk/jdk/internal/loader + - JDK-8309871: jdk/jfr/api/consumer/recordingstream/TestSetEndTime.java timed out + - JDK-8309890: TestStringDeduplicationInterned.java waits for the wrong condition + - JDK-8310070: Test: javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out + - JDK-8310228: Improve error reporting for uncaught native exceptions on Windows + - JDK-8310234: Refactor Locale tests to use JUnit + - JDK-8310355: Move the stub test from initialize_final_stubs() to test/hotspot/gtest + - JDK-8310513: [s390x] Intrinsify recursive ObjectMonitor locking + - JDK-8310731: Configure a javax.net.ssl.SNIMatcher for the HTTP/1.1 test servers in java/net/httpclient tests + - JDK-8310818: Refactor more Locale tests to use JUnit + - JDK-8310913: Move ReferencedKeyMap to jdk.internal so it may be shared + - JDK-8311792: java/net/httpclient/ResponsePublisher.java fails intermittently with AssertionError: Found some outstanding operations + - JDK-8311823: JFR: Uninitialized EventEmitter::_thread_id field + - JDK-8311881: jdk/javax/swing/ProgressMonitor/ProgressTest.java does not show the ProgressMonitorInputStream all the time + - JDK-8311964: Some jtreg tests failing on x86 with error 'unrecognized VM options' (C2 flags) + - JDK-8312014: [s390x] TestSigInfoInHsErrFile.java Failure + - JDK-8312194: test/hotspot/jtreg/applications/ctw/modules/jdk_crypto_ec.java cannot handle empty modules + - JDK-8312218: Print additional debug information when hitting assert(in_hash) + - JDK-8312320: Remove javax/rmi/ssl/SSLSocketParametersTest.sh from ProblemList + - JDK-8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection + - JDK-8312498: Thread::getState and JVM TI GetThreadState should return TIMED_WAITING virtual thread is timed parked + - JDK-8312777: notifyJvmtiMount before notifyJvmtiUnmount + - JDK-8313394: Array Elements in OldObjectSample event has the incorrect description + - JDK-8313612: Use JUnit in lib-test/jdk tests + - JDK-8313702: Update IANA Language Subtag Registry to Version 2023-08-02 + - JDK-8313710: jcmd: typo in the documentation of JFR.start and JFR.dump + - JDK-8313899: JVMCI exception Translation can fail in TranslatedException. + - JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account + - JDK-8314824: Fix serviceability/jvmti/8036666/GetObjectLockCount.java to use vm flags + - JDK-8314828: Mark 3 jcmd command-line options test as vm.flagless + - JDK-8314832: Few runtime/os tests ignore vm flags + - JDK-8314975: JavadocTester should set source path if not specified + - JDK-8315071: Modify TrayIconScalingTest.java, PrintLatinCJKTest.java to use new PassFailJFrame's builder pattern usage + - JDK-8315117: Update Zlib Data Compression Library to Version 1.3 + - JDK-8315373: Change VirtualThread to unmount after freezing, re-mount before thawing + - JDK-8315485: (fs) Move java/nio/file/Path/Misc.java tests into java/nio/file/Path/PathOps.java + - JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration + - JDK-8315559: Delay TempSymbol cleanup to avoid symbol table churn + - JDK-8315605: G1: Add number of nmethods in code roots scanning statistics + - JDK-8315609: Open source few more swing text/html tests + - JDK-8315652: RISC-V: Features string uses wrong separator for jtreg + - JDK-8315663: Open source misc awt tests + - JDK-8315677: Open source few swing JFileChooser and other tests + - JDK-8315741: Open source few swing JFormattedTextField and JPopupMenu tests + - JDK-8315824: Open source several Swing Text/HTML related tests + - JDK-8315834: Open source several Swing JSpinner related tests + - JDK-8315889: Open source several Swing HTMLDocument related tests + - JDK-8315898: Open source swing JMenu tests + - JDK-8315998: Remove dead ClassLoaderDataGraphKlassIteratorStatic + - JDK-8316002: Remove unnecessary seen_dead_loader in ClassLoaderDataGraph::do_unloading + - JDK-8316053: Open some swing tests 3 + - JDK-8316138: Add GlobalSign 2 TLS root certificates + - JDK-8316154: Opensource JTextArea manual tests + - JDK-8316164: Opensource JMenuBar manual test + - JDK-8316186: RISC-V: Remove PlatformCmpxchg<4> + - JDK-8316228: jcmd tests are broken by 8314828 + - JDK-8316242: Opensource SwingGraphics manual test + - JDK-8316451: 6 java/lang/instrument/PremainClass tests ignore VM flags + - JDK-8316460: 4 javax/management tests ignore VM flags + - JDK-8316559: Refactor some util/Calendar tests to JUnit + - JDK-8316563: test tools/jpackage/linux/LinuxResourceTest.java fails on CentOS Linux release 8.5.2111 and Fedora 27 + - JDK-8316608: Enable parallelism in vmTestbase/gc/vector tests + - JDK-8316669: ImmutableOopMapSet destructor not called + - JDK-8316670: Remove effectively unused nmethodBucket::_count + - JDK-8316696: Remove the testing base classes: IntlTest and CollatorTest + - JDK-8316924: java/lang/Thread/virtual/stress/ParkALot.java times out + - JDK-8316959: Improve InlineCacheBuffer pending queue management + - JDK-8317007: Add bulk removal of dead nmethods during class unloading + - JDK-8317235: Remove Access API use in nmethod class + - JDK-8317287: [macos14] InterJVMGetDropSuccessTest.java: Child VM: abnormal termination + - JDK-8317350: Move code cache purging out of CodeCache::UnloadingScope + - JDK-8317440: Lock rank checking fails when code root set is modified with the Servicelock held after JDK-8315503 + - JDK-8317600: VtableStubs::stub_containing() table load not ordered wrt to stores + - JDK-8317631: Refactor ChoiceFormat tests to use JUnit + - JDK-8317677: Specialize Vtablestubs::entry_for() for VtableBlob + - JDK-8317809: Insertion of free code blobs into code cache can be very slow during class unloading + - JDK-8317965: TestLoadLibraryDeadlock.java fails with "Unable to load native library.: expected true, was false" + - JDK-8318109: Writing JFR records while a CHT has taken its lock asserts in rank checking + - JDK-8318322: Update IANA Language Subtag Registry to Version 2023-10-16 + - JDK-8318455: Fix the compiler/sharedstubs/SharedTrampolineTest.java and SharedStubToInterpTest.java + - JDK-8318580: "javax/swing/MultiMonitor/MultimonVImage.java failing with Error. Can't find library: /open/test/jdk/java/awt/regtesthelpers" after JDK-8316053 + - JDK-8318585: Rename CodeCache::UnloadingScope to UnlinkingScope + - JDK-8318599: HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809 + - JDK-8318720: G1: Memory leak in G1CodeRootSet after JDK-8315503 + - JDK-8318727: Enable parallelism in vmTestbase/vm/gc/concurrent tests + - JDK-8318757: VM_ThreadDump asserts in interleaved ObjectMonitor::deflate_monitor calls + - JDK-8318854: [macos14] Running any AWT app prints Secure coding warning + - JDK-8318962: Update ProcessTools javadoc with suggestions in 8315097 + - JDK-8318986: Improve GenericWaitBarrier performance + - JDK-8319048: Monitor deflation unlink phase prolongs time to safepoint + - JDK-8319153: Fix: Class is a raw type in ProcessTools + - JDK-8319265: TestLoadLibraryDeadlock.java fails on windows-x64 "Unable to load b.jar" + - JDK-8319338: tools/jpackage/share/RuntimeImageTest.java fails with -XX:+UseZGC + - JDK-8319376: ParallelGC: Forwarded objects found during heap inspection + - JDK-8319437: NMT should show library names in call stacks + - JDK-8319567: Update java/lang/invoke tests to support vm flags + - JDK-8319568: Update java/lang/reflect/exeCallerAccessTest/CallerAccessTest.java to accept vm flags + - JDK-8319571: Update jni/nullCaller/NullCallerTest.java to accept flags or mark as flagless + - JDK-8319574: Exec/process tests should be marked as flagless + - JDK-8319578: Few java/lang/instrument ignore test.java.opts and accept test.vm.opts only + - JDK-8319647: Few java/lang/System/LoggerFinder/modules tests ignore vm flags + - JDK-8319648: java/lang/SecurityManager tests ignore vm flags + - JDK-8319650: Improve heap dump performance with class metadata caching + - JDK-8319651: Several network tests ignore vm flags when start java process + - JDK-8319672: Several classloader tests ignore VM flags + - JDK-8319676: A couple of jdk/modules/incubator/ tests ignore VM flags + - JDK-8319677: Test jdk/internal/misc/VM/RuntimeArguments.java should be marked as flagless + - JDK-8319713: Parallel: Remove PSAdaptiveSizePolicy::should_full_GC + - JDK-8319757: java/nio/channels/DatagramChannel/InterruptibleOrNot.java failed: wrong exception thrown + - JDK-8319876: Reduce memory consumption of VM_ThreadDump::doit + - JDK-8319896: Remove monitor deflation from final audit + - JDK-8319955: Improve dependencies removal during class unloading + - JDK-8320005: Allow loading of shared objects with .a extension on AIX + - JDK-8320061: [nmt] Multiple issues with peak accounting + - JDK-8320113: [macos14] : ShapeNotSetSometimes.java fails intermittently on macOS 14 + - JDK-8320129: "top" command during jtreg failure handler does not display CPU usage on OSX + - JDK-8320275: assert(_chunk->bitmap().at(index)) failed: Bit not set at index + - JDK-8320331: G1 Full GC Heap verification relies on metadata not reset before verification + - JDK-8320342: Use PassFailJFrame for TruncatedPopupMenuTest.java + - JDK-8320343: Generate GIF images for AbstractButton/5049549/bug5049549.java + - JDK-8320349: Simplify FileChooserSymLinkTest.java by using single-window testUI + - JDK-8320365: IPPPrintService.getAttributes() causes blanket re-initialisation + - JDK-8320370: NMT: Change MallocMemorySnapshot to simplify code. + - JDK-8320515: assert(monitor->object_peek() != nullptr) failed: Owned monitors should not have a dead object + - JDK-8320525: G1: G1UpdateRemSetTrackingBeforeRebuild::distribute_marked_bytes accesses partially unloaded klass + - JDK-8320570: NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters + - JDK-8320681: [macos] Test tools/jpackage/macosx/MacAppStoreJlinkOptionsTest.java timed out on macOS + - JDK-8320692: Null icon returned for .exe without custom icon + - JDK-8320707: Virtual thread test updates + - JDK-8320712: Rewrite BadFactoryTest in pure Java + - JDK-8320714: java/util/Locale/LocaleProvidersRun.java and java/util/ResourceBundle/modules/visibility/VisibilityTest.java timeout after passing + - JDK-8320715: Improve the tests of test/hotspot/jtreg/compiler/intrinsics/float16 + - JDK-8320924: Improve heap dump performance by optimizing archived object checks + - JDK-8321075: RISC-V: UseSystemMemoryBarrier lacking proper OS support + - JDK-8321107: Add more test cases for JDK-8319372 + - JDK-8321163: [test] OutputAnalyzer.getExitValue() unnecessarily logs even when process has already completed + - JDK-8321182: SourceExample.SOURCE_14 comment should refer to 'switch expressions' instead of 'text blocks' + - JDK-8321270: Virtual Thread.yield consumes parking permit + - JDK-8321276: runtime/cds/appcds/dynamicArchive/DynamicSharedSymbols.java failed with "'17 2: jdk/test/lib/apps ' missing from stdout/stderr" + - JDK-8321489: Update LCMS to 2.16 + - JDK-8321713: Harmonize executeTestJvm with create[Limited]TestJavaProcessBuilder + - JDK-8321718: ProcessTools.executeProcess calls waitFor before logging + - JDK-8321812: Update GC tests to use execute[Limited]TestJava + - JDK-8321815: Shenandoah: gc state should be synchronized to java threads only once per safepoint + - JDK-8321925: sun/security/mscapi/KeytoolChangeAlias.java fails with "Alias <246810> does not exist" + - JDK-8322239: [macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane + - JDK-8322477: order of subclasses in the permits clause can differ between compilations + - JDK-8322503: Shenandoah: Clarify gc state usage + - JDK-8322818: Thread::getStackTrace can fail with InternalError if virtual thread is timed-parked when pinned + - JDK-8322846: Running with -Djdk.tracePinnedThreads set can hang + - JDK-8322858: compiler/c2/aarch64/TestFarJump.java fails on AArch64 due to unexpected PrintAssembly output + - JDK-8322920: Some ProcessTools.execute* functions are declared to throw Throwable + - JDK-8322962: Upcall stub might go undetected when freezing frames + - JDK-8323002: test/jdk/java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java times out on macosx-x64 + - JDK-8323170: j2dbench is using outdated javac source/target to be able to build by itself + - JDK-8323210: Update the usage of cmsFLAGS_COPY_ALPHA + - JDK-8323276: StressDirListings.java fails on AIX + - JDK-8323296: java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java#id1 timed out + - JDK-8323519: Add applications/ctw/modules to Hotspot tiered testing + - JDK-8323595: is_aligned(p, alignof(OopT))) assertion fails in Jetty without compressed OOPs + - JDK-8323635: Test gc/g1/TestHumongousAllocConcurrentStart.java fails with -XX:TieredStopAtLevel=3 + - JDK-8323685: PrintSystemDictionaryAtExit has mutex rank assert + - JDK-8323994: gtest runner repeats test name for every single gtest assertion + - JDK-8324121: SIGFPE in PhaseIdealLoop::extract_long_range_checks + - JDK-8324123: aarch64: fix prfm literal encoding in assembler + - JDK-8324236: compiler/ciReplay/TestInliningProtectionDomain.java failed with RuntimeException: should only dump inline information for ... expected true, was false + - JDK-8324238: [macOS] java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails with the shape has not been applied msg + - JDK-8324243: Compilation failures in java.desktop module with gcc 14 + - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1 + - JDK-8324646: Avoid Class.forName in SecureRandom constructor + - JDK-8324648: Avoid NoSuchMethodError when instantiating NativePRNG + - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16 + - JDK-8324733: [macos14] Problem list tests which fail due to macOS bug described in JDK-8322653 + - JDK-8324817: Parallel GC does not pre-touch all heap pages when AlwaysPreTouch enabled and large page disabled + - JDK-8324824: AArch64: Detect Ampere-1B core and update default options for Ampere CPUs + - JDK-8324834: Use _LARGE_FILES on AIX + - JDK-8324933: ConcurrentHashTable::statistics_calculate synchronization is expensive + - JDK-8324998: Add test cases for String.regionMatches comparing Turkic dotted/dotless I with uppercase latin I + - JDK-8325024: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java incorrect comment information + - JDK-8325028: (ch) Pipe channels should lazily set socket to non-blocking mode on first use by virtual thread + - JDK-8325095: C2: bailout message broken: ResourceArea allocated string used after free + - JDK-8325137: com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java can fail in Xcomp with out of expected range + - JDK-8325203: System.exit(0) kills the launched 3rd party application + - JDK-8325213: Flags introduced by configure script are not passed to ADLC build + - JDK-8325255: jdk.internal.util.ReferencedKeySet::add using wrong test + - JDK-8325326: [PPC64] Don't relocate in case of allocation failure + - JDK-8325372: Shenandoah: SIGSEGV crash in unnecessary_acquire due to LoadStore split through phi + - JDK-8325432: enhance assert message "relocation addr must be in this section" + - JDK-8325437: Safepoint polling in monitor deflation can cause massive logs + - JDK-8325567: jspawnhelper without args fails with segfault + - JDK-8325579: Inconsistent behavior in com.sun.jndi.ldap.Connection::createSocket + - JDK-8325613: CTW: Stale method cleanup requires GC after Sweeper removal + - JDK-8325621: Improve jspawnhelper version checks + - JDK-8325743: test/jdk/java/nio/channels/unixdomain/SocketOptions.java enhance user name output in error case + - JDK-8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests + - JDK-8325908: Finish removal of IntlTest and CollatorTest + - JDK-8325972: Add -x to bash for building with LOG=debug + - JDK-8326006: Allow TEST_VM_FLAGLESS to set flagless mode + - JDK-8326101: [PPC64] Need to bailout cleanly if creation of stubs fails when code cache is out of space + - JDK-8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns + - JDK-8326201: [S390] Need to bailout cleanly if creation of stubs fails when code cache is out of space + - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1 + - JDK-8326446: The User and System of jdk.CPULoad on Apple M1 are inaccurate + - JDK-8326496: [test] checkHsErrFileContent support printing hserr in error case + - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit + - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out + - JDK-8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used + - JDK-8326638: Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop + - JDK-8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message + - JDK-8326661: sun/java2d/cmm/ColorConvertOp/ColConvTest.java assumes profiles were generated by LCMS + - JDK-8326685: Linux builds not reproducible if two builds configured in different build folders + - JDK-8326718: Test java/util/Formatter/Padding.java should timeout on large inputs before fix in JDK-8299677 + - JDK-8326773: Bump update version for OpenJDK: jdk-21.0.4 + - JDK-8326824: Test: remove redundant test in compiler/vectorapi/reshape/utils/TestCastMethods.java + - JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries + - JDK-8326936: RISC-V: Shenandoah GC crashes due to incorrect atomic memory operations + - JDK-8326948: Force English locale for timeout formatting + - JDK-8326960: GHA: RISC-V sysroot cannot be debootstrapped due to ongoing Debian t64 transition + - JDK-8326974: ODR violation in macroAssembler_aarch64.cpp + - JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 + - JDK-8327059: os::Linux::print_proc_sys_info add swappiness information + - JDK-8327096: (fc) java/nio/channels/FileChannel/Size.java fails on partition incapable of creating large files + - JDK-8327136: javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java fails on libgraal + - JDK-8327180: Failed: java/io/ObjectStreamClass/ObjectStreamClassCaching.java#G1 + - JDK-8327261: Parsing test for Double/Float succeeds w/o testing all bad cases + - JDK-8327468: Do not restart close if errno is EINTR [macOS/linux] + - JDK-8327474: Review use of java.io.tmpdir in jdk tests + - JDK-8327486: java/util/Properties/PropertiesStoreTest.java fails "Text 'xxx' could not be parsed at index 20" after 8174269 + - JDK-8327631: Update IANA Language Subtag Registry to Version 2024-03-07 + - JDK-8327799: JFR view: the "Park Until" field of jdk.ThreadPark is invalid if the parking method is not absolute + - JDK-8327971: Multiple ASAN errors reported for metaspace + - JDK-8327988: When running ASAN, disable dangerous NMT test + - JDK-8327989: java/net/httpclient/ManyRequest.java should not use "localhost" in URIs + - JDK-8327998: Enable java/lang/ProcessBuilder/JspawnhelperProtocol.java on Mac + - JDK-8328037: Test java/util/Formatter/Padding.java has unnecessary high heap requirement after JDK-8326718 + - JDK-8328066: WhiteBoxResizeTest failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328165: improve assert(idx < _maxlrg) failed: oob + - JDK-8328166: Epsilon: 'EpsilonHeap::allocate_work' misuses the parameter 'size' as size in bytes + - JDK-8328168: Epsilon: Premature OOM when allocating object larger than uncommitted heap size + - JDK-8328194: Add a test to check default rendering engine + - JDK-8328524: [x86] StringRepeat.java failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328540: test javax/swing/JSplitPane/4885629/bug4885629.java fails on windows hidpi + - JDK-8328555: hidpi problems for test java/awt/Dialog/DialogAnotherThread/JaWSTest.java + - JDK-8328589: unify os::breakpoint among posix platforms + - JDK-8328592: hprof tests fail with -XX:-CompactStrings + - JDK-8328604: remove on_aix() function + - JDK-8328638: Fallback option for POST-only OCSP requests + - JDK-8328702: C2: Crash during parsing because sub type check is not folded + - JDK-8328703: Illegal accesses in Java_jdk_internal_org_jline_terminal_impl_jna_linux_CLibraryImpl_ioctl0 + - JDK-8328705: GHA: Cross-compilation jobs do not require build JDK + - JDK-8328709: AIX os::get_summary_cpu_info support Power 10 + - JDK-8328744: Parallel: Parallel GC throws OOM before heap is fully expanded + - JDK-8328776: [AIX] remove checked_vmgetinfo, use vmgetinfo directly + - JDK-8328812: Update and move siphash license + - JDK-8328822: C2: "negative trip count?" assert failure in profile predicate code + - JDK-8328825: Google CAInterop test failures + - JDK-8328938: C2 SuperWord: disable vectorization for large stride and scale + - JDK-8328948: GHA: Restoring sysroot from cache skips the build after JDK-8326960 + - JDK-8328957: Update PKCS11Test.java to not use hardcoded path + - JDK-8328988: [macos14] Problem list LightweightEventTest.java which fails due to macOS bug described in JDK-8322653 + - JDK-8328997: Remove unnecessary template parameter lists in GrowableArray + - JDK-8329013: StackOverflowError when starting Apache Tomcat with signed jar + - JDK-8329109: Threads::print_on() tries to print CPU time for terminated GC threads + - JDK-8329163: C2: possible overflow in PhaseIdealLoop::extract_long_range_checks() + - JDK-8329213: Better validation for com.sun.security.ocsp.useget option + - JDK-8329223: Parallel: Parallel GC resizes heap even if -Xms = -Xmx + - JDK-8329545: [s390x] Fix garbage value being passed in Argument Register + - JDK-8329570: G1: Excessive is_obj_dead_cond calls in verification + - JDK-8329605: hs errfile generic events - move memory protections and nmethod flushes to separate sections + - JDK-8329663: hs_err file event log entry for thread adding/removing should print current thread + - JDK-8329823: RISC-V: Need to sync CPU features with related JVM flags + - JDK-8329840: Fix ZPhysicalMemorySegment::_end type + - JDK-8329850: [AIX] Allow loading of different members of same shared library archive + - JDK-8329862: libjli GetApplicationHome cleanups and enhance jli tracing + - JDK-8329961: Buffer overflow in os::Linux::kernel_version + - JDK-8330011: [s390x] update block-comments to make code consistent + - JDK-8330094: RISC-V: Save and restore FRM in the call stub + - JDK-8330156: RISC-V: Range check auipc + signed 12 imm instruction + - JDK-8330242: RISC-V: Simplify and remove CORRECT_COMPILER_ATOMIC_SUPPORT in atomic_linux_riscv.hpp + - JDK-8330275: Crash in XMark::follow_array + - JDK-8330464: hserr generic events - add entry for the before_exit calls + - JDK-8330523: Reduce runtime and improve efficiency of KeepAliveTest + - JDK-8330524: Linux ppc64le compile warning with clang in os_linux_ppc.cpp + - JDK-8330615: avoid signed integer overflows in zip_util.c readCen / hashN + - JDK-8330815: Use pattern matching for instanceof in KeepAliveCache + - JDK-8331031: unify os::dont_yield and os::naked_yield across Posix platforms + - JDK-8331113: createJMHBundle.sh support configurable maven repo mirror + - JDK-8331167: UBSan enabled build fails in adlc on macOS + - JDK-8331298: avoid alignment checks in UBSAN enabled build + - JDK-8331331: :tier1 target explanation in doc/testing.md is incorrect + - JDK-8331352: error: template-id not allowed for constructor/destructor in C++20 + - JDK-8331466: Problemlist serviceability/dcmd/gc/RunFinalizationTest.java on generic-all + - JDK-8331639: [21u]: Bump GHA bootstrap JDK to 21.0.3 + - JDK-8331942: On Linux aarch64, CDS archives should be using 64K alignment by default + - JDK-8332253: Linux arm32 build fails after 8292591 + - JDK-8334441: Mark tests in jdk_security_infra group as manual + - JDK-8335960: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.4 + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8281658: Add a security category to the java -XshowSettings option +====================================================================== + +The `-XshowSettings` launcher option now has a 'security' category, allowing +the following arguments to be passed: + +* -XshowSettings:security or -XshowSettings:security:all: show all security settings and continue +* -XshowSettings:security:properties - show security properties and continue +* -XshowSettings:security:providers - show static security provider settings and continue +* -XshowSettings:security:tls - show TLS related security settings and continue + +The output will include third-party security providers if they are +included in the application class path or module path, and configured +in the java.security file. + +JDK-8316138: Add GlobalSign 2 TLS root certificates +=================================================== +The following root certificates have been added to the cacerts +truststore: + +Name: GlobalSign +Alias Name: globalsignr46 +Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE + +Name: GlobalSign +Alias Name: globalsigne46 +Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE + +security-libs/javax.security: + +JDK-8328638: Fallback Option For POST-only OCSP Requests +======================================================== +JDK-8179503, introduced in OpenJDK 17, added support for using the +HTTP GET method for OCSP requests. This was turned on unconditionally +for small requests. + +RFC 5019 and RFC 6960 explicitly allow and recommend the use of HTTP +GET requests. However, some OCSP responders have been observed to not +work well with such requests. + +With this release, the JDK system property +`com.sun.security.ocsp.useget` is introduced. The default setting is +'true' which retains the current behaviour of using GET requests for +small requests. If the property is instead set to 'false', only HTTP +POST requests will be used, regardless of size. + +This option is non-standard and may be removed again if problematic +OCSP responders are no longer an issue. + +infrastructure/build: + +JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries +================================================================================== +Native executables and libraries in the JDK use embedded runtime +search paths to locate required internal JDK native libraries. On +Linux systems, there are two ways of specifying these search paths; +DT_RPATH and DT_RUNPATH. + +The main difference between the two options is that paths specified by +DT_RPATH are searched before those in the LD_LIBRARY_PATH environment +variable, whereas DT_RUNPATH paths are considered afterwards. This +means the use of DT_RUNPATH can allow JDK internal libraries to be +overridden by libraries of the same name found on the LD_LIBRARY_PATH. + +Builds of earlier OpenJDK releases left the choice of which type of +runtime search path to use down to the default of the linker. With +this release, the option `--disable-new-dtags` is explicitly passed to +the linker to avoid setting DT_RUNPATH. + +tools/jpackage: + +JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries +========================================================================================= +The jpackage tool uses `dpkg -S` to lookup which package provides a +particular file on Debian and Ubuntu systems. However, on newer Debian +and Ubuntu systems, `dpkg -S` does not resolve symlinks. In this +OpenJDK release, jpackage now resolves symlinks before passing the +real path of the file to dpkg. + +hotspot/gc: + +JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account +========================================================================================= +To comply with the settings of `-XX:MinHeapFreeRatio` and +`-XX:MaxHeapFreeRatio`, the G1 garbage collector adjusts the Java heap +size during the Remark phase, keeping the number of free regions +within these bounds. + +In earlier OpenJDK releases, Eden regions were considered to be +occupied or full for this calculation. This made the heap size +dependent on the Eden occupancy at the time the Remark phase was +run. However, after the next garbage collection, these Eden regions +would be empty. + +With this OpenJDK release, Eden regions are now considered empty or +free during the Remark phase calculation. The overall effect is that +G1 now expands the Java heap less aggressively and more +determinstically, as the number of free regions does not vary as much. +It also aligns Java heap sizing with the full GC heap sizing. +However, this may potentially lead to more garbage collections. + +JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration +================================================================================= +The Code Root Scan phase of garbage collection finds references to +Java objects within compiled code. To speed up this process, a cache +is maintained within each region of the compiled code that contains +references into the Java heap. + +On the assumption that the set of references was small, previous +releases used a single thread per region to iterate through these +references. This introduced a scalability bottleneck, where +performance could be reduced if a particular region contained a large +number of references. + +In this release, multiple threads are used, removing this bottleneck. + +New in release OpenJDK 21.0.3 (2024-04-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2103 + +* CVEs + - CVE-2024-21012 + - CVE-2024-21011 + - CVE-2024-21068 +* Security fixes + - JDK-8315708: Enhance HTTP/2 client usage + - JDK-8318340: Improve RSA key implementations + - JDK-8319851: Improve exception logging + - JDK-8322122: Enhance generation of addresses +* Other changes + - JDK-6928542: Chinese characters in RTF are not decoded + - JDK-8009550: PlatformPCSC should load versioned so + - JDK-8077371: Binary files in JAXP test should be removed + - JDK-8169475: WheelModifier.java fails by timeout + - JDK-8209595: MonitorVmStartTerminate.java timed out + - JDK-8210410: Refactor java.util.Currency:i18n shell tests to plain java tests + - JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from + - JDK-8263256: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails due to dynamic reconfigurations of network interface during test + - JDK-8264899: C1: -XX:AbortVMOnException does not work if all methods in the call stack are compiled with C1 and there are no exception handlers + - JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + - JDK-8295343: sun/security/pkcs11 tests fail on Linux RHEL 8.6 and newer + - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts + - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + - JDK-8304020: Speed up test/jdk/java/util/zip/ZipFile/TestTooManyEntries.java and clarify its purpose + - JDK-8304292: Memory leak related to ClassLoader::update_class_path_entry_list + - JDK-8305962: update jcstress to 0.16 + - JDK-8305971: NPE in JavacProcessingEnvironment for missing enum constructor body + - JDK-8306922: IR verification fails because IR dump is chopped up + - JDK-8307408: Some jdk/sun/tools/jhsdb tests don't pass test JVM args to the debuggee JVM + - JDK-8309109: AArch64: [TESTBUG] compiler/intrinsics/sha/cli/TestUseSHA3IntrinsicsOptionOnSupportedCPU.java fails on Neoverse N2 and V1 + - JDK-8309203: C2: remove copy-by-value of GrowableArray for InterfaceSet + - JDK-8309302: java/net/Socket/Timeouts.java fails with AssertionError on test temporal post condition + - JDK-8309697: [TESTBUG] Remove "@requires vm.flagless" from jtreg vectorization tests + - JDK-8310031: Parallel: Implement better work distribution for large object arrays in old gen + - JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/bug6889007.java fails + - JDK-8310308: IR Framework: check for type and size of vector nodes + - JDK-8310629: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java fails with RuntimeException Server not ready + - JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is spuriously passing + - JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + - JDK-8310844: [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate + - JDK-8310919: runtime/ErrorHandling/TestAbortVmOnException.java times out due to core dumps taking a long time on OSX + - JDK-8310923: Refactor Currency tests to use JUnit + - JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + - JDK-8311279: TestStressIGVNAndCCP.java failed with different IGVN traces for the same seed + - JDK-8311581: Remove obsolete code and comments in TestLVT.java + - JDK-8311588: C2: RepeatCompilation compiler directive does not choose stress seed randomly + - JDK-8311663: Additional refactoring of Locale tests to JUnit + - JDK-8311893: Interactive component with ARIA role 'tabpanel' does not have a programmatically associated name + - JDK-8311986: Disable runtime/os/TestTracePageSizes.java for ShenandoahGC + - JDK-8311992: Test java/lang/Thread/virtual/JfrEvents::testVirtualThreadPinned failed + - JDK-8312136: Modify runtime/ErrorHandling/TestDwarf.java to split dwarf and decoder testing + - JDK-8312416: Tests in Locale should have more descriptive names + - JDK-8312428: PKCS11 tests fail with NSS 3.91 + - JDK-8312916: Remove remaining usages of -Xdebug from test/hotspot/jtreg + - JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + - JDK-8313229: DHEKeySizing.java should be modified to use TLS versions TLSv1, TLSv1.1, TLSv1.2 + - JDK-8313507: Remove pkcs11/Cipher/TestKATForGCM.java from ProblemList + - JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/TestFloatingDecimal should use RandomFactory + - JDK-8313638: Add test for dump of resolved references + - JDK-8313670: Simplify shared lib name handling code in some tests + - JDK-8313720: C2 SuperWord: wrong result with -XX:+UseVectorCmov -XX:+UseCMoveUnconditionally + - JDK-8313816: Accessing jmethodID might lead to spurious crashes + - JDK-8313854: Some tests in serviceability area fail on localized Windows platform + - JDK-8314164: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + - JDK-8314220: Configurable InlineCacheBuffer size + - JDK-8314283: Support for NSS tests on aarch64 platforms + - JDK-8314320: Mark runtime/CommandLine/ tests as flagless + - JDK-8314333: Update com/sun/jdi/ProcessAttachTest.java to use ProcessTools.createTestJvm(..) + - JDK-8314513: [IR Framework] Some internal IR Framework tests are failing after JDK-8310308 on PPC and Cascade Lake + - JDK-8314578: Non-verifiable code is emitted when two guards declare pattern variables in colon-switch + - JDK-8314610: hotspot can't compile with the latest of gtest because of + - JDK-8314612: TestUnorderedReduction.java fails with -XX:MaxVectorSize=32 and -XX:+AlignVector + - JDK-8314629: Generational ZGC: Clearing All SoftReferences log line lacks GCId + - JDK-8314829: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java ignores vm flags + - JDK-8314830: runtime/ErrorHandling/ tests ignore external VM flags + - JDK-8314831: NMT tests ignore vm flags + - JDK-8314835: gtest wrappers should be marked as flagless + - JDK-8314837: 5 compiled/codecache tests ignore VM flags + - JDK-8314838: 3 compiler tests ignore vm flags + - JDK-8314990: Generational ZGC: Strong OopStorage stats reported as weak roots + - JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + - JDK-8315042: NPE in PKCS7.parseOldSignedData + - JDK-8315097: Rename createJavaProcessBuilder + - JDK-8315241: (fs) Move toRealPath tests in java/nio/file/Path/Misc.java to separate JUnit 5 test + - JDK-8315406: [REDO] serviceability/jdwp/AllModulesCommandTest.java ignores VM flags + - JDK-8315594: Open source few headless Swing misc tests + - JDK-8315600: Open source few more headless Swing misc tests + - JDK-8315602: Open source swing security manager test + - JDK-8315611: Open source swing text/html and tree test + - JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + - JDK-8315721: CloseRace.java#id0 fails transiently on libgraal + - JDK-8315726: Open source several AWT applet tests + - JDK-8315731: Open source several Swing Text related tests + - JDK-8315761: Open source few swing JList and JMenuBar tests + - JDK-8315891: java/foreign/TestLinker.java failed with "error occurred while instantiating class TestLinker: null" + - JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/bug4654927.java: component must be showing on the screen to determine its location + - JDK-8315988: Parallel: Make TestAggressiveHeap use createTestJvm + - JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + - JDK-8316028: Update FreeType to 2.13.2 + - JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + - JDK-8316132: CDSProtectionDomain::get_shared_protection_domain should check for exception + - JDK-8316229: Enhance class initialization logging + - JDK-8316309: AArch64: VMError::print_native_stack() crashes on Java native method frame + - JDK-8316319: Generational ZGC: The SoftMaxHeapSize might be wrong when CDS decreases the MaxHeapSize + - JDK-8316392: compiler/interpreter/TestVerifyStackAfterDeopt.java failed with SIGBUS in PcDescContainer::find_pc_desc_internal + - JDK-8316410: GC: Make TestCompressedClassFlags use createTestJvm + - JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/CheckOrigin.java as vm.flagless + - JDK-8316446: 4 sun/management/jdp tests ignore VM flags + - JDK-8316447: 8 sun/management/jmxremote tests ignore VM flags + - JDK-8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags + - JDK-8316464: 3 sun/tools tests ignore VM flags + - JDK-8316562: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java times out after JDK-8314829 + - JDK-8316594: C2 SuperWord: wrong result with hand unrolled loops + - JDK-8316661: CompilerThread leaks CodeBlob memory when dynamically stopping compiler thread in non-product + - JDK-8316693: Simplify at-requires checkDockerSupport() + - JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + - JDK-8316961: Fallback implementations for 64-bit Atomic::{add,xchg} on 32-bit platforms + - JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm + - JDK-8317042: G1: Make TestG1ConcMarkStepDurationMillis use createTestJvm + - JDK-8317144: Exclude sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java on Linux ppc64le + - JDK-8317188: G1: Make TestG1ConcRefinementThreads use createTestJvm + - JDK-8317218: G1: Make TestG1HeapRegionSize use createTestJvm + - JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm + - JDK-8317300: javac erroneously allows "final" in front of a record pattern + - JDK-8317307: test/jdk/com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + - JDK-8317316: G1: Make TestG1PercentageOptions use createTestJvm + - JDK-8317317: G1: Make TestG1RemSetFlags use createTestJvm + - JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm + - JDK-8317347: Parallel: Make TestInitialTenuringThreshold use createTestJvm + - JDK-8317358: G1: Make TestMaxNewSize use createTestJvm + - JDK-8317522: Test logic for BODY_CF in AbstractThrowingSubscribers.java is wrong + - JDK-8317535: Shenandoah: Remove unused code + - JDK-8317771: [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma + - JDK-8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18 + - JDK-8318039: GHA: Bump macOS and Xcode versions + - JDK-8318082: ConcurrentModificationException from IndexWriter + - JDK-8318154: Improve stability of WheelModifier.java test + - JDK-8318157: RISC-V: implement ensureMaterializedForStackWalk intrinsic + - JDK-8318158: RISC-V: implement roundD/roundF intrinsics + - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows + - JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + - JDK-8318490: Increase timeout for JDK tests that are close to the limit when run with libgraal + - JDK-8318590: JButton ignores margin when painting HTML text + - JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + - JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests + - JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + - JDK-8318613: ChoiceFormat patterns are not well tested + - JDK-8318689: jtreg is confused when folder name is the same as the test name + - JDK-8318696: Do not use LFS64 symbols on Linux + - JDK-8318737: Fallback linker passes bad JNI handle + - JDK-8318809: java/util/concurrent/ConcurrentLinkedQueue/WhiteBox.java shows intermittent failures on linux ppc64le and aarch64 + - JDK-8318964: Fix build failures caused by 8315097 + - JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + - JDK-8318983: Fix comment typo in PKCS12Passwd.java + - JDK-8319103: Popups that request focus are not shown on Linux with Wayland + - JDK-8319124: Update XML Security for Java to 3.0.3 + - JDK-8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64 + - JDK-8319136: Skip pkcs11 tests on linux-aarch64 + - JDK-8319137: release _object in ObjectMonitor dtor to avoid races + - JDK-8319213: Compatibility.java reads both stdout and stderr of JdkUtils + - JDK-8319314: NMT detail report slow or hangs for large number of mappings + - JDK-8319372: C2 compilation fails with "Bad immediate dominator info" + - JDK-8319382: com/sun/jdi/JdwpAllowTest.java shows failures on AIX if prefixLen of mask is larger than 32 in IPv6 case + - JDK-8319456: jdk/jfr/event/gc/collection/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + - JDK-8319548: Unexpected internal name for Filler array klass causes error in VisualVM + - JDK-8319569: Several java/util tests should be updated to accept VM flags + - JDK-8319633: runtime/posixSig/TestPosixSig.java intermittent timeouts on UNIX + - JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + - JDK-8319777: Zero: Support 8-byte cmpxchg + - JDK-8319879: Stress mode to randomize incremental inlining decision + - JDK-8319883: Zero: Use atomic built-ins for 64-bit accesses + - JDK-8319897: Move StackWatermark handling out of LockStack::contains + - JDK-8319938: TestFileChooserSingleDirectorySelection.java fails with "getSelectedFiles returned empty array" + - JDK-8320052: Zero: Use __atomic built-ins for atomic RMW operations + - JDK-8320145: Compiler should accept final variable in Record Pattern + - JDK-8320168: handle setsocktopt return values + - JDK-8320206: Some intrinsics/stubs missing vzeroupper on x86_64 + - JDK-8320208: Update Public Suffix List to b5bf572 + - JDK-8320300: Adjust hs_err output in malloc/mmap error cases + - JDK-8320303: Allow PassFailJFrame to accept single window creator + - JDK-8320309: AIX: pthreads created by foreign test library don't work as expected + - JDK-8320383: refresh libraries cache on AIX in VMError::report + - JDK-8320582: Zero: Misplaced CX8 enablement flag + - JDK-8320798: Console read line with zero out should zero out underlying buffer + - JDK-8320807: [PPC64][ZGC] C1 generates wrong code for atomics + - JDK-8320830: [AIX] Dont mix os::dll_load() with direct dlclose() calls + - JDK-8320877: Shenandoah: Remove ShenandoahUnloadClassesFrequency support + - JDK-8320888: Shenandoah: Enable ShenandoahVerifyOptoBarriers in debug builds + - JDK-8320890: [AIX] Find a better way to mimic dl handle equality + - JDK-8320898: exclude compiler/vectorapi/reshape/TestVectorReinterpret.java on ppc64(le) platforms + - JDK-8320907: Shenandoah: Remove ShenandoahSelfFixing flag + - JDK-8320921: GHA: Parallelize hotspot_compiler test jobs + - JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8320943: Files/probeContentType/Basic.java fails on latest Windows 11 - content type mismatch + - JDK-8321120: Shenandoah: Remove ShenandoahElasticTLAB flag + - JDK-8321122: Shenandoah: Remove ShenandoahLoopOptsAfterExpansion flag + - JDK-8321131: Console read line with zero out should zero out underlying buffer in JLine + - JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + - JDK-8321164: javac with annotation processor throws AssertionError: Filling jrt:/... during JarFileObject[/...] + - JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + - JDK-8321269: Require platforms to define DEFAULT_CACHE_LINE_SIZE + - JDK-8321374: Add a configure option to explicitly set CompanyName property in VersionInfo resource for Windows exe/dll + - JDK-8321408: Add Certainly roots R1 and E1 + - JDK-8321409: Console read line with zero out should zero out underlying buffer in JLine (redux) + - JDK-8321410: Shenandoah: Remove ShenandoahSuspendibleWorkers flag + - JDK-8321480: ISO 4217 Amendment 176 Update + - JDK-8321542: C2: Missing ChaCha20 stub for x86_32 leads to crashes + - JDK-8321582: yield .class not parsed correctly. + - JDK-8321599: Data loss in AVX3 Base64 decoding + - JDK-8321619: Generational ZGC: ZColorStoreGoodOopClosure is only valid for young objects + - JDK-8321894: Bump update version for OpenJDK: 21.0.3 + - JDK-8321972: test runtime/Unsafe/InternalErrorTest.java timeout on linux-riscv64 platform + - JDK-8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized + - JDK-8322040: Missing array bounds check in ClassReader.parameter + - JDK-8322098: os::Linux::print_system_memory_info enhance the THP output with /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + - JDK-8322142: JFR: Periodic tasks aren't orphaned between recordings + - JDK-8322159: ThisEscapeAnalyzer crashes for erroneous code + - JDK-8322255: Generational ZGC: ZPageSizeMedium should be set before MaxTenuringThreshold + - JDK-8322279: Generational ZGC: Use ZFragmentationLimit and ZYoungCompactionLimit as percentage instead of multiples + - JDK-8322282: Incorrect LoaderConstraintTable::add_entry after JDK-8298468 + - JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces + - JDK-8322417: Console read line with zero out should zero out when throwing exception + - JDK-8322418: Problem list gc/TestAllocHumongousFragment.java subtests for 8298781 + - JDK-8322512: StringBuffer.repeat does not work correctly after toString() was called + - JDK-8322583: RISC-V: Enable fast class initialization checks + - JDK-8322725: (tz) Update Timezone Data to 2023d + - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray + - JDK-8322772: Clean up code after JDK-8322417 + - JDK-8322783: prioritize /etc/os-release over /etc/SuSE-release in hs_err/info output + - JDK-8322790: RISC-V: Tune costs for shuffles with no conversion + - JDK-8322957: Generational ZGC: Relocation selection must join the STS + - JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + - JDK-8323021: Shenandoah: Encountered reference count always attributed to first worker thread + - JDK-8323065: Unneccesary CodeBlob lookup in CompiledIC::internal_set_ic_destination + - JDK-8323086: Shenandoah: Heap could be corrupted by oom during evacuation + - JDK-8323101: C2: assert(n->in(0) == nullptr) failed: divisions with zero check should already have bailed out earlier in split-if + - JDK-8323154: C2: assert(cmp != nullptr && cmp->Opcode() == Op_Cmp(bt)) failed: no exit test + - JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + - JDK-8323331: fix typo hpage_pdm_size + - JDK-8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled + - JDK-8323515: Create test alias "all" for all test roots + - JDK-8323637: Capture hotspot replay files in GHA + - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + - JDK-8323659: LinkedTransferQueue add and put methods call overridable offer + - JDK-8323664: java/awt/font/JNICheck/FreeTypeScalerJNICheck.java still fails with JNI warning on some Windows configurations + - JDK-8323667: Library debug files contain non-reproducible full gcc include paths + - JDK-8323671: DevKit build gcc libraries contain full paths to source location + - JDK-8323717: Introduce test keyword for tests that need external dependencies + - JDK-8323964: runtime/Thread/ThreadCountLimit.java fails intermittently on AIX + - JDK-8324050: Issue store-store barrier after re-materializing objects during deoptimization + - JDK-8324280: RISC-V: Incorrect implementation in VM_Version::parse_satp_mode + - JDK-8324347: Enable "maybe-uninitialized" warning for FreeType 2.13.1 + - JDK-8324514: ClassLoaderData::print_on should print address of class loader + - JDK-8324598: use mem_unit when working with sysinfo memory and swap related information + - JDK-8324637: [aix] Implement support for reporting swap space in jdk.management + - JDK-8324647: Invalid test group of lib-test after JDK-8323515 + - JDK-8324659: GHA: Generic jtreg errors are not reported + - JDK-8324753: [AIX] adjust os_posix after JDK-8318696 + - JDK-8324858: [vectorapi] Bounds checking issues when accessing memory segments + - JDK-8324874: AArch64: crypto pmull based CRC32/CRC32C intrinsics clobber V8-V15 registers + - JDK-8324937: GHA: Avoid multiple test suites per job + - JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 + - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing + - JDK-8325150: (tz) Update Timezone Data to 2024a + - JDK-8325194: GHA: Add macOS M1 testing + - JDK-8325254: CKA_TOKEN private and secret keys are not necessarily sensitive + - JDK-8325444: GHA: JDK-8325194 causes a regression + - JDK-8325470: [AIX] use fclose after fopen in read_psinfo + - JDK-8325496: Make TrimNativeHeapInterval a product switch + - JDK-8325672: C2: allocate PhaseIdealLoop::_loop_or_ctrl from C->comp_arena() + - JDK-8325876: crashes in docker container tests on Linuxppc64le Power8 machines + - JDK-8326000: Remove obsolete comments for class sun.security.ssl.SunJSSE + - JDK-8327391: Add SipHash attribution file + - JDK-8329838: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.3 + +Notes on individual issues: +=========================== + +tools/javac: + +JDK-8317300: Align `javac` with the Java Language Specification by Rejecting `final` in Record Patterns +======================================================================================================= +Java 21 enhanced the language with pattern matching for switch +statements. However, the javac compiler released with OpenJDK 21 +allowed the 'final' keyword to be used in front of a record pattern +(e.g. `case final R(...) ->`), which is a violation of the Java +Language specification. + +With this release of OpenJDK 21, programs using `final` within a +switch statement will now fail to compile. The erroneous keyword will +need to be removed to allow the program to be compiled. + +security-libs/javax.xml.crypto: + +JDK-8319124: Update XML Security for Java to 3.0.3 +================================================== +The XML signature implementation in OpenJDK 21 has been updated to +Apache Santuario 3.0.3. This update introduces four new SHA-3 based +RSA-MGF1 SignatureMethod algorithms. + +However, the API of javax.xml.crypto.dsig.SignatureMethod can not be +changed in update releases to provide constants for these new +algorithms. The equivalent string literals should be used as below: + +* SHA3_224_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1" +* SHA3_256_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1" +* SHA3_384_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1" +* SHA3_512_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1" + +hotspot/runtime: + +JDK-8325496: Make TrimNativeHeapInterval a product switch +========================================================= +The option '-XX:TrimNativeHeapInterval=ms', where 'ms' is the interval +in milliseconds, is now an official product switch. It allows the +virtual machine to trim the native heap at the specified interval on +supported platforms (currently only Linux with glibc). A value of +zero (the default) disables trimming. + +client-libs/java.awt: + +JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops +======================================================================= +The java.awt.SystemTray API is used to interact with the system's +desktop taskbar to provide notifications and may include an icon +representing an application. The GNOME desktop's support for taskbar +icons has not worked properly for several years, due to a platform +bug. This bug, in turn, affects the JDK's SystemTray support on GNOME +desktops. + +Therefore, in accordance with the SystemTray API specification, +java.awt.SystemTray.isSupported() will now return false on systems +that exhibit this bug, which is assumed to be those running a version +of GNOME Shell below 45. + +The impact of this change is likely to be minimal, as users of the +SystemTray API should already be able to handle isSupported() +returning false and the system tray on such platforms has already been +unsupported for a number of years for all applications. + +security-libs/java.security: + +JDK-8321408: Added Certainly R1 and E1 Root Certificates +======================================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certainly +Alias Name: certainlyrootr1 +Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US + +Name: Certainly +Alias Name: certainlyroote1 +Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US + +hotspot/gc: + +JDK-8310031: Parallel: Precise Parallel Scanning of Large Object Arrays for Young Collection Roots +================================================================================================== +During the collection of young generation objects, the ParallelGC +collector partitions the old generation into 64kB stripes to scan for +references to the young generation. The stripes are assigned to worker +threads to do the scanning in parallel. + +However, previous releases of OpenJDK 21 did not constrain these +worker threads to their own stripe. Parallelism was limited as a +single thread could end up scanning a large object with thousands of +references across multiple stripes, if it happened to start in its +allocated stripe. This also resulted in bad scaling, due to the +subsequent memory sharing associated with multiple threads working on +the same stripe. + +In this release, workers are limited to their stripe and only process +interesting parts of large object arrays. Pauses for the ParallelGC +collector are now on par with the G1 collector when large object +arrays are present, reducing pause times by four to five times in some +cases. + +JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 +================================================================================================== +Running the virtual machine with `-XX:+UseZGC` and a non-default value +of `-XX:ObjectAlignmentInBytes` had the potential to crash or perform +incorrect execution. This was due to `ZBarrierSet::clone_obj_array` +not taking into account padding words at the end of an ObjArray. This +has now been rectified in this release. + +New in release OpenJDK 21.0.2 (2024-01-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2102 + +* CVEs + - CVE-2024-20918 + - CVE-2024-20919 + - CVE-2024-20921 + - CVE-2024-20945 + - CVE-2024-20952 +* Security fixes + - JDK-8308204: Enhanced certificate processing + - JDK-8314295: Enhance verification of verifier + - JDK-8314307: Improve loop handling + - JDK-8314468: Improve Compiler loops + - JDK-8316976: Improve signature handling + - JDK-8317547: Enhance TLS connection support +* Other changes + - JDK-8038244: (fs) Check return value of malloc in Java_sun_nio_fs_AixNativeDispatcher_getmntctl() + - JDK-8161536: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with ProviderException + - JDK-8219652: [aix] Tests failing with JNI attach problems. + - JDK-8225377: type annotations are not visible to javac plugins across compilation boundaries + - JDK-8232839: JDI AfterThreadDeathTest.java failed due to "FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()" + - JDK-8267502: JDK-8246677 caused 16x performance regression in SynchronousQueue + - JDK-8267509: Improve IllegalAccessException message to include the cause of the exception + - JDK-8268916: Tests for AffirmTrust roots + - JDK-8286757: adlc tries to build with /pathmap but without /experimental:deterministic + - JDK-8294156: Allow PassFailJFrame.Builder to create test UI + - JDK-8294158: HTML formatting for PassFailJFrame instructions + - JDK-8294427: Check boxes and radio buttons have rendering issues on Windows in High DPI env + - JDK-8294535: Add screen capture functionality to PassFailJFrame + - JDK-8295068: SSLEngine throws NPE parsing CertificateRequests + - JDK-8295555: Primitive wrapper caches could be `@Stable` + - JDK-8299614: Shenandoah: STW mark should keep nmethod/oops referenced from stack chunk alive + - JDK-8300663: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=true i=0 j=1" + - JDK-8301247: JPackage app-image exe launches multiple exe's in JDK 17+ + - JDK-8301341: LinkedTransferQueue does not respect timeout for poll() + - JDK-8301457: Code in SendPortZero.java is uncommented even after JDK-8236852 was fixed + - JDK-8301489: C1: ShortLoopOptimizer might lift instructions before their inputs + - JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library + - JDK-8303737: C2: Load can bypass subtype check that enforces it's from the right object type + - JDK-8306561: Possible out of bounds access in print_pointer_information + - JDK-8308103: Massive (up to ~30x) increase in C2 compilation time since JDK 17 + - JDK-8308452: Extend internal Architecture enum with byte order and address size + - JDK-8308479: [s390x] Implement alternative fast-locking scheme + - JDK-8308592: Framework for CA interoperability testing + - JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows + - JDK-8309209: C2 failed "assert(_stack_guard_state == stack_guard_reserved_disabled) failed: inconsistent state" + - JDK-8309305: sun/security/ssl/SSLSocketImpl/BlockedAsyncClose.java fails with jtreg test timeout + - JDK-8309545: Thread.interrupted from virtual thread needlessly resets interrupt status + - JDK-8309663: test fails "assert(check_alignment(result)) failed: address not aligned: 0x00000008baadbabe" + - JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory + - JDK-8309974: some JVMCI tests fail when VM options include -XX:+EnableJVMCI + - JDK-8310239: Add missing cross modifying fence in nmethod entry barriers + - JDK-8310512: Cleanup indentation in jfc files + - JDK-8310596: Utilize existing method frame::interpreter_frame_monitor_size_in_bytes() + - JDK-8310982: jdk/internal/util/ArchTest.java fails after JDK-8308452 failed with Method isARM() + - JDK-8311261: [AIX] TestAlwaysPreTouchStacks.java fails due to java.lang.RuntimeException: Did not find expected NMT output + - JDK-8311514: Incorrect regex in TestMetaSpaceLog.java + - JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + - JDK-8311591: Add SystemModulesPlugin test case that splits module descriptors with new local variables defined by DedupSetBuilder + - JDK-8311630: [s390] Implementation of Foreign Function & Memory API (Preview) + - JDK-8311631: When multiple users run tools/jpackage/share/LicenseTest.java, Permission denied for writing /var/tmp/*.files + - JDK-8311680: Update the release version after forking Oct CPU23_10 + - JDK-8311681: Update the Jan CPU24_01 release date in master branch after forking Oct CPU23_10 + - JDK-8311813: C1: Uninitialized PhiResolver::_loop field + - JDK-8311938: Add default cups include location for configure on AIX + - JDK-8312078: [PPC] JcmdScale.java Failing on AIX + - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955 + - JDK-8312166: (dc) DatagramChannel's socket adaptor does not release carrier thread when blocking in receive + - JDK-8312174: missing JVMTI events from vthreads parked during JVMTI attach + - JDK-8312191: ColorConvertOp.filter for the default destination is too slow + - JDK-8312433: HttpClient request fails due to connection being considered idle and closed + - JDK-8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" + - JDK-8312440: assert(cast != nullptr) failed: must have added a cast to pin the node + - JDK-8312466: /bin/nm usage in AIX makes needs -X64 flag + - JDK-8312467: relax the builddir check in make/autoconf/basic.m4 + - JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 update + - JDK-8312612: handle WideCharToMultiByte return values + - JDK-8313164: src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp GetRGBPixels adjust releasing of resources + - JDK-8313167: Update to use jtreg 7.3 + - JDK-8313206: PKCS11 tests silently skip execution + - JDK-8313244: NM flags handling in configure process + - JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns + - JDK-8313322: RISC-V: implement MD5 intrinsic + - JDK-8313368: (fc) FileChannel.size returns 0 on block special files + - JDK-8313575: Refactor PKCS11Test tests + - JDK-8313616: support loading library members on AIX in os::dll_load + - JDK-8313643: Update HarfBuzz to 8.2.2 + - JDK-8313656: assert(!JvmtiExport::can_support_virtual_threads()) with -XX:-DoJVMTIVirtualThreadTransitions + - JDK-8313756: [BACKOUT] 8308682: Enhance AES performance + - JDK-8313760: [REDO] Enhance AES performance + - JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic + - JDK-8313781: Add regression tests for large page logging and user-facing error messages + - JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used + - JDK-8313792: Verify 4th party information in src/jdk.internal.le/share/legal/jline.md + - JDK-8313873: java/nio/channels/DatagramChannel/SendReceiveMaxSize.java fails on AIX due to small default RCVBUF size and different IPv6 Header interpretation + - JDK-8314045: ArithmeticException in GaloisCounterMode + - JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on Windows when run as user with Administrator privileges + - JDK-8314120: Add tests for FileDescriptor.sync + - JDK-8314121: test tools/jpackage/share/RuntimePackageTest.java#id0 fails on RHEL8 + - JDK-8314191: C2 compilation fails with "bad AD file" + - JDK-8314226: Series of colon-style fallthrough switch cases with guards compiled incorrectly + - JDK-8314242: Update applications/scimark/Scimark.java to accept VM flags + - JDK-8314246: javax/swing/JToolBar/4529206/bug4529206.java fails intermittently on Linux + - JDK-8314263: Signed jars triggering Logger finder recursion and StackOverflowError + - JDK-8314330: java/foreign tests should respect vm flags when start new processes + - JDK-8314476: TestJstatdPortAndServer.java failed with "java.rmi.NoSuchObjectException: no such object in table" + - JDK-8314495: Update to use jtreg 7.3.1 + - JDK-8314551: More generic way to handshake GC threads with monitor deflation + - JDK-8314580: PhaseIdealLoop::transform_long_range_checks fails with assert "was tested before" + - JDK-8314632: Intra-case dominance check fails in the presence of a guard + - JDK-8314759: VirtualThread.parkNanos timeout adjustment when pinned should be replaced + - JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case + - JDK-8314935: Shenandoah: Unable to throw OOME on back-to-back Full GCs + - JDK-8315026: ProcessHandle implementation listing processes on AIX should use getprocs64 + - JDK-8315062: [GHA] get-bootjdk action should return the abolute path + - JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index)) + - JDK-8315088: C2: assert(wq.size() - before == EMPTY_LOOP_SIZE) failed: expect the EMPTY_LOOP_SIZE nodes of this body if empty + - JDK-8315195: RISC-V: Update hwprobe query for new extensions + - JDK-8315206: RISC-V: hwprobe query is_set return wrong value + - JDK-8315213: java/lang/ProcessHandle/TreeTest.java test enhance output of children + - JDK-8315214: Do not run sun/tools/jhsdb tests concurrently + - JDK-8315362: NMT: summary diff reports threads count incorrectly + - JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? + - JDK-8315383: jlink SystemModulesPlugin incorrectly parses the options + - JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases + - JDK-8315437: Enable parallelism in vmTestbase/nsk/monitoring/stress/classload tests + - JDK-8315442: Enable parallelism in vmTestbase/nsk/monitoring/stress/thread tests + - JDK-8315452: Erroneous AST missing modifiers for partial input + - JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen + - JDK-8315545: C1: x86 cmove can use short branches + - JDK-8315549: CITime misreports code/total nmethod sizes + - JDK-8315554: C1: Replace "cmp reg, 0" with "test reg, reg" on x86 + - JDK-8315578: PPC builds are broken after JDK-8304913 + - JDK-8315579: SPARC64 builds are broken after JDK-8304913 + - JDK-8315606: Open source few swing text/html tests + - JDK-8315612: RISC-V: intrinsic for unsignedMultiplyHigh + - JDK-8315644: increase timeout of sun/security/tools/jarsigner/Warning.java + - JDK-8315651: Stop hiding AIX specific multicast socket errors via NetworkConfiguration (aix) + - JDK-8315683: Parallelize java/util/concurrent/tck/JSR166TestCase.java + - JDK-8315684: Parallelize sun/security/util/math/TestIntegerModuloP.java + - JDK-8315688: Update jdk21u fix version to 21.0.2 + - JDK-8315692: Parallelize gc/stress/TestStressRSetCoarsening.java test + - JDK-8315696: SignedLoggerFinderTest.java test failed + - JDK-8315702: jcmd Thread.dump_to_file slow with millions of virtual threads + - JDK-8315706: com/sun/tools/attach/warnings/DynamicLoadWarningTest.java real fix for failure on AIX + - JDK-8315735: VerifyError when switch statement used with synchronized block + - JDK-8315751: RandomTestBsi1999 fails often with timeouts on Linux ppc64le + - JDK-8315766: Parallelize gc/stress/TestStressIHOPMultiThread.java test + - JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java should run with -XX:-VerifyDependencies + - JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading tests + - JDK-8315863: [GHA] Update checkout action to use v4 + - JDK-8315869: UseHeavyMonitors not used + - JDK-8315920: C2: "control input must dominate current control" assert failure + - JDK-8315931: RISC-V: xxxMaxVectorTestsSmokeTest fails when using RVV + - JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test + - JDK-8315937: Enable parallelism in vmTestbase/nsk/stress/numeric tests + - JDK-8315942: Sort platform enums and definitions after JDK-8304913 follow-ups + - JDK-8315960: test/jdk/java/io/File/TempDirDoesNotExist.java leaves test files behind + - JDK-8315971: ProblemList containers/docker/TestMemoryAwareness.java on linux-all + - JDK-8316003: Update FileChooserSymLinkTest.java to HTML instructions + - JDK-8316017: Refactor timeout handler in PassFailJFrame + - JDK-8316025: Use testUI() method of PassFailJFrame.Builder in FileChooserSymLinkTest.java + - JDK-8316030: Update Libpng to 1.6.40 + - JDK-8316031: SSLFlowDelegate should not log from synchronized block + - JDK-8316060: test/hotspot/jtreg/runtime/reflect/ReflectOutOfMemoryError.java may fail if heap is huge + - JDK-8316087: Test SignedLoggerFinderTest.java is still failing + - JDK-8316113: Infinite permission checking loop in java/net/spi/InetAddressResolverProvider/RuntimePermissionTest + - JDK-8316123: ProblemList serviceability/dcmd/gc/RunFinalizationTest.java on AIX + - JDK-8316130: Incorrect control in LibraryCallKit::inline_native_notify_jvmti_funcs + - JDK-8316142: Enable parallelism in vmTestbase/nsk/monitoring/stress/lowmem tests + - JDK-8316156: ByteArrayInputStream.transferTo causes MaxDirectMemorySize overflow + - JDK-8316178: Better diagnostic header for CodeBlobs + - JDK-8316179: Use consistent naming for lightweight locking in MacroAssembler + - JDK-8316181: Move the fast locking implementation out of the .ad files + - JDK-8316199: Remove sun/tools/jstatd/TestJstatd* tests from problemlist for Windows. + - JDK-8316206: Test StretchedFontTest.java fails for Baekmuk font + - JDK-8316304: (fs) Add support for BasicFileAttributes.creationTime() for Linux + - JDK-8316337: (bf) Concurrency issue in DirectByteBuffer.Deallocator + - JDK-8316341: sun/security/pkcs11/PKCS11Test.java needs adjustment on Linux ppc64le Ubuntu 22 + - JDK-8316387: Exclude more failing multicast tests on AIX after JDK-8315651 + - JDK-8316396: Endless loop in C2 compilation triggered by AddNode::IdealIL + - JDK-8316399: Exclude java/net/MulticastSocket/Promiscuous.java on AIX + - JDK-8316400: Exclude jdk/jfr/event/runtime/TestResidentSetSizeEvent.java on AIX + - JDK-8316401: sun/tools/jhsdb/JStackStressTest.java failed with "InternalError: We should have found a thread that owns the anonymous lock" + - JDK-8316411: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with force inline by CompileCommand missing + - JDK-8316414: C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86 + - JDK-8316415: Parallelize sun/security/rsa/SignedObjectChain.java subtests + - JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java get OOM killed with Parallel GC + - JDK-8316436: ContinuationWrapper uses unhandled nullptr oop + - JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit + - JDK-8316468: os::write incorrectly handles partial write + - JDK-8316514: Better diagnostic header for VtableStub + - JDK-8316540: StoreReproducibilityTest fails on some locales + - JDK-8316566: RISC-V: Zero extended narrow oop passed to Atomic::cmpxchg + - JDK-8316581: Improve performance of Symbol::print_value_on() + - JDK-8316585: [REDO] runtime/InvocationTests spend a lot of time on dependency verification + - JDK-8316645: RISC-V: Remove dependency on libatomic by adding cmpxchg 1b + - JDK-8316648: jrt-fs.jar classes not reproducible between standard and bootcycle builds + - JDK-8316659: assert(LockingMode != LM_LIGHTWEIGHT || flag == CCR0) failed: bad condition register + - JDK-8316671: sun/security/ssl/SSLSocketImpl/SSLSocketCloseHang.java test fails intermittent with Read timed out + - JDK-8316679: C2 SuperWord: wrong result, load should not be moved before store if not comparable + - JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java + - JDK-8316719: C2 compilation still fails with "bad AD file" + - JDK-8316735: Print LockStack in hs_err files + - JDK-8316741: BasicStroke.createStrokedShape miter-limits failing on small shapes + - JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic option result to warning + - JDK-8316746: Top of lock-stack does not match the unlocked object + - JDK-8316778: test hprof lib: invalid array element type from JavaValueArray.elementSize + - JDK-8316859: RISC-V: Disable detection of V through HWCAP + - JDK-8316879: RegionMatches1Tests fails if CompactStrings are disabled after JDK-8302163 + - JDK-8316880: AArch64: "stop: Header is not fast-locked" with -XX:-UseLSE since JDK-8315880 + - JDK-8316894: make test TEST="jtreg:test/jdk/..." fails on AIX + - JDK-8316906: Clarify TLABWasteTargetPercent flag + - JDK-8316929: Shenandoah: Shenandoah degenerated GC and full GC need to cleanup old OopMapCache entries + - JDK-8316933: RISC-V: compiler/vectorapi/VectorCastShape128Test.java fails when using RVV + - JDK-8316935: [s390x] Use consistent naming for lightweight locking in MacroAssembler + - JDK-8316958: Add test for unstructured locking + - JDK-8316967: Correct the scope of vmtimer in UnregisteredClasses::load_class + - JDK-8317039: Enable specifying the JDK used to run jtreg + - JDK-8317136: [AIX] Problem List runtime/jni/terminatedThread/TestTerminatedThread.java + - JDK-8317257: RISC-V: llvm build broken + - JDK-8317262: LockStack::contains(oop) fails "assert(t->is_Java_thread()) failed: incorrect cast to JavaThread" + - JDK-8317294: Classloading throws exceptions over already pending exceptions + - JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + - JDK-8317331: Solaris build failed with "declaration can not follow a statement (E_DECLARATION_IN_CODE)" + - JDK-8317335: Build on windows fails after 8316645 + - JDK-8317336: Assertion error thrown during 'this' escape analysis + - JDK-8317340: Windows builds are not reproducible if MS VS compiler install path differs + - JDK-8317373: Add Telia Root CA v2 + - JDK-8317374: Add Let's Encrypt ISRG Root X2 + - JDK-8317439: Updating RE Configs for BUILD REQUEST 21.0.2+1 + - JDK-8317507: C2 compilation fails with "Exceeded _node_regs array" + - JDK-8317510: Change Windows debug symbol files naming to avoid losing info when an executable and a library share the same name + - JDK-8317581: [s390x] Multiple test failure with LockingMode=2 + - JDK-8317601: Windows build on WSL broken after JDK-8317340 + - JDK-8317603: Improve exception messages thrown by sun.nio.ch.Net native methods (win) + - JDK-8317692: jcmd GC.heap_dump performance regression after JDK-8292818 + - JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh on linux-ppc64le and aix due to JDK-8248691 + - JDK-8317706: Exclude java/awt/Graphics2D/DrawString/RotTransText.java on linux + - JDK-8317711: Exclude gtest/GTestWrapper.java on AIX + - JDK-8317736: Stream::handleReset locks twice + - JDK-8317751: ProblemList ConsumeForModalDialogTest.java, MenuItemActivatedTest.java & MouseModifiersUnitTest_Standard.java for windows + - JDK-8317772: NMT: Make peak values available in release builds + - JDK-8317790: Fix Bug entry for exclusion of runtime/jni/terminatedThread/TestTerminatedThread.java on AIX + - JDK-8317803: Exclude java/net/Socket/asyncClose/Race.java on AIX + - JDK-8317807: JAVA_FLAGS removed from jtreg running in JDK-8317039 + - JDK-8317818: Combinatorial explosion during 'this' escape analysis + - JDK-8317834: java/lang/Thread/IsAlive.java timed out + - JDK-8317839: Exclude java/nio/channels/Channels/SocketChannelStreams.java on AIX + - JDK-8317920: JDWP-agent sends broken exception event with onthrow option + - JDK-8317959: Check return values of malloc in native java.base coding + - JDK-8317964: java/awt/Mouse/MouseModifiersUnitTest/MouseModifiersUnitTest_Standard.java fails on macosx-all after JDK-8317751 + - JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to handle default cases + - JDK-8317987: C2 recompilations cause high memory footprint + - JDK-8318078: ADLC: pass ASSERT and PRODUCT flags + - JDK-8318089: Class space not marked as such with NMT when CDS is off + - JDK-8318137: Change milestone to fcs for all releases + - JDK-8318144: Match on enum constants with body compiles but fails with MatchException + - JDK-8318183: C2: VM may crash after hitting node limit + - JDK-8318240: [AIX] Cleaners.java test failure + - JDK-8318415: Adjust describing comment of os_getChildren after 8315026 + - JDK-8318474: Fix memory reporter for thread_count + - JDK-8318525: Atomic gtest should run as TEST_VM to access VM capabilities + - JDK-8318528: Rename TestUnstructuredLocking test + - JDK-8318540: make test cannot run .jasm tests directly + - JDK-8318562: Computational test more than 2x slower when AVX instructions are used + - JDK-8318587: refresh libraries cache on AIX in print_vm_info + - JDK-8318591: avoid leaks in loadlib_aix.cpp reload_table() + - JDK-8318669: Target OS detection in 'test-prebuilt' makefile target is incorrect when running on MSYS2 + - JDK-8318705: [macos] ProblemList java/rmi/registry/multipleRegistries/MultipleRegistries.java + - JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with "transport error 202: bind failed: Address already in use" + - JDK-8318759: Add four DigiCert root certificates + - JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late + - JDK-8318895: Deoptimization results in incorrect lightweight locking stack + - JDK-8318951: Additional negative value check in JPEG decoding + - JDK-8318953: RISC-V: Small refactoring for MacroAssembler::test_bit + - JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return + - JDK-8318957: enhance agentlib:jdwp help output by info about allow option + - JDK-8318961: increase javacserver connection timeout values and max retry attempts + - JDK-8318981: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with 'disallowed by CompileCommand' missing from stdout/stderr + - JDK-8319104: GtestWrapper crashes with SIGILL in AsyncLogTest::test_asynclog_raw on AIX opt + - JDK-8319120: Unbound ScopedValue.get() throws the wrong exception + - JDK-8319184: RISC-V: improve MD5 intrinsic + - JDK-8319187: Add three eMudhra emSign roots + - JDK-8319195: Move most tier 1 vector API regression tests to tier 3 + - JDK-8319268: Build failure with GCC8.3.1 after 8313643 + - JDK-8319339: Internal error on spurious markup in a hybrid snippet + - JDK-8319436: Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader + - JDK-8319525: RISC-V: Rename *_riscv64.ad files to *_riscv.ad under riscv/gc + - JDK-8319532: jshell - Non-sealed declarations sometimes break a snippet evaluation + - JDK-8319542: Fix boundaries of region to be tested with os::is_readable_range + - JDK-8319700: [AArch64] C2 compilation fails with "Field too big for insn" + - JDK-8319828: runtime/NMT/VirtualAllocCommitMerge.java may fail if mixing interpreted and compiled native invocations + - JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21 + - JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not compile on Windows 32-bit + - JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks + - JDK-8320001: javac crashes while adding type annotations to the return type of a constructor + - JDK-8320053: GHA: Cross-compile gtest code + - JDK-8320209: VectorMaskGen clobbers rflags on x86_64 + - JDK-8320280: RISC-V: Avoid passing t0 as temp register to MacroAssembler::lightweight_lock/unlock + - JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + - JDK-8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all + - JDK-8321067: Unlock experimental options in EATests.java + - JDK-8322883: [BACKOUT] 8225377: type annotations are not visible to javac plugins across compilation boundaries + - JDK-8322985: [BACKOUT] 8318562: Computational test more than 2x slower when AVX instructions are used + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows +====================================================================== +On Windows 10 version 1709 and above, TCP_KEEPIDLE and +TCP_KEEPINTERVAL are now supported in the +java.net.ExtendedSocketOptions class. Similarly, on Windows 10 +version 1703 and above, TCP_KEEPCOUNT is now supported. + +hotspot/compiler: + +JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index)) +================================================================================================= +In the initial release of JDK 21, running the JVM with -XX:+UseZGC and +a non-default value of -XX:ObjectAlignmentInBytes could lead to JVM +crashes or incorrect execution. This issue should now be resolved and +it should be possible to use these options again. + +hotspot/runtime: + +JDK-8317772: NMT: Make peak values available in release builds +============================================================== +The peak value is the highest value for committed memory in a given +Native Memory Tracking (NMT) category over the lifetime of the JVM +process. NMT reports will now show the peak value for all categories. + +If the committed memory for a category is at its peak, NMT will +print "at peak". Otherwise, it prints the peak value. + +For example, "Compiler (arena=196KB #4) (peak=6126KB #16)" shows that +compiler arena memory peaked above 6 MB, but now hovers around 200KB. + +JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used +=========================================================================== +On Linux, the JVM will now print the following message to standard +output if Transparent Huge Pages (THPs) are requested, but are not +supported on the operating system: + +"UseTransparentHugePages disabled; transparent huge pages are not +supported by the operating system." + +security-libs/java.security: + +JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt +================================================================= +The following root certificate has been added to the cacerts +truststore: + +Name: Let's Encrypt +Alias Name: letsencryptisrgx2 +Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US + +JDK-8318759: Added Four Root Certificates from DigiCert, Inc. +============================================================= +The following root certificates have been added to the cacerts +truststore: + +Name: DigiCert, Inc. +Alias Name: digicertcseccrootg5 +Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicertcsrsarootg5 +Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlseccrootg5 +Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlsrsarootg5 +Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited +============================================================================ +The following root certificates have been added to the cacerts +truststore: + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag1 +Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsigneccrootcag3 +Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag2 +Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +JDK-8317373: Added Telia Root CA v2 Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Telia Root CA v2 +Alias Name: teliarootcav2 +Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` + +New in release OpenJDK 21.0.1 (2023-10-17): +=========================================== + +* CVEs + - CVE-2023-22081 + - CVE-2023-22025 +* Security fixes + - JDK-8286503, JDK-8312367: Enhance security classes + - JDK-8296581: Better system proxy support + - JDK-8297856: Improve handling of Bidi characters + - JDK-8309966: Enhanced TLS connections + - JDK-8312248: Enhanced archival support redux + - JDK-8314649: Enhanced archival support redux + - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 +* Other changes + - JDK-8240567: MethodTooLargeException thrown while creating a jlink image + - JDK-8284772: GHA: Use GCC Major Version Dependencies Only + - JDK-8293114: JVM should trim the native heap + - JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8303815: Improve Metaspace test speed + - JDK-8304954: SegmentedCodeCache fails when using large pages + - JDK-8307766: Linux: Provide the option to override the timer slack + - JDK-8308042: [macos] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters + - JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java timed out and also had jcmd pipe errors + - JDK-8308184: Launching java with large number of jars in classpath with java.protocol.handler.pkgs system property set can lead to StackOverflowError + - JDK-8308474: DSA does not reset SecureRandom when initSign is called again + - JDK-8308609: java/lang/ScopedValue/StressStackOverflow.java fails with "-XX:-VMContinuations" + - JDK-8309032: jpackage does not work for module projects unless --module-path is specified + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8309214: sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154 + - JDK-8309475: Test java/foreign/TestByteBuffer.java fails: a problem with msync (aix) + - JDK-8309502: RISC-V: String.indexOf intrinsic may produce misaligned memory loads + - JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level + - JDK-8309746: Reconfigure check should include make/conf/version-numbers.conf + - JDK-8309889: [s390] Missing return statement after calling jump_to_native_invoker method in generate_method_handle_dispatch. + - JDK-8310106: sun.security.ssl.SSLHandshake.getHandshakeProducer() incorrectly checks handshakeConsumers + - JDK-8310171: Bump version numbers for 21.0.1 + - JDK-8310211: serviceability/jvmti/thread/GetStackTrace/getstacktr03/getstacktr03.java failing + - JDK-8310233: Fix THP detection on Linux + - JDK-8310268: RISC-V: misaligned memory access in String.Compare intrinsic + - JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose + - JDK-8310586: ProblemList java/lang/ScopedValue/StressStackOverflow.java#default with virtual threads on linux-all + - JDK-8310687: JDK-8303215 is incomplete + - JDK-8310873: Re-enable locked_create_entry symbol check in runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V + - JDK-8311026: Some G1 specific tests do not set -XX:+UseG1GC + - JDK-8311033: [macos] PrinterJob does not take into account Sides attribute + - JDK-8311160: [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem + - JDK-8311249: Remove unused MemAllocator::obj_memory_range + - JDK-8311285: report some fontconfig related environment variables in hs_err file + - JDK-8311511: Improve description of NativeLibrary JFR event + - JDK-8311592: ECKeySizeParameterSpec causes too many exceptions on third party providers + - JDK-8311682: Change milestone to fcs for all releases + - JDK-8311862: RISC-V: small improvements to shift immediate instructions + - JDK-8311917: MAP_FAILED definition seems to be obsolete in src/java.desktop/unix/native/common/awt/fontpath.c + - JDK-8311921: Inform about MaxExpectedDataSegmentSize in case of pthread_create failures on AIX + - JDK-8311923: TestIRMatching.java fails on RISC-V + - JDK-8311926: java/lang/ScopedValue/StressStackOverflow.java takes 9mins in tier1 + - JDK-8311955: c++filt is now ibm-llvm-cxxfilt when using xlc17 / clang on AIX + - JDK-8311981: Test gc/stringdedup/TestStringDeduplicationAgeThreshold.java#ZGenerational timed out + - JDK-8312127: FileDescriptor.sync should temporarily increase parallelism + - JDK-8312180: (bf) MappedMemoryUtils passes incorrect arguments to msync (aix) + - JDK-8312182: THPs cause huge RSS due to thread start timing issue + - JDK-8312394: [linux] SIGSEGV if kernel was built without hugepage support + - JDK-8312395: Improve assertions in growableArray + - JDK-8312401: SymbolTable::do_add_if_needed hangs when called in InstanceKlass::add_initialization_error path with requesting length exceeds max_symbol_length + - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312525: New test runtime/os/TestTrimNative.java#trimNative is failing: did not see the expected RSS reduction + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1) + - JDK-8312573: Failure during CompileOnly parsing leads to ShouldNotReachHere + - JDK-8312585: Rename DisableTHPStackMitigation flag to THPStackMitigation + - JDK-8312591: GCC 6 build failure after JDK-8280982 + - JDK-8312619: Strange error message when switching over long + - JDK-8312620: WSL Linux build crashes after JDK-8310233 + - JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java failed: RSS use increased + - JDK-8312909: C1 should not inline through interface calls with non-subtype receiver + - JDK-8312976: MatchResult produces StringIndexOutOfBoundsException for groups outside match + - JDK-8312984: javac may crash on a record pattern with too few components + - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + - JDK-8313248: C2: setScopedValueCache intrinsic exposes nullptr pre-values to store barriers + - JDK-8313262: C2: Sinking node may cause required cast to be dropped + - JDK-8313307: java/util/Formatter/Padding.java fails on some Locales + - JDK-8313312: Add missing classpath exception copyright header + - JDK-8313323: javac -g on a java file which uses unnamed variable leads to ClassFormatError when launching that class + - JDK-8313402: C1: Incorrect LoadIndexed value numbering + - JDK-8313428: GHA: Bump GCC versions for July 2023 updates + - JDK-8313576: GCC 7 reports compiler warning in bundled freetype 2.13.0 + - JDK-8313602: increase timeout for jdk/classfile/CorpusTest.java + - JDK-8313626: C2 crash due to unexpected exception control flow + - JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors + - JDK-8313676: Amend TestLoadIndexedMismatch test to target intrinsic directly + - JDK-8313678: SymbolTable can leak Symbols during cleanup + - JDK-8313691: use close after failing os::fdopen in vmError and ciEnv + - JDK-8313701: GHA: RISC-V should use the official repository for bootstrap + - JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase + - JDK-8313752: InstanceKlassFlags::print_on doesn't print the flag names + - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) + - JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer + - JDK-8313874: JNI NewWeakGlobalRef throws exception for null arg + - JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/CodeCacheFullCountTest.java fails with java.lang.VirtualMachineError + - JDK-8313904: [macos] All signing tests which verifies unsigned app images are failing + - JDK-8314020: Print instruction blocks in byte units + - JDK-8314024: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info + - JDK-8314063: The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection + - JDK-8314117: RISC-V: Incorrect VMReg encoding in RISCV64Frame.java + - JDK-8314118: Update JMH devkit to 1.37 + - JDK-8314139: TEST_BUG: runtime/os/THPsInThreadStackPreventionTest.java could fail on machine with large number of cores + - JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + - JDK-8314216: Case enumConstant, pattern compilation fails + - JDK-8314262: GHA: Cut down cross-compilation sysroots deeper + - JDK-8314423: Multiple patterns without unnamed variables + - JDK-8314426: runtime/os/TestTrimNative.java is failing on slow machines + - JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/JMapHeapConfigTest.java fails + - JDK-8314517: some tests fail in case ipv6 is disabled on the machine + - JDK-8314618: RISC-V: -XX:MaxVectorSize does not work as expected + - JDK-8314656: GHA: No need for Debian ports keyring installation after JDK-8313701 + - JDK-8314679: SA fails to properly attach to JVM after having just detached from a different JVM + - JDK-8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev + - JDK-8314850: SharedRuntime::handle_wrong_method() gets called too often when resolving Continuation.enter + - JDK-8314960: Add Certigna Root CA - 2 + - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate. + - JDK-8315051: jdk/jfr/jvm/TestGetEventWriter.java fails with non-JVMCI GCs + - JDK-8315534: Incorrect warnings about implicit annotation processing + +Notes on individual issues: +=========================== + +core-libs/java.util.jar: + +JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) +===================================================================== +Additional validity checks in the handling of Zip64 files, +JDK-8302483, introduced in 21.0.0, caused the use of some valid zip +files to now fail with the error, `Invalid CEN header (invalid zip64 +extra data field size)` + +This release, 21.0.1, allows for zero length headers and additional +padding produced by some Zip64 creation tools. + +The following third party tools have also released patches to better +adhere to the ZIP File Format Specification: + +* Apache Commons Compress fix for Empty CEN Zip64 Extra Headers fixed in Commons Compress release 1.11 +* Apache Ant fix for Empty CEN Zip64 Extra Headers fixed in Ant 1.10.14 +* BND issue with writing invalid Extra Headers fixed in BND 5.3 + +The maven-bundle-plugin 5.1.5 includes the BND 5.3 patch. + +If these improved validation checks cause issues for deployed zip or +jar files, check how the file was created and whether patches are +available from the generating software to resolve the issue. With +both JDK releases, the checks can be disabled by setting the new +system property, `jdk.util.zip.disableZip64ExtraFieldValidation` to +`true`. + +hotspot/runtime: + +JDK-8311981: JVM May Hang When Using Generational ZGC if a VM Handshake Stalls on Memory +======================================================================================== +The JVM can hang under an uncommon condition that involves the JVM +running out of heap memory, the GC just starting a relocation phase to +reclaim memory, and a JVM thread-local Handshake asking to relocate an +object. This potential deadlock should now be avoided in this +release. + +core-libs/java.util.regex: + +JDK-8312976: `java.util.regex.MatchResult` Might Throw `StringIndexOutOfBoundsException` on Regex Patterns Containing Lookaheads and Lookbehinds +================================================================================================================================================ +JDK-8132995 introduced an unintended regression when using instances +returned by `java.util.regex.Matcher.toMatchResult()`. + +This regression happens with a `java.util.regex.Pattern`s containing +lookaheads and lookbehinds that, in turn, contain groups. If these are +located outside the match, a `StringIndexOutOfBoundsException` is +thrown when accessing these groups. See JDK-8312976 for an example. + +The issue is resolved in this release by calculating a minimum start +location as part of the match result and using this in constructing +String objects, rather than the location of the first match. + +JDK-8314960: Added Certigna Root CA Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR + +JDK-8312489: Increase Default Value of the System Property `jdk.jar.maxSignatureFileSize` +========================================================================================= +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 21.0.0 release of OpenJDK by JDK-8300596 to +control the maximum size of signature files in a signed JAR. The +default value of 8MB proved to be too small for some JAR files. This +release, 21.0.1, increases it to 16MB. + +New in release OpenJDK 21.0.0 (2023-09-XX): +=========================================== +Major changes are listed below. Some changes may have been backported +to earlier releases following their first appearance in OpenJDK 18 +through to 21. + +NEW FEATURES +============ + +Language Features +================= + +Pattern Matching for switch +=========================== +https://openjdk.org/jeps/406 +https://openjdk.org/jeps/420 +https://openjdk.org/jeps/427 +https://openjdk.org/jeps/433 +https://openjdk.org/jeps/441 + +Enhance the Java programming language with pattern matching for +`switch` expressions and statements, along with extensions to the +language of patterns. Extending pattern matching to `switch` allows an +expression to be tested against a number of patterns, each with a +specific action, so that complex data-oriented queries can be +expressed concisely and safely. + +This was a preview feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 17 (JEP 406), which saw a second preview in +OpenJDK 18 (JEP 420), a third in OpenJDK 19 (JEP 427) and a fourth +(JEP 427) in OpenJDK 20. It became final with OpenJDK 21 (JEP 441). + +Record Patterns +=============== +https://openjdk.org/jeps/405 +https://openjdk.org/jeps/432 +https://openjdk.org/jeps/440 + +Enhance the Java programming language with record patterns to +deconstruct record values. Record patterns and type patterns can be +nested to enable a powerful, declarative, and composable form of data +navigation and processing. + +This was a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 19 (JEP 405) with a second preview (JEP 432) in OpenJDK 20. +It became final with OpenJDK 21 (JEP 440). + +String Templates +================ +https://openjdk.org/jeps/430 + +Enhance the Java programming language with string templates. String +templates complement Java's existing string literals and text blocks +by coupling literal text with embedded expressions and template +processors to produce specialized results. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 430). + +Unnamed Patterns and Variables +============================== +https://openjdk.org/jeps/443 + +Enhance the Java language with unnamed patterns, which match a record +component without stating the component's name or type, and unnamed +variables, which can be initialized but not used. Both are denoted by +an underscore character, _. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 443). + +Unnamed Classes and Instance Main Methods (Preview) +=================================================== +https://openjdk.org/jeps/445 + +Evolve the Java language so that students can write their first +programs without needing to understand language features designed for +large programs. Far from using a separate dialect of Java, students +can write streamlined declarations for single-class programs and then +seamlessly expand their programs to use more advanced features as +their skills grow. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 445). + +Library Features +================ + +UTF-8 by Default +================ +https://openjdk.org/jeps/400 + +Specify UTF-8 as the default charset of the standard Java APIs. With +this change, APIs that depend upon the default charset will behave +consistently across all implementations, operating systems, locales, +and configurations. + +Reimplement Core Reflection with Method Handles +=============================================== +https://openjdk.org/jeps/416 + +Reimplement java.lang.reflect.Method, Constructor, and Field on top of +java.lang.invoke method handles. Making method handles the underlying +mechanism for reflection will reduce the maintenance and development +cost of both the java.lang.reflect and java.lang.invoke APIs. + +Vector API +========== +https://openjdk.org/jeps/338 +https://openjdk.org/jeps/414 +https://openjdk.org/jeps/417 +https://openjdk.org/jeps/426 +https://openjdk.org/jeps/438 +https://openjdk.org/jeps/448 + +Introduce an API to express vector computations that reliably compile +at runtime to optimal vector hardware instructions on supported CPU +architectures and thus achieve superior performance to equivalent +scalar computations. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16 (JEP 338). A second round of incubation took +place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third, +OpenJDK 19 a fourth (JEP 426), OpenJDK 20 (JEP 438) a fifth and +OpenJDK 21 a sixth (JEP 448). + +Internet-Address Resolution SPI +=============================== +https://openjdk.org/jeps/418 + +Define a service-provider interface (SPI) for host name and address +resolution, so that java.net.InetAddress can make use of resolvers +other than the platform's built-in resolver. + +Foreign Function & Memory API +============================= +https://openjdk.org/jeps/412 +https://openjdk.org/jeps/419 +https://openjdk.org/jeps/424 +https://openjdk.org/jeps/434 +https://openjdk.org/jeps/442 + +Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. + +This API is now a preview feature (http://openjdk.java.net/jeps/12). +It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 17 (JEP 412), and is an +evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and +Foreign Linker API (OpenJDK 16) (see release notes for +java-17-openjdk). OpenJDK 18 saw a second round of incubation (JEP +419) before its inclusion as a preview in OpenJDK 19 (JEP 424) and a +second in OpenJDK 20 (JEP 434). It reaches a third preview in OpenJDK +21 (JEP 442). + +Virtual Threads +=============== +https://openjdk.org/jeps/425 +https://openjdk.org/jeps/436 +https://openjdk.org/jeps/444 + +Introduce virtual threads to the Java Platform. Virtual threads are +lightweight threads that dramatically reduce the effort of writing, +maintaining, and observing high-throughput concurrent applications. + +This was a preview feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 19 (JEP 425) and reaching its second preview in +OpenJDK 20 (JEP 436). It became final with OpenJDK 21 (JEP 444). + +Structured Concurrency +====================== +https://openjdk.org/jeps/428 +https://openjdk.org/jeps/437 +https://openjdk.org/jeps/453 + +Simplify multithreaded programming by introducing an API for +structured concurrency. Structured concurrency treats multiple tasks +running in different threads as a single unit of work, thereby +streamlining error handling and cancellation, improving reliability, +and enhancing observability. + +This API is now a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 21 (JEP 453). It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 19 (JEP 428) and had a +second round of incubation in OpenJDK 20 (JEP 437). + +Scoped Values +============= +https://openjdk.org/jeps/429 + +Introduce scoped values, which enable the sharing of immutable data +within and across threads. They are preferred to thread-local +variables, especially when using large numbers of virtual threads. + +This API is now a preview feature (http://openjdk.java.net/jeps/12) +in OpenJDK 21 (JEP 429). It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 20 (JEP 429). + +Sequenced Collections +===================== +https://openjdk.org/jeps/431 + +Introduce new interfaces to represent collections with a defined +encounter order. Each such collection has a well-defined first +element, second element, and so forth, up to the last element. It also +provides uniform APIs for accessing its first and last elements, and +for processing its elements in reverse order. + +Key Encapsulation Mechanism API +=============================== +https://openjdk.org/jeps/452 + +Introduce an API for key encapsulation mechanisms (KEMs), an +encryption technique for securing symmetric keys using public key +cryptography. + +Virtual Machine Enhancements +============================ + +Generational ZGC +================ +https://openjdk.org/jeps/439 + +Improve application performance by extending the Z Garbage Collector +(ZGC) to maintain separate generations for young and old objects. This +will allow ZGC to collect young objects — which tend to die young — +more frequently. + +Tools +===== + +Simple Web Server +================= +https://openjdk.org/jeps/408 + +Provide a command-line tool, `jwebserver`, to start a minimal web +server that serves static files only. No CGI or servlet-like +functionality is available. This tool will be useful for prototyping, +ad-hoc coding, and testing purposes, particularly in educational +contexts. + +Code Snippets in Java API Documentation +======================================= +https://openjdk.org/jeps/413 + +Introduce an @snippet tag for JavaDoc's Standard Doclet, to simplify +the inclusion of example source code in API documentation. + +Ports +===== + +Linux/RISC-V Port +================= +https://openjdk.org/jeps/422 + +RISC-V is a free and open-source RISC instruction set architecture +(ISA) designed originally at the University of California, Berkeley, +and now developed collaboratively under the sponsorship of RISC-V +International. It is already supported by a wide range of language +toolchains. With the increasing availability of RISC-V hardware, a +port of the JDK would be valuable. + +DEPRECATIONS +============ + +Deprecate Finalization for Removal +================================== +https://openjdk.org/jeps/421 + +Deprecate finalization for removal in a future release. Finalization +remains enabled by default for now, but can be disabled to facilitate +early testing. In a future release it will be disabled by default, and +in a later release it will be removed. Maintainers of libraries and +applications that rely upon finalization should consider migrating to +other resource management techniques such as the try-with-resources +statement and cleaners. + +Deprecate the Windows 32-bit x86 Port for Removal +================================================= +https://openjdk.org/jeps/449 + +Deprecate the Windows 32-bit x86 port, with the intent to remove it in +a future release. + +Prepare to Disallow the Dynamic Loading of Agents +================================================= +https://openjdk.org/jeps/451 + +Issue warnings when agents are loaded dynamically into a running +JVM. These warnings aim to prepare users for a future release which +disallows the dynamic loading of agents by default in order to improve +integrity by default. Serviceability tools that load agents at startup +will not cause warnings to be issued in any release. diff --git a/README.md b/README.md new file mode 100644 index 0000000..aad5941 --- /dev/null +++ b/README.md @@ -0,0 +1,46 @@ +OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform. + +For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream +release page for OpenJDK 21 and the preceding interim releases: + +* 18: https://openjdk.java.net/projects/jdk/18/ +* 19: https://openjdk.java.net/projects/jdk/19/ +* 20: https://openjdk.java.net/projects/jdk/20/ +* 21: https://openjdk.java.net/projects/jdk/21/ + +# Rebuilding the OpenJDK package + +The OpenJDK packages are now created from a single build which is then +packaged for different major versions of Red Hat Enterprise Linux +(RHEL). This allows the OpenJDK team to focus their efforts on the +development and testing of this single build, rather than having +multiple builds which only differ by the platform they were built on. + +This does make rebuilding the package slightly more complicated than a +normal package. Modifications should be made to the +`java-21-openjdk-portable.specfile` file, which can be found with this +README file in the source RPM or installed in the documentation tree +by the `java-21-openjdk-headless` RPM. + +Once the modified `java-21-openjdk-portable` RPMs are built, they +should be installed and will produce a number of tarballs in the +`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be +built, which will use these tarballs to create the usual RPMs found in +RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the +desired final RPMs are produced. + +Note that the `java-21-openjdk.spec` file has a hard requirement on +the exact version of java-21-openjdk-portable to use, so this will +need to be modified if the version or rpmrelease values are changed in +`java-21-openjdk-portable.specfile`. + +To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` +builds may be disabled using `--without fastdebug` and `--without +slowdebug`. + +By default, the portable build on RHEL also uses a "devkit" (a +toolchain and system libraries) to build. This aids reproducibility +by removing build differences caused by differing system toolchains +and libraries. This dependency can be dropped by defining 'centos' to +a non-zero value (e.g. --define='centos 1') or a devkit can be built +using the `openjdk-devkit.specfile` and associated patches. diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..2967a32 --- /dev/null +++ b/TestSecurityProperties.java @@ -0,0 +1,84 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(propsFile)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + +} diff --git a/TestTranslations.java b/TestTranslations.java new file mode 100644 index 0000000..f6a4fe2 --- /dev/null +++ b/TestTranslations.java @@ -0,0 +1,160 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV, CIUDAD_JUAREZ; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET", + "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST", + "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", + "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", + "heure des Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST", + "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", + "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/alt-java.c b/alt-java.c new file mode 100644 index 0000000..644d002 --- /dev/null +++ b/alt-java.c @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2023 Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Red Hat designates this + * particular file as subject to the "Classpath" exception as provided + * by Red Hat in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* Per task speculation control */ +#ifndef PR_GET_SPECULATION_CTRL +# define PR_GET_SPECULATION_CTRL 52 +#endif +#ifndef PR_SET_SPECULATION_CTRL +# define PR_SET_SPECULATION_CTRL 53 +#endif +/* Speculation control variants */ +#ifndef PR_SPEC_STORE_BYPASS +# define PR_SPEC_STORE_BYPASS 0 +#endif +/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ + +#ifndef PR_SPEC_NOT_AFFECTED +# define PR_SPEC_NOT_AFFECTED 0 +#endif +#ifndef PR_SPEC_PRCTL +# define PR_SPEC_PRCTL (1UL << 0) +#endif +#ifndef PR_SPEC_ENABLE +# define PR_SPEC_ENABLE (1UL << 1) +#endif +#ifndef PR_SPEC_DISABLE +# define PR_SPEC_DISABLE (1UL << 2) +#endif +#ifndef PR_SPEC_FORCE_DISABLE +# define PR_SPEC_FORCE_DISABLE (1UL << 3) +#endif +#ifndef PR_SPEC_DISABLE_NOEXEC +# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) +#endif + +static void set_speculation() { +#if defined(__linux__) && defined(__x86_64__) + // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it + // if ( prctl(PR_SET_SPECULATION_CTRL, + // PR_SPEC_STORE_BYPASS, + // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { + // return; + // } + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); +#else +#warning alt-java requested but SSB mitigation not available on this platform. +#endif +} + +int main(int argc, char **argv) { + set_speculation(); + + char our_name[PATH_MAX], java_name[PATH_MAX]; + ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1); + if (len < 0) { + perror("I can't find myself"); + exit(2); + } + + our_name[len] = '\0'; // readlink(2) doesn't append a null byte + char *path = dirname(our_name); + strncpy(java_name, path, PATH_MAX - 1); + + size_t remaining_bytes = PATH_MAX - strlen(path) - 1; + strncat(java_name, "/java", remaining_bytes); + + execv(java_name, argv); + fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno)); + + exit(1); +} + diff --git a/fips-21u-9203d50836c.patch b/fips-21u-9203d50836c.patch new file mode 100644 index 0000000..9966391 --- /dev/null +++ b/fips-21u-9203d50836c.patch @@ -0,0 +1,4234 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..f48fc7f7e80 +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,87 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) ++ ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index 51d4f724c33..feb0bcf3e75 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_X11 + + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + BASIC_JDKLIB_LIBS_TARGET="" +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index f6def153c82..4d7abc33427 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 9e5cfe2d0fc..434ade8e182 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 1e0f66726d0..59fe923f2c5 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index 10093137151..b023c63ae58 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -147,298 +152,299 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); +- +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +@@ -651,136 +659,137 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); + +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); +- +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * KEMs +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + +- "|java.security.interfaces.XECKey"); +- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); ++ ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * KEMs ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + ++ "|java.security.interfaces.XECKey"); ++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 671529f71a1..af632936921 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -34,6 +34,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -58,6 +59,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -75,6 +81,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -96,6 +115,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -116,6 +136,61 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } ++ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -126,7 +201,7 @@ public final class Security { + + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..9d26a54f5d4 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index 919d758a6e3..b1e5fbaf84a 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -43,6 +43,7 @@ import java.io.PrintStream; + import java.io.PrintWriter; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -90,6 +91,7 @@ public class SharedSecrets { + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; + private static JavaTemplateAccess javaTemplateAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -537,4 +539,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 06b141dcf22..e8cbf7f15d7 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -158,6 +158,7 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index f036a411f1d..1e9de933bd9 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.LinkedHashSet; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetBooleanAction; + +@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -102,89 +107,92 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- attrs.remove("KeySize"); ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } + + attrs.clear(); + attrs.put("ImplementedIn", "Software"); +@@ -196,9 +204,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -213,44 +223,46 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- addWithAlias(p, "KeyFactory", "HSS/LMS", +- "sun.security.provider.HSS$KeyFactoryImpl", attrs); +- +- /* +- * Digest engines +- */ +- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", +- attrs); +- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", +- attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ addWithAlias(p, "KeyFactory", "HSS/LMS", ++ "sun.security.provider.HSS$KeyFactoryImpl", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", ++ attrs); ++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", ++ attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index 539ef1e8ee8..435f57e3ff2 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index f8b01a4ea1e..b325bf7e9fc 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -85,6 +85,17 @@ security.provider.tbd=Apple + #endif + security.provider.tbd=SunPKCS11 + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=pkcs12 ++ ++# ++# Location of the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# The syntax for this property is identical to the 'nssSecmodDirectory' ++# attribute available in the SunPKCS11 NSS configuration file. Use the ++# 'sql:' prefix to refer to an SQLite DB. ++# ++# If the system property fips.nssdb.path is also specified, it supersedes ++# the security property value defined here. ++# ++# Note: the default value for this property points to an NSS DB that might be ++# readable by multiple operating system users and unsuitable to store keys. ++# ++fips.nssdb.path=sql:/etc/pki/nssdb ++ ++# ++# PIN for the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# Values must take any of the following forms: ++# 1) pin: ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -332,6 +384,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ +diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy +index 86d45147709..22fd8675503 100644 +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..48d6d656a28 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,457 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index 01fc06ae283..e3ca000d309 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length { + @Serial + private static final long serialVersionUID = -2575874101938349339L; + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final String PUBLIC = "public"; + private static final String PRIVATE = "private"; + private static final String SECRET = "secret"; +@@ -414,9 +419,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = +- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || +- attrs[1].getBoolean() || !attrs[2].getBoolean(); ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && ++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + return switch (algorithm) { + case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, +@@ -468,7 +474,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || !extractable || (isNSS && tokenObject)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || !extractable || (isNSS && tokenObject))) { + return null; + } else { + return "RAW"; +@@ -1638,4 +1645,3 @@ final class SessionKeyRef extends PhantomReference { + this.clear(); + } + } +- +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 0a62021633f..0723b69c2bc 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + import java.util.stream.Collectors; + import java.security.*; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { + @Serial + private static final long serialVersionUID = -1354835039035306505L; + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ + static final Debug debug = Debug.getInstance("sunpkcs11"); + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; +@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance( ++ library, functionList, initArgs, ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { + } else { + initArgs.flags = 0; + } +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance(library, ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +@@ -1388,11 +1460,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (!token.isValid()) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1749,6 +1862,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index a6f5f0a8764..9a07c96ca4e 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; + */ + final class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + @Serial + private static final long serialVersionUID = 2541527649100571747L; +@@ -125,6 +129,10 @@ final class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -242,7 +250,12 @@ final class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (!isLoggedIn(session)) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 0fd13fd6fa6..3c959c942a1 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.AccessController; +@@ -174,18 +177,43 @@ public class PKCS11 { + return version; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter, ++ MethodHandle fipsKeyExporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null && ++ fipsKeyExporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -2012,4 +2040,194 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(PKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ FIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.PKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ SynchronizedFIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public synchronized void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, ++ MethodHandle fipsKeyExporter, long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ Map sensitiveAttrs = new HashMap<>(); ++ List nonSensitiveAttrs = new LinkedList<>(); ++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, ++ sensitiveAttrs, nonSensitiveAttrs); ++ try { ++ if (sensitiveAttrs.size() > 0) { ++ long keyClass = -1L; ++ long keyType = -1L; ++ try { ++ // Secret and private keys have both class and type ++ // attributes, so we can query them at once. ++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ ++ new CK_ATTRIBUTE(CKA_CLASS), ++ new CK_ATTRIBUTE(CKA_KEY_TYPE), ++ }; ++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); ++ keyClass = queryAttrs[0].getLong(); ++ keyType = queryAttrs[1].getLong(); ++ } catch (PKCS11Exception e) { ++ // If the query fails, the object is neither a secret nor a ++ // private key. As this case won't be handled with the FIPS ++ // Key Exporter, we keep keyClass initialized to -1L. ++ } ++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { ++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, ++ sensitiveAttrs); ++ if (nonSensitiveAttrs.size() > 0) { ++ CK_ATTRIBUTE[] pNonSensitiveAttrs = ++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; ++ int i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ pNonSensitiveAttrs[i++] = nonSensAttr; ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, ++ pNonSensitiveAttrs); ++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we ++ // update the reference on the previous CK_ATTRIBUTEs ++ i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; ++ } ++ } ++ return; ++ } ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, ++ Map sensitiveAttrs, ++ List nonSensitiveAttrs) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ long type = attr.type; ++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c ++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || ++ type == CKA_PRIME_1 || type == CKA_PRIME_2 || ++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || ++ type == CKA_COEFFICIENT) { ++ sensitiveAttrs.put(type, attr); ++ } else { ++ nonSensitiveAttrs.add(attr); ++ } ++ } ++ } ++} + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index 920422376f8..6aa308fa5f8 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { + return res; + } + ++ /** ++ * Constructor taking the error code from the RV enum and ++ * extra info for error message. ++ */ ++ public PKCS11Exception(RV errorEnum, String extraInfo) { ++ this(errorEnum.value, extraInfo); ++ } ++ + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. +diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 7f8c4dba002..e65b11fc3ee 100644 +--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -34,6 +34,7 @@ import java.security.ProviderException; + import java.util.HashMap; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; + import sun.security.ec.ed.EdDSASignature; +@@ -50,6 +51,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -240,83 +245,85 @@ public final class SunEC extends Provider { + putXDHEntries(); + putEdDSAEntries(); + +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -333,23 +340,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -364,21 +373,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..8b4e87d --- /dev/null +++ b/gating.yaml @@ -0,0 +1,7 @@ +# recipients: java-qa +--- !Policy +product_versions: + - rhel-10 +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} diff --git a/java-21-openjdk-portable.specfile b/java-21-openjdk-portable.specfile new file mode 100644 index 0000000..1c11ea8 --- /dev/null +++ b/java-21-openjdk-portable.specfile @@ -0,0 +1,2616 @@ +# debug_package %%{nil} is portable-jdks specific +%define debug_package %{nil} + +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-21-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs + +# This is RHEL 7 specific as it doesn't seem to have the +# __brp_strip_static_archive macro. +%if 0%{?rhel} == 7 +%define __os_install_post %{nil} +%endif + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 riscv64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} riscv64 +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} riscv64 +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 riscv64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libjsvml.so) +%global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else +%global gdb_arches %{jit_arches} %{zero_arches} +%endif +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 +# Set of architectures for which we have a devkit +# Only used on RHEL +%if 0%{?centos} == 0 +%global devkit_arches %{aarch64} %{ppc64le} riscv64 s390x x86_64 +%endif + +# By default, we build a slowdebug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# The static libraries are produced under the same configuration as the main +# build for portables, as we expect in-tree libraries to be used throughout. +# If system libraries are enabled, the static libraries will also use them +# which may cause issues. +%global bootstrap_targets images %{static_libs_target} legacy-jre-image +%global release_targets images docs-zip %{static_libs_target} legacy-jre-image +# No docs nor bootcycle for debug builds +%global debug_targets images %{static_libs_target} legacy-jre-image +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# DTS toolset to use to provide gcc & binutils +%if 0%{?rhel} == 7 +%global dtsversion 10 +%endif + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +%ifarch riscv64 +%global archinstall riscv64 +%global stapinstall %{_target_cpu} +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 21 +%global interimver 0 +%global updatever 8 +%global patchver 0 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver %{featurever} +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +# This will only work where the bootstrap JDK is the same major version +# as the JDK being built +%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 9203d50836c +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{vcstag} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 9 +%global rpmrelease 1 +#%%global tagsuffix %%{nil} +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%global altjavaoutputdir install/altjava.install +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +# portable only declarations +%global jreimage jre +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g") +%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} +%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} +%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} +%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} +%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on +# top of the JDK archive +%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for slowdebug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java +%global devkit_name %{origin}-devkit + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +# Portables have no repo (requires/provides), but these are awesome for orientation in spec +# Also scriptlets are happily missing and files are handled old fashion +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +} + +%define java_devel_rpo() %{expand: +} + +%define java_static_libs_rpo() %{expand: +} + +%define java_unstripped_rpo() %{expand: +} + +%define java_docs_rpo() %{expand: +} + +%define java_misc_rpo() %{expand: +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 + +# Define an optional suffix for the OS this package is built on +%if 0%{?rhel} == 7 +%global pkgos rhel7 +%endif + +# Define the architectures on which we build +# On RHEL, this should be the architectures with a devkit +%if 0%{?centos} == 0 +ExclusiveArch: %{devkit_arches} +%else +ExclusiveArch: %{aarch64} %{ppc64le} riscv64 s390x x86_64 +%endif + +Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +# Disabled in portables +#Source9: jconsole.desktop.in + +# Release notes +Source10: NEWS + +# Source code for alt-java +Source11: alt-java.c + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +############################################ +# +# RPM/distribution specific patches +# +############################################ +# Crypto policy and FIPS support patches +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Follow system wide crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Resolve outstanding FIPS issues +# RH2052819: Fix FIPS reliance on crypto policies +# RH2052829: Detect NSS at Runtime for FIPS detection +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +# RH2104724: Avoid import/export of DH private keys +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +# Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] +# RH2020290: Support TLS 1.3 in FIPS mode +# Add nss.fips.cfg support to OpenJDK tree +# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +# Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +# Currently empty + +############################################# +# +# OpenJDK patches which missed last update +# +############################################# + +# Currently empty + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: file +BuildRequires: fontconfig-devel +# RHEL 7 builds obtain a newer compiler from DTS +%if 0%{?rhel} == 7 +BuildRequires: devtoolset-%{dtsversion}-gcc +BuildRequires: devtoolset-%{dtsversion}-gcc-c++ +%else +%ifarch %{devkit_arches} +BuildRequires: %{devkit_name} >= 1.0-9 +%else +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 +BuildRequires: gcc-c++ +%endif +%endif +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.fips.cfg +BuildRequires: nss-devel +# Requirement for system security property test +# N/A for portable as we don't enable support for them +#BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +# to pack portable tarballs +BuildRequires: tar +BuildRequires: unzip +BuildRequires: javapackages-filesystem +BuildRequires: java-%{buildjdkver}-%{origin}%{?pkgos:-%{pkgos}}-devel +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# Full documentation build requirements +# pandoc is only available on RHEL/CentOS 8 +%if 0%{?rhel} == 8 +BuildRequires: graphviz +BuildRequires: pandoc +%endif +# cacerts build requirement in portable mode +BuildRequires: ca-certificates + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: zlib-devel +%else +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.3 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.2 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 10.4.0 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.17.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.47 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 +# We link statically against libstdc++ to increase portability +%ifnarch %{devkit_arches} +BuildRequires: libstdc++-static +%endif +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment - portable edition. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment portable edition +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools - portable edition. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} runtime environment and development tools - portable edition +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking - portable edition. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{featurever} runtime environment. + +%{java_unstripped_rpo %{nil}} + +%description unstripped +The %{origin_nice} %{featurever} runtime environment. + +%endif + +%package docs +Summary: %{origin_nice} %{featurever} API documentation + +%{java_docs_rpo %{nil}} + +%description docs +The %{origin_nice} %{featurever} API documentation. + +%package misc +Summary: %{origin_nice} %{featurever} miscellany + +%{java_misc_rpo %{nil}} + +%description misc +The %{origin_nice} %{featurever} miscellany. + +%prep + +echo "Preparing %{oj_vendor_version}" +echo "System is RHEL=%{?rhel}%{!?rhel:0}, CentOS=%{?centos}%{!?centos:0}, EPEL=%{?epel}%{!?epel:0}, Fedora=%{?fedora}%{!?fedora:0}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +%if %{with fresh_libjvm} && ! %{build_hotspot_first} +echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" +echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" +%endif + +export XZ_OPT="-T0" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +pushd %{top_level_dir_name} +# Add crypto policy and FIPS support +%patch -P1001 -p1 +popd # openjdk + + +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "WARNING: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + exit 17 +fi + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# Portables do not have desktop integration + +# Extract devkit +%ifarch %{devkit_arches} + devkittarball=%{_datadir}/%{devkit_name}/sdk-%{_target_cpu}-%{_target_os}-gnu*.tar.gz + echo "Extracting devkit ${devkittarball}"; + mkdir devkit; + tar -C devkit --strip-components=1 -xzf ${devkittarball} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + echo "Installed ${DEVKIT_NAME} devkit" +%else +%if 0%{?centos} > 0 + echo "No devkit for CentOS %{?centos}" +%else + echo "No devkit for %{_target_cpu} on RHEL %{?rhel}"; +%endif +%endif + +%build +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif +export XZ_OPT="-T0" + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +# Explicitly set the C++ standard as the default has changed on GCC >= 6 +EXTRA_CFLAGS="%ourcppflags" +EXTRA_CPP_FLAGS="%ourcppflags" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +%ifarch %{devkit_arches} +# Remove annobin plugin reference which isn't available in the devkit +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1||')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1||')" +# Force DWARF 4 for compatibility +EXTRA_CFLAGS="${EXTRA_CFLAGS} -gdwarf-4" +EXTRA_CPP_FLAGS="${EXTRA_CPP_FLAGS} -gdwarf-4" +%endif + +export EXTRA_CFLAGS EXTRA_CPP_FLAGS + +# Set modification times (mtimes) of files within JAR files generated +# by the OpenJDK build to a timestamp that is constant across RPM +# rebuilds. OpenJDK provides the --with-source-date configure option +# for this purpose. Potential arguments in the RPM build context are: +# +# A) --with-source-date="${SOURCE_DATE_EPOCH}" +# B) --with-source-date=version +# C) --with-source-date="${OPENJDK_UPSTREAM_TAG_EPOCH}" +# +# Consider Option A. Fedora 38 (rpm-4.18.2) and RHEL-8 (rpm-4.14.3) +# have different support for SOURCE_DATE_EPOCH. To keep +# SOURCE_DATE_EPOCH constant across RPM rebuilds, one could set the +# source_date_epoch_from_changelog macro to 1 on both Fedora 38 and +# RHEL-8. However, on RHEL-8, this results in the RPM build times +# being set to the timestamp of the most recent changelog. This is +# bad for tracing when RPMs were actually built. Fedora 38 supports a +# better behaviour via the introduction of the +# use_source_date_epoch_as_buildtime macro, set to 0 by default. +# There is no way to make this work on RHEL-8 as well though, so +# option A is suboptimal. +# +# Option B uses the value of the DEFAULT_VERSION_DATE field from +# make/conf/version-numbers.conf. DEFAULT_VERSION_DATE represents the +# aspirational eventual JDK general availability (GA) release date. +# When the RPM build occurs prior to GA, generated JAR files will have +# payload mtimes in the future relative to the RPM build time. +# Whereas for tarballs some tools will issue warnings about future +# mtimes, per OPENJDK-2583 apparently this is no problem for Java and +# JAR files. +# +# Option C uses the modification timestamp of files in the source +# tarball. The reproducibility logic in generate_source_tarball.sh +# sets them all to the commit time of the release-tagged OpenJDK +# commit, as archived in the tarball. This timestamp is deterministic +# across RPM rebuilds and is reliably in the past. Any file's mtime +# will do, so use version-numbers.conf's. +# +# Use option B for JAR files, based on the discussion in OPENJDK-2583. +# +# For portable tarballs, use option C (OPENJDK_UPSTREAM_TAG_EPOCH) for +# the modification times of all files in the portable tarballs. Doing +# so eliminates one source of variability across RPM rebuilds. +VERSION_FILE="$(pwd)"/"%{top_level_dir_name}"/make/conf/version-numbers.conf +OPENJDK_UPSTREAM_TAG_EPOCH="$(stat --format=%Y "${VERSION_FILE}")" + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + local debug_symbols=${6} + local devkit=${7} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Using debug_symbols: ${debug_symbols}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + +%ifarch %{devkit_arches} + LIBPATH="${devkit}/lib:${devkit}/lib64" + echo "Setting library path to ${LIBPATH}" +%endif + + mkdir -p ${outputdir} + pushd ${outputdir} + + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build + LD_LIBRARY_PATH=${LIBPATH} \ + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} + --with-jvm-variants=zero \ +%endif +%ifarch %{devkit_arches} + --with-devkit=${devkit} \ +%endif + --with-cacerts-file=$(readlink -f %{_sysconfdir}/pki/java/cacerts) \ + --with-version-build=%{buildver} \ + --with-version-pre="%{ea_designator}" \ + --with-version-opt="%{lts_designator}" \ + --with-vendor-version-string="%{oj_vendor_version}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="${debug_symbols}" \ + --disable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=${libc_link_opt} \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --with-source-date="version" \ + --disable-javac-server \ +%ifarch %{zgc_arches} + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors + + cat spec.gmk + LD_LIBRARY_PATH=${LIBPATH} \ + make LOG=trace $maketargets || \ + ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false ) + + popd +} + +function stripjdk() { + local outputdir=${1} + local toolpath=${2} + local jdkimagepath=images/%{jdkimage} + local jreimagepath=images/%{jreimage} + local jmodimagepath=images/jmods + local modulefile=lib/modules + local supportdir=${outputdir}/support + local modulebuildpath=${outputdir}/jdk/modules + local jdkoutdir=${outputdir}/${jdkimagepath} + local jreoutdir=${outputdir}/${jreimagepath} + +%ifarch %{devkit_arches} + OBJCOPY=${toolpath}/objcopy + STRIP=${toolpath}/strip +%else + OBJCOPY=$(which objcopy) + STRIP=$(which strip) +%endif + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + cp -a ${jdkoutdir}{,.unstripped} + + # Strip the files + for file in $(find ${jdkoutdir} ${jreoutdir} ${supportdir} ${modulebuildpath} -type f) ; do + if file ${file} | cut -d ':' -f 2 | grep -q 'ELF'; then + noextfile=${file/.so/}; + ${OBJCOPY} --only-keep-debug ${file} ${noextfile}.debuginfo; + ${OBJCOPY} --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + ${STRIP} -g ${file}; + fi + done + + # Rebuild jmod files against the stripped binaries + if [ ! -d ${supportdir} ] ; then + echo "Support directory missing."; + exit 15 + fi + # Build the java.base jmod a third time to fix the hashes of dependent jmods + for cmd in $(find ${supportdir}/${jmodimagepath} -name '*.jmod_exec.cmdline') \ + ${supportdir}/${jmodimagepath}/*java.base*exec.cmdline ; do + pre=${cmd/_exec/_pre}; + post=${cmd/_exec/_post}; + jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##') + echo "Rebuilding ${jmod} against stripped binaries..."; + if [ -e ${pre} ] ; then + echo -e "Executing ${pre}...\n$(cat ${pre})"; + cat ${pre} | sh -s ; + fi + echo "Executing ${cmd}...$(cat ${cmd})"; + cat ${cmd} | sh -s ; + if [ -e ${post} ] ; then + echo -e "Executing ${post}...\n$(cat ${post})"; + cat ${post} | sh -s ; + fi + done + + # Rebuild the image with the stripped modules + for image in ${jdkimagepath} ${jreimagepath} ; do + outdir=${outputdir}/${image}; + jlink=${supportdir}/${image}/_jlink*_exec.cmdline; + # Backup the existing image as it contains + # files not generated by jlink + mv ${outdir}{,.bak}; + # Regenerate the image using the command + # generated using the initial build + echo -e "Executing ${jlink}...\n$(cat ${jlink})"; + cat ${jlink} | sh -s; + # Move the new jmods and module file from the new + # image to the old one + if [ -e ${outdir}.bak/jmods ] ; then + rm -rf ${outdir}.bak/jmods; + mv ${outdir}/jmods ${outdir}.bak; + fi + rm -f ${outdir}.bak/${modulefile}; + mv ${outdir}/${modulefile} ${outdir}.bak/$(dirname ${modulefile}); + # Restore the original image + rm -rf ${outdir}; + mv ${outdir}{.bak,}; + # Update the CDS archives + for cmd in ${supportdir}/${image}/*_gen_cds*_exec.cmdline ; do + echo -e "Executing ${cmd}...\n$(cat ${cmd})"; + cat ${cmd} | sh -s; + done + done + fi +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + local unstripped=${jdkimagepath}.unstripped + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + # legacy-jre-image target does not install any man pages for the JRE + # We copy the jdk man directory and then remove pages for binaries that + # don't exist in the JRE + cp -a ${jdkimagepath}/man ${jreimagepath} + for manpage in $(find ${jreimagepath}/man -name '*.1'); do + filename=$(basename ${manpage}); + binary=${filename/.1/}; + if [ ! -f ${jreimagepath}/bin/${binary} ] ; then + echo "Removing ${manpage} from JRE for which no binary ${binary} exists"; + rm -f ${manpage}; + fi; + done + + for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE10} ${imagepath} + + # Print release information + cat ${imagepath}/release + fi + done +} + +function genchecksum() { + local checkedfile=${1} + + checkdir=$(dirname ${1}) + checkfile=$(basename ${1}) + + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd +} + +# Create a reproducible tarball in an appropriate way for +# the version of tar in use +function createtar() { + local directory=${1} + local archive=${2} + local filter=${3} + local transform=${4} + local exclude=${5} + + if [ "x${filter}" != "x" ] ; then + local filteroption="-name ${filter}"; + fi + if [ "x${transform}" != "x" ] ; then + local transoption="--transform ${transform}"; + fi + if [ "x${exclude}" != "x" ] ; then + local excludeoption="--exclude=${exclude}"; + fi + + local common_tar_opts="--owner=0 --group=0 --numeric-owner \ + ${transoption} ${excludeoption} --create --xz" + # Capture tar version, removing the decimal point (so 1.28 => 128) + tarver=$(tar --version|head -n1|sed -re 's|tar \(GNU tar\) ([0-9]).([0-9]*)|\1\2|') + echo "Detected tar ${tarver}" + if [ ${tarver} -gt 128 ] ; then + local tar_time="$(date --utc --iso-8601=seconds --date=@"${OPENJDK_UPSTREAM_TAG_EPOCH}")" + local tar_opts="--mtime=${tar_time} --sort=name ${common_tar_opts}" + if test "x${filteroption}" = "x"; then + tar ${tar_opts} --file ${archive} ${directory} + else + tar ${tar_opts} --file ${archive} $(find ${directory} ${filteroption}) + fi + else + # See https://reproducible-builds.org/docs/archives/ + # RHEL-7 has tar 1.26 which does not support --sort=name (added + # in 1.28), so use find-piped-through-sort instead. Omit + # --pax-option since it made the docs package not reproducible + # due to PaxHeaders timestamp differences. + local tar_opts="--mtime=@${OPENJDK_UPSTREAM_TAG_EPOCH} \ + --no-recursion --null --files-from - \ + ${common_tar_opts}" + find ${directory} ${filteroption} -print0 | \ + LC_ALL=C sort -z | \ + tar ${tar_opts} --file ${archive} + fi +} + +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/images/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset + local altjavadir=$(pwd)/${3} + + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir} + + if [ "x$suffix" = "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticname=%{staticlibsportablename -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + + if [ "x$suffix" = "x" ] ; then + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + + # Keep the unstripped version for consumption by RHEL RPMs + mv %{jdkimage}.unstripped ${jdkname} + createtar ${jdkname} ${unstrippedarchive} + genchecksum ${unstrippedarchive} + mv ${jdkname} %{jdkimage}.unstripped + fi + + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename} + + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + createtar ${jdkname} ${debugarchive} \*.debuginfo + genchecksum ${debugarchive} + + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + createtar ${docname} ${docarchive} + genchecksum ${docarchive} + + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif + cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname} + createtar ${miscname} ${miscarchive} + genchecksum ${miscarchive} + fi + + createtar ${jdkname} ${jdkarchive} "" "" "**.debuginfo" + genchecksum ${jdkarchive} + + createtar ${jrename} ${jrearchive} "" "" "**.debuginfo" + genchecksum ${jrearchive} + +%if %{include_staticlibs} + # Static libraries (needed for building graal vm with native image) + # Tar as overlay. Transform to the JDK name, since we just want to "add" + # static libraries to that folder + createtar "%{static_libs_image}/lib" ${staticarchive} "" \ + "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" + genchecksum ${staticarchive} +%endif + + # Revert directory renaming so testing will run + # TODO: testing should run on the packaged JDK + mv ${jdkname} %{jdkimage} + mv ${jrename} %{jreimage} + + popd #images + +} + +%ifarch %{devkit_arches} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + GCC="${DEVKIT_TOOLCHAIN_PATH}/gcc --sysroot=${DEVKIT_SYSROOT}" + LIBPATH="${DEVKIT_ROOT}/lib:${DEVKIT_ROOT}/lib64" +%else + GCC=$(which gcc) +%endif + +echo "Building %{SOURCE11}" +mkdir -p %{altjavaoutputdir} +LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11} +echo "Generating %{alt_java_name} man page" +altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1 +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage} +cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage} + +echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + echo "Building HotSpot only for the latest libjvm.so" + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" ${DEVKIT_ROOT} + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + stripjdk ${builddir} ${DEVKIT_TOOLCHAIN_PATH} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + stripjdk ${builddir} ${DEVKIT_TOOLCHAIN_PATH} + installjdk ${builddir} ${installdir} + fi + packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir} + +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Pre-test setup + +# System security properties are disabled by default on portable. +# Turn on system security properties +#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ +#${JAVA_HOME}/conf/security/java.security + +# Set up tools +%ifarch %{devkit_arches} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + NM="${DEVKIT_TOOLCHAIN_PATH}/nm" +%else + NM=$(which nm) +%endif +# elfutils readelf supports more binaries than binutils version on RHEL 8 +# and debug symbols tests below were designed around this version +READELF=$(which eu-readelf) +# Only native gdb seems to work +# The devkit gdb needs the devkit stdc++ library but then the JVM +# segfaults when this is on the LD_LIBRARY_PATH +GDB=$(which gdb) + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + + # Check unlimited policy has been used + $JAVA_HOME/bin/javac -d . %{SOURCE13} + $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + + # Check ECC is working + $JAVA_HOME/bin/javac -d . %{SOURCE14} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + + # Check system crypto (policy) is active and can be disabled + # Test takes a single argument - true or false - to state whether system + # security properties are enabled or not. + $JAVA_HOME/bin/javac -d . %{SOURCE15} + export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") + export SEC_DEBUG="-Djava.security.debug=properties" + # Specific to portable:System security properties to be off by default + $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false + $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + + # Check correct vendor values have been set + $JAVA_HOME/bin/javac -d . %{SOURCE16} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +%if ! 0%{?flatpak} + # Check translations are available for new timezones (during flatpak builds, the + # tzdb.dat used by this test is not where the test expects it, so this is + # disabled for flatpak builds) + # Disable test until we are on the latest JDK + $JAVA_HOME/bin/javac -d . %{SOURCE18} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + + # Check src.zip has all sources. See RHBZ#1130490 + unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + + # Check class files include useful debugging information + $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + + # Check generated class files include useful debugging information + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + + # Just run a basic java -version test on other architectures + $JAVA_HOME/bin/java -version + +%endif + +# Check java launcher has no SSB mitigation +if ! ${NM} $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +%ifarch %{ssbd_arches} +${NM} %{altjavaoutputdir}/%{alt_java_name} | grep prctl +%else +if ! ${NM} %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +ls -l $STATIC_LIBS_HOME +ls -l $STATIC_LIBS_HOME/lib +${READELF} --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +${READELF} --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c +%endif + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + ${READELF} -S "$lib" | grep "] .debug_" + test $(${READELF} -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(${READELF} -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp and .S files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + ${READELF} -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + ${READELF} -S "$lib" | grep 'gnu' + if ${READELF} -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + ${READELF} -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +${GDB} -q "$JAVA_HOME/bin/java" < - 1:21.0.8.0.9-1.1 +- Update to jdk-21.0.8+9 (GA) +- Update release notes to 21.0.8+9 +- Switch to GA mode +- ** This tarball is embargoed until 2025-07-15 @ 1pm PT. ** + +* Thu Jul 10 2025 Andrew Hughes - 1:21.0.8.0.8-0.1.ea +- Update to jdk-21.0.8+8 (EA) +- Update release notes to 21.0.8+8 + +* Wed Jul 09 2025 Andrew Hughes - 1:21.0.8.0.2-0.1.ea +- Update to jdk-21.0.8+2 (EA) +- Update release notes to 21.0.8+2 +- Add timezone data update check to openjdk_news.sh +- Add duplicate check to openjdk_news.sh +- Exit if no fixes are obtained rather than try to run filters in openjdk_news.sh +- Related: OPENJDK-3949 + +* Tue Jul 08 2025 Andrew Hughes - 1:21.0.8.0.1-0.1.ea +- Update get_bundle_versions.sh to match other scripts +- * get_bundle_versions.sh: Add license +- * get_bundle_versions.sh: Set compile-command in Emacs +- * get_bundle_versions.sh: Use different error codes for different failures +- * get_bundle_versions.sh: Remove unneeded '.' in JPEG version +- * get_bundle_versions.sh: shellcheck: Double-quote variable references (SC2086) +- * get_bundle_versions.sh: shellcheck: Drop use of cat and pass file to awk directly (SC2002) +- Add OpenJDK 8u support to get_bundle_versions.sh +- Print bundle updates and backouts at end of openjdk_news.sh output +- Refer user to get_bundle_versions.sh when bundle updates are found by openjdk_news.sh +- Resolves: OPENJDK-3949 + +* Tue Jul 08 2025 Antonio Vieiro - 1:21.0.8.0.1-0.1.ea +- Add script to obtain bundled library versions from OpenJDK sources +- Related: OPENJDK-3949 + +* Tue Jul 08 2025 Thomas Fitzsimmons - 1:21.0.8.0.1-0.1.ea +- Warn about bundled provide version bumps and backouts in openjdk_news.sh +- Related: OPENJDK-3949 + +* Tue Jul 08 2025 Andrew Hughes - 1:21.0.8.0.1-0.1.ea +- Update to jdk-21.0.8+1 (EA) +- Update release notes to 21.0.8+1 +- Bump freetype version to 2.13.3 following JDK-8348596 +- Bump harfbuzz version to 10.4.0 following JDK-8348597 +- Bump lcms2 version to 2.17.0 following JDK-8348110 +- Bump libpng version to 1.6.47 following JDK-8348598 +- Switch to EA mode +- Drop JDK-8351500 local patch which is now available in 21.0.8+1 upstream + +* Fri Jul 04 2025 Andrew Hughes - 1:21.0.7.0.6-3 +- Move riscv64 addition to ExclusiveArch to devkit_arches on RHEL +- Related: OPENJDK-3850 + +* Tue May 20 2025 Kashyap Chamarthy - 1:21.0.7.0.6-3 +- Enable riscv64 arch; thanks: Songsong Zhang +- Resolves: OPENJDK-3850 + +* Thu May 08 2025 Andrew Hughes - 1:21.0.7.0.6-2 +- Add local version of JDK-8351500 for early interim release before 21.0.8 +- Resolves: OPENJDK-3679 + +* Fri Apr 11 2025 Andrew Hughes - 1:21.0.7.0.6-1 +- Update to jdk-21.0.7+6 (GA) +- Update release notes to 21.0.7+6 +- Rebase FIPS support against 21.0.7+5 +- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. ** +- Resolves: OPENJDK-3789 + +* Sat Jan 11 2025 Andrew Hughes - 1:21.0.6.0.7-1 +- Update to jdk-21.0.6+7 (GA) +- Update release notes to 21.0.6+7 +- Build with DWARF 4 debuginfo for compatibility with older toolchains +- Check for CentOS being defined to determine use of devkit +- Bump devkit requirement to 1.0-9 to bring in updated sysroot +- Drop workaround of building s390x with dynamic libstdc++ +- Turn on fresh_libjvm now 21.0.5 with JDK-8329088 is released +- ** This tarball is embargoed until 2025-01-21 @ 1pm PT. ** +- Resolves: OPENJDK-3556 +- Resolves: OPENJDK-3590 +- Related: OPENJDK-3070 + +* Thu Nov 28 2024 Andrew Hughes - 1:21.0.5.0.11-2 +- Bump devkit requirement to 1.0-8 to bring in the gcc with --enable-linker-build-id +- Related: OPENJDK-3068 + +* Wed Oct 16 2024 Andrew Hughes - 1:21.0.5.0.11-1 +- Update to jdk-21.0.5+11 (GA) +- Update release notes to 21.0.5+11 +- Remove local JDK-8327501 & JDK-8328366 backport as this is now upstream. + +* Sat Oct 12 2024 Andrew Hughes - 1:21.0.5.0.10-1 +- Update to jdk-21.0.5+10 (GA) +- Update release notes to 21.0.5+10 +- Switch to GA mode. +- Revert JDK-8327501 & JDK-8328366 backport until more mature. +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. ** +- Resolves: OPENJDK-3327 +- Resolves: OPENJDK-3084 + +* Thu Oct 10 2024 Andrew Hughes - 1:21.0.5.0.9-0.1.ea +- Update to jdk-21.0.5+9 (EA) +- Update release notes to 21.0.5+9 + +* Wed Sep 18 2024 Andrew Hughes - 1:21.0.5.0.5-0.1.ea +- Update to jdk-21.0.5+5 (EA) +- Update release notes to 21.0.5+5 + +* Sun Sep 15 2024 Andrew Hughes - 1:21.0.5.0.1-0.1.ea +- Update to jdk-21.0.5+1 (EA) +- Update release notes to 21.0.5+1 +- Switch to EA mode +- Bump giflib version to 5.2.2 following JDK-8328999 +- Bump libpng version to 1.6.43 following JDK-8329004 +- Turn off fresh_libjvm following JDK-8329088 which changes jdk.internal.vm.StackChunk in CDS archive +- Add build scripts to repository to ease remembering all CentOS & RHEL targets and options +- Make build scripts executable + +* Fri Jul 12 2024 Andrew Hughes - 1:21.0.4.0.7-1 +- Update to jdk-21.0.4+7 (GA) +- Update release notes to 21.0.4+7 +- Switch to GA mode. +- Sync with RHEL 7 portable build: + - Conditionally define __os_install_post, dtsversion & pkgos only on RHEL 7 + - Use ExclusiveArch over ExcludeArch + - Depend on devtoolset only on RHEL 7 + - Use javapackages-filesystem rather than manually defining _jvmdir + - Restrict pandoc dependency to RHEL/CentOS 8 + - Drop unused component macro +- Sync ExclusiveArch with devkit_arches on RHEL only +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. ** +- Resolves: OPENJDK-2756 +- Resolves: OPENJDK-3163 + +* Wed Jun 26 2024 Andrew Hughes - 1:21.0.4.0.5-0.1.ea +- Update to jdk-21.0.4+5 (EA) +- Update release notes to 21.0.4+5 +- Move unstripped, misc and doc tarball handling into normal build / no suffix blocks +- Limit Java only tests to one architecture using jdk_test_arch +- Drop unneeded tzdata-java build dependency following 3e3cf8fa2df7bac2f6a60a0ddd596ec39228a3e1 +- Resolves: OPENJDK-3133 +- Resolves: OPENJDK-3237 +- Resolves: OPENJDK-3182 +- Resolves: OPENJDK-3190 + +* Sat Jun 22 2024 Andrew Hughes - 1:21.0.4.0.1-0.1.ea +- Update to jdk-21.0.4+1 (EA) +- Update release notes to 21.0.4+1 +- Switch to EA mode +- Bump LCMS 2 version to 2.16.0 following JDK-8321489 +- Add zlib build requirement or bundled version (1.3.1), depending on system_libs setting +- Resolves: OPENJDK-3061 +- Resolves: OPENJDK-3064 + +* Sat Apr 13 2024 Andrew Hughes - 1:21.0.3.0.9-1 +- Update to jdk-21.0.3+9 (GA) +- Update release notes to 21.0.3+9 +- Switch to GA mode. +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. ** + +* Thu Apr 04 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 + +* Wed Mar 20 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.1.ea +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Fix -ea logic to add dash +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166) +- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004) +- Use backward-compatible patch syntax +- generate_source_tarball.sh: Ignore -ga tags with OPENJDK_LATEST +- generate_source_tarball.sh: Fix whitespace +- generate_source_tarball.sh: Remove trailing period in echo +- generate_source_tarball.sh: Use long-style argument to grep +- generate_source_tarball.sh: Add license +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Remove -T0 argument from systemtap tar invocation +- Use RHEL-7 tar-1.26-compatible invocations for reproducible tarballs +- createtar: Add exclude option +- packagejdk: Exclude debuginfo when creating jdkarchive and jrearchive tarballs +- Resolves: OPENJDK-2995 + +* Mon Mar 18 2024 Andrew Hughes - 1:21.0.3.0.1-0.1.ea +- Update to jdk-21.0.3+1 (EA) +- Update release notes to 21.0.3+1 +- Switch to EA mode +- Require tzdata 2023d due to upstream inclusion of JDK-8322725 +- Bump FreeType version to 2.13.2 following JDK-8316028 +- Add module build path to stripped directories to catch jpackageapplauncher files +- Move alt-java man page to the misc tarball so it is not in the JDK image +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck +- Vary reproducible tar creation by version of tar detected +- Set OPENJDK_UPSTREAM_TAG_EPOCH & VERSION_FILE at start of build section as in 17u +- Change --with-source-date value to 'version' to match Temurin builds +- Re-run jlink to regenerate the jmods directory and lib/modules with stripped libraries +- Rebuild CDS archives against the updated lib/modules +- Require openjdk-devkit 1.0-4 to bring in fixes for .comment section and deterministic archives +- Bump devkit requirement to 1.0-5 to bring in the bootstrapped version +- Set LD_LIBRARY_PATH when calling gcc to build alt-java +- Set LD_LIBRARY_PATH when calling configure +- Set LD_LIBRARY_PATH when calling make +- Bump devkit requirement to 1.0-6 to bring in the AS=/as fix +- Resolves: OPENJDK-2820 +- Resolves: OPENJDK-2821 +- Resolves: OPENJDK-2585 +- Resolves: OPENJDK-3138 + +* Fri Mar 15 2024 Andrew Hughes - 1:21.0.2.0.13-1 +- Update to jdk-21.0.2+13 (GA) +- Update release notes to 21.0.2+13 +- Bump libpng version to 1.6.40 following JDK-8316030 +- Bump HarfBuzz version to 8.2.2 following JDK-8313643 + +* Mon Mar 11 2024 Andrew Hughes - 1:21.0.1.0.12-2 +- Use a devkit to build on architectures where we have one (s390x, aarch64, ppc64le, x86_64) +- Use a dynamic libstdc++ on s390x to workaround failure with static libstdc++ +- Use the devkit tools during the check stage so they can understand the generated binaries +- Use eu-readelf on devkit and non-devkit builds as debug symbol tests rely on its behaviour +- Use system gdb for both builds as devkit version fails (needs devkit libraries, then JDK segfaults with them) +- Filter out annobin plugin when using the devkit +- Drop static libstdc++ build dependency on devkit builds as it should come from the devkit +- Introduce tar_opts to avoid repetition of lengthy tar creation options + +* Thu Feb 08 2024 Thomas Fitzsimmons - 1:21.0.1.0.12-2 +- Invoke xz in multi-threaded mode +- Remove ppc64le with-jobs=1 workaround +- Make portable tarball modification times reproducible + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.1.0.12-1 +- Update to jdk-21.0.1.0+12 (GA) +- Update release notes to 21.0.1.0+12 +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng) +- Sync generate_tarball.sh with 11u & 17u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Fix upstream release URL for OpenJDK source +- Update buildjdkver to match the featurever + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.0.0.35-4 +- Rebuild jmods using the stripped binaries in release builds +- Make sure the unstripped JDK is customised by the installjdk function +- Resolves: OPENJDK-1974 + +* Thu Oct 26 2023 Andrew Hughes - 1:21.0.0.0.35-3 +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Depend on graphviz & pandoc for full documentation support +- Fix typo which stops the EA designator being included in the build +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation + +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md, add missing JEP to release notes) +- Replace alt-java patch with a binary separate from the JDK +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 patch any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed +- Related: rhbz#2192749 + +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update release notes to 21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Hardcode buildjdkver while the build JDK is not yet 21 +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Related: rhbz#2192749 + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: rhbz#2192749 + +* Wed Aug 16 2023 Andrew Hughes - 1:20.0.0.0.36-1 +- Update to jdk-20.0.2+9 +- Update release notes to 20.0.2+9 +- Update system crypto policy & FIPS patch from new fips-20u tree +- Update generate_tarball.sh ICEDTEA_VERSION +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) +- Related: rhbz#2192749 + +* Wed Aug 16 2023 Jiri Vanek - 1:20.0.0.0.36-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch +- Related: rhbz#2192749 + +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.1.0.10-1 +- Update to jdk-19.0.2 release +- Update release notes to 19.0.2 +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 +- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag +- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases +- Related: rhbz#2192749 + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Update release notes to actually reflect OpenJDK 18 +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Switch bootjdkver to java-21-openjdk +- Disable tzdata tests until we are on the latest JDK and things are back in sync +- Related: rhbz#2192749 + +* Thu Aug 10 2023 Petra Alice Mikova - 1:18.0.0.0.37-1 +- Update to ea version of jdk18 +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +- Related: rhbz#2192749 + +* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Create java-21-openjdk-portable package based on java-17-openjdk-portable +- Related: rhbz#2192749 + +* Tue Apr 25 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Reintroduce generate_source_tarball.sh from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- Fix trailing '.' in tarball name +- Use rpmrelease in vendor version to avoid inclusion of dist tag +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2134669 +- Resolves: rhbz#1940064 +- Resolves: rhbz#2173781 + +* Thu Apr 20 2023 Andrew Hughes - 1:17.0.6.0.10-7 +- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 +- Restore system bootstrap JDK (RHEL 8 has java-17-openjdk) +- Remove use of devtoolset (RHEL 8 native compilers should be sufficient) +- Explicitly exclude x86, as on RHEL RPMs + +* Tue Feb 21 2023 Andrew Hughes - 1:17.0.6.0.10-6 +- Add docs, icons and samples to the portable output +- Make sure generated checksums work and don't include full path +- The docs directory is a subdirectory of images, so remove confusing separate copying + +* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-5 +- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build +- Restore compiler flags to those used in RHEL +- Drop unused static library patch +- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago + +* Tue Feb 14 2023 Andrew Hughes - 1:17.0.6.0.10-4 +- Separate JDK packaging into a separate function +- Use variables to make it clearer what is going on +- Use a package output directory as we do for building and installing +- Workaround missing manpage directory in the JRE image + +* Sun Feb 12 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Adapt the portable build to use the same system library handling as RHEL builds + +* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-2 +- Update FIPS support to bring in latest changes +- * Add nss.fips.cfg support to OpenJDK tree +- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +- * Remove forgotten dead code from RH2020290 and RH2104724 +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +- Resolves: rhbz#2118493 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-2 +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-1 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Drop JDK-8275535 local patch now this has been accepted and backported upstream +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. ** +- Resolves: rhbz#2160111 + +* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream +- Related: rhbz#2160111 + +* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. +- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- Resolves: rhbz#2133695 + +* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +- Update FIPS support to bring in latest changes +- * RH2023467: Enable FIPS keys export +- * RH2104724: Avoid import/export of DH private keys +- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +- * Build the systemconf library on all platforms +- * RH2048582: Support PKCS#12 keystores +- * RH2020290: Support TLS 1.3 in FIPS mode +- Resolves: rhbz#2123579 +- Resolves: rhbz#2123580 +- Resolves: rhbz#2123581 +- Resolves: rhbz#2123583 +- Resolves: rhbz#2123584 + +* Sun Aug 21 2022 Jayashree Huttanagoudar - 1:17.0.4.1.1-1 +- Added a missing change to portable NEWS file from upstream. + +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +- Update to jdk-17.0.4.1+1 +- Update release notes to 17.0.4.1+1 +- Add patch to provide translations for Europe/Kyiv added in tzdata2022b +- Add test to ensure timezones can be translated +- Resolves: rhbz#2119532 + +* Mon Jul 18 2022 Jayashree Huttanagoudar - 1:17.0.4.0.8-1 +- Commented out: fipsver f8142a23d0a which was from rhel-9-main +- Picked 17.0.4+8 GA tag from rhel-9.0.0 +- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0 + +* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 +- Update to jdk-17.0.4.0+8 (GA) +- Update release notes to 17.0.4.0+8 +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. ** + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084779 + +* Tue Jul 12 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.1.ea +- Tweaked line to print release information for portable + +* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Move EA designator check to prep so failures can be caught earlier +- Make EA designator check non-fatal while upstream is not maintaining it +- Related: rhbz#2084218 + +* Thu Jun 30 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-8 +- Comment line for portable: System security properties to be off by default + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-8 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102433 + +* Wed Jun 29 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-7 +- System security properties are disabled by default on portable. +- Commented out lines which are not applicable for portable. + +* Wed Jun 29 2022 Andrew Hughes - 1:17.0.3.0.7-7 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099844 +- Resolves: rhbz#2100677 + +* Tue Jun 28 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-6 +- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch + +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2029657 +- Resolves: rhbz#2096117 + +* Wed May 25 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build + +* Tue May 24 2022 Jiri Vanek - 1:17.0.3.0.7-4 +- to pass aqa, fixing genuie failure in : +- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions +- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions +- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch +- this, properly named, patch must go to all our jdk17 builds, and to the fips repo + +* Thu May 19 2022 Jiri Vanek - 1:17.0.3.0.7-3 +- to pass aqa: +- removed copy system tzdb in favour of in-tree +- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch +- This is not intended to release untill we decide proper steps + +* Thu May 19 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-2 +- Include BOOT_JDK for s390x for portable +- BOOT_JDK downlaoded form hydra as + java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz + and renamed +- Added cosmetic changes to bypass a failure for s390x + +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Remove JDK-8284548 and JDK-8284920 they are upstreamed now +- Resolves: rhbz#2073579 + +* Sat Apr 16 2022 Andrew Hughes - 1:17.0.3.0.6-3 +- Add JDK-8284920 fix for XPath regression +- Related: rhbz#2073575 + +* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2 +- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit +- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 +- Related: rhbz#2073575 + +* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 +- April 2022 security update to jdk 17.0.3+6 +- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) +- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga +- Update release notes to 17.0.3.0+6 +- Add missing README.md and generate_source_tarball.sh +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- JDK-8283911 patch no longer needed now we're GA... +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** +- Resolves: rhbz#2073575 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050460 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050456 + +* Mon Feb 28 2022 Jayashree Huttanagoudar - 1:17.0.2.0.8-10 +- Update icedtea_sync.sh with suitable message for portable + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-10 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +- Correction to previous changelog entry +- Resolves: rhbz#2052070 + +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Resolves: rhbz#2051605 + +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053521 + +* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-4 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Tue Jan 18 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + +* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 +- January 2022 security update to jdk 17.0.2+8 +- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java +- Resolves: rhbz#2039366 +- Minor change to the OUTPUT_FILE value to separate the name from the version with '-' + +* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023537 + +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 +- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 +- October CPU update to jdk 17.0.1+12 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Add patch to allow plain key import. + +* Mon Oct 25 2021 Jiri Vanek - 1:17.0.0.0.35-5 +- cacerts symlink is resolved before passed to configure +- https://issues.redhat.com/browse/OPENJDK-487 +- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS +-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss +-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started + +* Thu Sep 30 2021 Jiri Vanek - 1:17.0.0.0.35-4 +- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7 diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec new file mode 100644 index 0000000..5c5da59 --- /dev/null +++ b/java-21-openjdk.spec @@ -0,0 +1,2476 @@ +# To rebuild this RPM, you must first rebuild the portable +# RPM using the java-21-openjdk-portable.specfile, install +# it and then adjust portablerelease and portablesuffix +# to match the new portable. + +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-21-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug + +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Build with system libraries +%bcond_with system_libs + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# With LTO flags enabled, debuginfo checks fail for some reason. Disable +# LTO for a passing build. This really needs to be looked at. +%define _lto_cflags %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# Indicates whether this is the default JDK on this version of RHEL +# Only the default/system JDK provides unversioned Provides like 'java', 'jre' and 'java-devel' +%global is_system_jdk 1 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 riscv64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} riscv64 +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} riscv64 +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 riscv64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libjsvml.so) +%global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if 0%{?flatpak} +%global bootstrap_build false +%else +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# debugedit tool for rewriting ELF file paths +%if 0%{?rhel} >= 10 +# From RHEL 10, the tool is in its own package installed in the usual location +%global debugedit %{_bindir}/debugedit +%else +# On earlier versions of RHEL, it is part of the rpm package +%global debugedit %{_rpmconfigdir}/debugedit +%endif + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +%ifarch riscv64 +%global archinstall riscv64 +%global stapinstall riscv64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 21 +%global interimver 0 +%global updatever 8 +%global patchver 0 +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{portablerelease}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 9203d50836c +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Define the OS the portable JDK is built on +# This is undefined for CentOS & openjdk-portable-rhel-8 builds and +# equals 'rhel7' for openjdk-portable-rhel-7 builds +%if 0 +%global pkgos rhel7 +%endif + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{vcstag} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 9 +%global rpmrelease 1 +# Settings used by the portable build +%global portablerelease 1 +# Portable suffix differs between RHEL and CentOS +%if 0%{?centos} == 0 +%global portablesuffix %{?pkgos:el7_9}%{!?pkgos:el8} +%else +%global portablesuffix el9 +%endif +%global portablebuilddir /builddir/build/BUILD + +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{compatiblename}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{compatiblename}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|lible[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for any debug packages +%global exclude_from_regexp ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$|^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __provides_exclude_from %{exclude_from_regexp} +%global __requires_exclude_from %{exclude_from_regexp} +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka target_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +} + +# We want fastdebug and slowdebug alternatives to have a lower +# priority than the normal alternatives, so the normal alternatives +# are the default. +# If the argument to this macro is non-nil, that is either -fastdebug +# or -slowdebug, then priority_for will expand to a value one less +# than the priority global. If the argument to this macro is nil, +# that is represents the non-debug or normal package, then the result +# is the normal priority macro value. +# This computation is done at RPM macro expansion time, rather than at +# runtime, to keep scriptlets as simple as possible. +%define priority_for() %{expand:%[%{?1:1}%{!?1:0} ? %{priority} - 1 : %{priority}]} + +%global man_comp .gz + +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +alternatives --install %{_bindir}/java java %{jrebindir -- %{?1}}/java %{priority_for -- %{?1}} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ + --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_mandir}/man1/java.1%{man_comp} java.1%{man_comp} %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/%{alt_java_name}.1%{man_comp} %{alt_java_name}.1%{man_comp} %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jcmd.1%{man_comp} jcmd.1%{man_comp} %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/keytool.1%{man_comp} keytool.1%{man_comp} %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/rmiregistry.1%{man_comp} rmiregistry.1%{man_comp} %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1%{man_comp} +alternatives --install %{_jvmdir}/jre-%{origin} jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} %{priority_for -- %{?1}} +alternatives --install %{_jvmdir}/jre-%{javaver} jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} %{priority_for -- %{?1}} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} %{priority_for -- %{?1}} +} + +%define post_headless() %{expand: +%{alternatives_java_install -- %{?1}} +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +} + +# Perform alternatives removals in preun instead of postun so that we +# are removing live symbolic links instead of dangling symbolic links, +# even though the alternatives command does not seem to care. The +# documentation uses preun or postun without providing a rationale for +# using one over the other: +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Alternatives/ +# +# The [ $1 -eq 0 ] is an RPM scriptlet idiom meaning "only do the +# following if this scriptlet is being run during a straight package +# removal; in other words, do NOT do the following if this scriptlet +# is being run as part of an upgrade transaction". +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax +%define preun_headless() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +if [ $1 -eq 0 ] +then + alternatives --remove java %{jrebindir -- %{?1}}/java + alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} +fi +} + +# Invoke gtk-update-icon-cache in posttrans instead of post as an +# optimization. If other packages in the transaction install icons +# and use this optimization, then invocations of gtk-update-icon-cache +# will all happen in succession, and invocations after the first one +# will notice that the cache is fresh and immediately succeed. If +# this were instead done in each package's post, then the icon cache +# would be regenerated every time, rendering the whole transaction +# slower. +# See: +# https://lists.fedoraproject.org/archives/list/packaging\ +# @lists.fedoraproject.org/thread/HXIIKIHBMT3HELPKWH2BAXRNIF7BPPJD/ +# and: +# https://fedoraproject.org/wiki/Archive:PackagingDrafts/Icon_Cache +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +alternatives --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac %{priority_for -- %{?1}} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{sa_arches} +%ifnarch %{zero_arches} + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/jwebserver jwebserver %{sdkbindir -- %{?1}}/jwebserver \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1%{man_comp} jar.1%{man_comp} %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jarsigner.1%{man_comp} jarsigner.1%{man_comp} %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/javac.1%{man_comp} javac.1%{man_comp} %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/javadoc.1%{man_comp} javadoc.1%{man_comp} %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/javap.1%{man_comp} javap.1%{man_comp} %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jconsole.1%{man_comp} jconsole.1%{man_comp} %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jdb.1%{man_comp} jdb.1%{man_comp} %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jdeps.1%{man_comp} jdeps.1%{man_comp} %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jinfo.1%{man_comp} jinfo.1%{man_comp} %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jmap.1%{man_comp} jmap.1%{man_comp} %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jps.1%{man_comp} jps.1%{man_comp} %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jpackage.1%{man_comp} jpackage.1%{man_comp} %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jrunscript.1%{man_comp} jrunscript.1%{man_comp} %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jstack.1%{man_comp} jstack.1%{man_comp} %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jstat.1%{man_comp} jstat.1%{man_comp} %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jwebserver.1%{man_comp} jwebserver.1%{man_comp} %{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/jstatd.1%{man_comp} jstatd.1%{man_comp} %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1%{man_comp} \\ + --slave %{_mandir}/man1/serialver.1%{man_comp} serialver.1%{man_comp} %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1%{man_comp} +alternatives --install %{_jvmdir}/java-%{origin} java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} %{priority_for -- %{?1}} +alternatives --install %{_jvmdir}/java-%{javaver} java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} %{priority_for -- %{?1}} +} + +%define post_devel() %{expand: +%{alternatives_javac_install -- %{?1}} +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +} + +%define preun_devel() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +if [ $1 -eq 0 ] +then + alternatives --remove javac %{sdkbindir -- %{?1}}/javac + alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} +fi +} + +%define postun_devel() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +} + +%define posttrans_devel() %{expand: +%{update_desktop_icons} +} + +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +alternatives --install %{_javadocdir}/java-%{origin} javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api %{priority_for -- %{?1}} +alternatives --install %{_javadocdir}/java-%{javaver} javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api %{priority_for -- %{?1}} +alternatives --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api %{priority_for -- %{?1}} +} + +%define preun_javadoc() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +if [ $1 -eq 0 ] +then + alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api + alternatives --remove javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api + alternatives --remove javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +fi +} + +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +alternatives --install %{_javadocdir}/java-%{origin}.zip javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip %{priority_for -- %{?1}} +alternatives --install %{_javadocdir}/java-%{javaver}.zip javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip %{priority_for -- %{?1}} +# Weird legacy filename for backwards-compatibility +alternatives --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip %{priority_for -- %{?1}} +} + +%define preun_javadoc_zip() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +if [ $1 -eq 0 ] +then + alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + alternatives --remove javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + alternatives --remove javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +fi +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/openjdk-devkit.specfile +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/0*.patch +%dir %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}} +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%if ! %{system_libs} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/lible.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%ifnarch %{zero_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so +%ifarch %{svml_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc +%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/*.so +%ifarch %{share_arches} +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes.jsa +%ifnarch %{ix86} %{arm32} +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes_nocoops.jsa +%endif +%endif +%dir %{etcjavasubdir} +%dir %{etcjavadir -- %{?1}} +%dir %{etcjavadir -- %{?1}}/lib +%dir %{etcjavadir -- %{?1}}/lib/security +%{etcjavadir -- %{?1}}/lib/security/cacerts +%dir %{etcjavadir -- %{?1}}/conf +%dir %{etcjavadir -- %{?1}}/conf/sdp +%dir %{etcjavadir -- %{?1}}/conf/management +%dir %{etcjavadir -- %{?1}}/conf/security +%dir %{etcjavadir -- %{?1}}/conf/security/policy +%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited +%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy + %{etcjavadir -- %{?1}}/conf/security/policy/README.txt +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access +# This is a config template, thus not config-noreplace +%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template +%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/jaxp.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/conf +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/java +%ghost %{_jvmdir}/jre +%ghost %{_bindir}/%{alt_java_name} +%ghost %{_bindir}/jcmd +%ghost %{_bindir}/keytool +%ghost %{_bindir}/rmiregistry +%ghost %{_jvmdir}/jre-%{origin} +%ghost %{_jvmdir}/jre-%{javaver} +%ghost %{_jvmdir}/jre-%{javaver}-%{origin} +%endif +%endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved +} + +%define files_devel() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%ifnarch %{zero_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jwebserver +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver +%{_jvmdir}/%{sdkdir -- %{?1}}/include +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym +%if %{with_systemtap} +%{_jvmdir}/%{sdkdir -- %{?1}}/tapset +%endif +%{_datadir}/applications/*jconsole%{?1}.desktop +%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* + +%if %{with_systemtap} +%dir %{tapsetroot} +%dir %{tapsetdirttapset} +%dir %{tapsetdir} +%{tapsetdir}/*%{_arch}%{?1}.stp +%endif +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/javac +%ghost %{_jvmdir}/java +%ghost %{_bindir}/jlink +%ghost %{_bindir}/jmod +%ghost %{_bindir}/jhsdb +%ghost %{_bindir}/jar +%ghost %{_bindir}/jarsigner +%ghost %{_bindir}/javadoc +%ghost %{_bindir}/javap +%ghost %{_bindir}/jconsole +%ghost %{_bindir}/jdb +%ghost %{_bindir}/jdeps +%ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jfr +%ghost %{_bindir}/jimage +%ghost %{_bindir}/jinfo +%ghost %{_bindir}/jmap +%ghost %{_bindir}/jps +%ghost %{_bindir}/jpackage +%ghost %{_bindir}/jrunscript +%ghost %{_bindir}/jshell +%ghost %{_bindir}/jstack +%ghost %{_bindir}/jstat +%ghost %{_bindir}/jstatd +%ghost %{_bindir}/jwebserver +%ghost %{_bindir}/serialver +%ghost %{_jvmdir}/java-%{origin} +%ghost %{_jvmdir}/java-%{javaver} +%endif +%endif +} + +%define files_jmods() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/jmods +} + +%define files_demo() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/demo +} + +%define files_src() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip +} + +%define files_static_libs() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a +} + +%define files_javadoc() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java +%ghost %{_javadocdir}/java-%{origin} +%ghost %{_javadocdir}/java-%{javaver} +%endif +%endif +} + +%define files_javadoc_zip() %{expand: +%dir %{_javadocdir}/%{uniquejavadocdir -- %{?1}} +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java-zip +%ghost %{_javadocdir}/java-%{origin}.zip +%ghost %{_javadocdir}/java-%{javaver}.zip +%endif +%endif +} + +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +Requires: fontconfig%{?_isa} +Requires: xorg-x11-fonts-Type1 +# Require libXcomposite explicitly since it's only dynamically loaded +# at runtime. Fixes screenshot issues. See JDK-8150954. +Requires: libXcomposite%{?_isa} +# Requires rest of java +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# for java-X-openjdk package's desktop binding +# Where recommendations are available, recommend Gtk+ for the Swing look and feel +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 +Recommends: gtk3%{?_isa} +%endif +# Recommend PipeWire for screenshots under Wayland. +%if 0%{?rhel} >= 9 || 0%{?fedora} > 0 +Recommends: pipewire%{?_isa} +%endif + +Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} + +# Standard JPackage base provides +Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java%{?1} = %{epoch}:%{version}-%{release} +Provides: jre%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_headless_rpo() %{expand: +# Require /etc/pki/java/cacerts +Requires: ca-certificates +# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros +Requires: javapackages-filesystem +# Require zone-info data provided by tzdata-java sub-package +# 2025a required as of JDK-8347965 +Requires: tzdata-java >= 2025a +# for support of kernel stream control +# libsctp.so.1 is being `dlopen`ed on demand +Requires: lksctp-tools%{?_isa} +# for printing support +Requires: cups-libs +# for system security properties +Requires: crypto-policies +# for FIPS PKCS11 provider +Requires: nss +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} +# Where suggestions are available, recommend the sctp and pcsc libraries +# for optional support of kernel stream control and card reader +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 +Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} +%endif + +# Standard JPackage base provides +Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_devel_rpo() %{expand: +# Requires base package +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} + +# Standard JPackage devel provides +Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_static_libs_rpo() %{expand: +Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +} + +# Requires the devel package which contains jmod and jlink +%define java_jmods_rpo() %{expand: +# As most jmods are bytecode, they should be OK without any _isa +# (java.base mod does contain native libraries) +Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# The demo package depends on the full graphical JRE which is needed to +# run the demos. +%define java_demo_rpo() %{expand: +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# The javadoc packages depend on the headless package for the legal documentation. +# Potentially, the legal documentation could be split into a small package +# which the javadoc and headless packages then depend on, but it does not +# seem worth the additional disruption just to have docs installed and no JDK. +# Arguments: +# - 1 = package name suffix (called twice for javadoc-zip with nil & -zip) +%define java_javadoc_rpo() %{expand: +# Standard JPackage javadoc provides +Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# The src package depends on the headless package for the legal documentation. +# Potentially, the legal documentation could be split into a small package +# which the src and headless package then depend on, but it does not +# seem worth the additional disruption just to have sources installed and no JDK. +%define java_src_rpo() %{expand: +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +# Standard JPackage sources provides +Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 +# Define the root name of the portable packages +%global pkgnameroot java-%{featurever}-%{origin}-portable%{?pkgos:-%{pkgos}} + +# Define the architectures on which we build +ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64 riscv64 + +Name: java-%{javaver}-%{origin} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# Equivalent for the portable build +%global prelease %{?eaprefix}%{portablerelease}%{?extraver} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +Source9: jconsole.desktop.in + +# Source code for alt-java +Source11: alt-java.c + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +# Include portable spec and instructions on how to rebuild +Source19: README.md +Source20: java-%{featurever}-openjdk-portable.specfile +Source21: NEWS +Source22: openjdk-devkit.specfile +# Devkit patches; see https://github.com/rh-openjdk/jdk/tree/devkit +# To regenerate, use git format-patch -N jdk21u/master +# Add RHEL RPM URLs and turn off robots +Source23: 0001-Allow-devkit-to-work-with-RHEL.patch +# Turn off multilib on x86_64 +Source24: 0002-Disable-multilib-on-x86_64.patch +# Improve build logging (OPENJDK-3071) +Source25: 0003-Log-devkit-build-to-stdout.patch +# Remove .comment sections from sysroot objects +Source26: 0004-devkit-Remove-.comment-sections-from-sysroot-objects.patch +# Configure binutils with --enable-deterministic-archives +Source27: 0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch +# Configure gcc with --enable-linker-build-id (OPENJDK-3068) +Source28: 0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch +# Exclude systemtap-sdt-devel on s390x & ppc64* (OPENJDK-3070) +Source29: 0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch +# Use update repository on RHEL rather than GA (OPENJDK-3589) +Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch + +# Setup variables to reference correct sources +%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global slowdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz +%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# Crypto policy and FIPS support patches +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Follow system wide crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Resolve outstanding FIPS issues +# RH2052819: Fix FIPS reliance on crypto policies +# RH2052829: Detect NSS at Runtime for FIPS detection +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +# RH2104724: Avoid import/export of DH private keys +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +# Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] +# RH2020290: Support TLS 1.3 in FIPS mode +# Add nss.fips.cfg support to OpenJDK tree +# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +# Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +# Currently empty + +############################################# +# +# OpenJDK patches which missed last update +# +############################################# + +# Currently empty + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +# From RHEL 10, debugedit is in its own package +%if 0%{?rhel} >= 10 +BuildRequires: debugedit +%endif +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: fontconfig-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.fips.cfg +BuildRequires: nss-devel +# Requirement for system security property test +BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +BuildRequires: javapackages-filesystem +%if %{include_normal_build} +BuildRequires: %{pkgnameroot}-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +%if %{include_fastdebug_build} +BuildRequires: %{pkgnameroot}-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +%if %{include_debug_build} +BuildRequires: %{pkgnameroot}-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +BuildRequires: %{pkgnameroot}-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# 2025a required as of JDK-8347965 +BuildRequires: tzdata-java >= 2025a +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: zlib-devel +%else +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.3 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.2 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 10.4.0 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.17.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.47 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package headless +Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_headless_rpo %{nil}} + +%description headless +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%endif + +%if %{include_debug_build} +%package headless-slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_headless_rpo -- %{debug_suffix_unquoted}} + +%description headless-slowdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} development tools . +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package jmods +Summary: JMods for %{origin_nice} %{featurever} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_jmods_rpo %{nil}} + +%description jmods +The JMods for %{origin_nice} %{featurever}. +%endif + +%if %{include_debug_build} +%package jmods-slowdebug +Summary: JMods for %{origin_nice} %{featurever} %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_jmods_rpo -- %{debug_suffix_unquoted}} + +%description jmods-slowdebug +The JMods for %{origin_nice} %{featurever}. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package jmods-fastdebug +Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} + +%description jmods-fastdebug +The JMods for %{origin_nice} %{featurever}. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package demo +Summary: %{origin_nice} %{featurever} Demos +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_demo_rpo %{nil}} + +%description demo +The %{origin_nice} %{featurever} demos. +%endif + +%if %{include_debug_build} +%package demo-slowdebug +Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_demo_rpo -- %{debug_suffix_unquoted}} + +%description demo-slowdebug +The %{origin_nice} %{featurever} demos. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} %{featurever} demos. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package src +Summary: %{origin_nice} %{featurever} Source Bundle +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_src_rpo %{nil}} + +%description src +The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} +class library source code for use by IDE indexers and debuggers. +%endif + +%if %{include_debug_build} +%package src-slowdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_src_rpo -- %{debug_suffix_unquoted}} + +%description src-slowdebug +The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_debug}. +%endif + +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. +%endif + +%if %{include_normal_build} +%package javadoc +Summary: %{origin_nice} %{featurever} API documentation +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif +Requires: javapackages-filesystem +Requires: %{name}-headless%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?_isa} = %{epoch}:%{version}-%{release} +Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling +# Post requires alternatives to install javadoc alternative +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall javadoc alternative +Requires(postun): %{alternatives_requires} + +%{java_javadoc_rpo -- %{nil}} + +%description javadoc +The %{origin_nice} %{featurever} API documentation. +%package javadoc-zip +Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif +Requires: javapackages-filesystem +Requires: %{name}-headless%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?_isa} = %{epoch}:%{version}-%{release} +Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling +# Post requires alternatives to install javadoc alternative +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall javadoc alternative +Requires(postun): %{alternatives_requires} + +%{java_javadoc_rpo -- -zip} +%{java_javadoc_rpo -- %{nil}} + +%description javadoc-zip +The %{origin_nice} %{featurever} API documentation compressed in a single archive. +%endif + +%prep + +echo "Preparing %{oj_vendor_version}" +echo "System is RHEL=%{?rhel}%{!?rhel:0}, CentOS=%{?centos}%{!?centos:0}, EPEL=%{?epel}%{!?epel:0}, Fedora=%{?fedora}%{!?fedora:0}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +export XZ_OPT="-T0" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +pushd %{top_level_dir_name} +# Add crypto policy and FIPS support +%patch -P1001 -p1 +popd # openjdk + +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "WARNING: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + exit 17 +fi + +# Prepare desktop files +# The _X_ syntax indicates variables that are replaced by make upstream +# The @X@ syntax indicates variables that are replaced by configure upstream +for suffix in %{build_loop} ; do +for file in %{SOURCE9}; do + FILE=`basename $file | sed -e s:\.in$::g` + EXT="${FILE##*.}" + NAME="${FILE%.*}" + OUTPUT_FILE=$NAME$suffix.$EXT + sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE + sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE + sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE +done +done + +%build + +function customisejdk() { + local imagepath=${1} + + if [ -d ${imagepath} ] ; then + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + fi +} + +export XZ_OPT="-T0" + +mkdir -p $(dirname %{installoutputdir}) + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv java-%{featurever}-openjdk*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv java-%{featurever}-openjdk*.misc.* ${miscdir} + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + jdkzip=%{releasezip} + staticlibzip=%{staticlibzip} + elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then + jdkzip=%{fastdebugzip} + staticlibzip=%{fastdebugstaticlibzip} + else # slowdebug + jdkzip=%{slowdebugzip} + staticlibzip=%{slowdebugstaticlibzip} + fi + + installdir=%{installoutputdir -- ${suffix}} + + # TODO: should verify checksums when using packages from buildroot + tar -xJf ${jdkzip} + tar -xJf ${staticlibzip} + mv java-%{featurever}-openjdk* ${installdir} + + # Fix build paths in ELF files so it looks like we built them + portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" + for file in $(find ${installdir} -type f) ; do + if file ${file} | grep -q 'ELF'; then + %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} + fi + done + + # Set tapset variables to match this build +%if %{with_systemtap} + for file in ${miscdir}/tapset${suffix}/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{vm_variant}/libjvm.so:g" $file > ${OUTPUT_FILE} +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE} +%else + sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE} +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +%endif + + # Final setup on the main image + customisejdk ${installdir} + + # Print release information + cat ${installdir}/release + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}} + +# Pre-test setup + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + + # Check unlimited policy has been used + $JAVA_HOME/bin/javac -d . %{SOURCE13} + $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + + # Check ECC is working + $JAVA_HOME/bin/javac -d . %{SOURCE14} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + + # Check system crypto (policy) is active and can be disabled + # Test takes a single argument - true or false - to state whether system + # security properties are enabled or not. + $JAVA_HOME/bin/javac -d . %{SOURCE15} + export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") + export SEC_DEBUG="-Djava.security.debug=properties" + $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true + $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + + # Check correct vendor values have been set + $JAVA_HOME/bin/javac -d . %{SOURCE16} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +%if ! 0%{?flatpak} + # Check translations are available for new timezones (during flatpak builds, the + # tzdb.dat used by this test is not where the test expects it, so this is + # disabled for flatpak builds) + # Disable test until we are on the latest JDK + $JAVA_HOME/bin/javac -d . %{SOURCE18} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + + # Check src.zip has all sources. See RHBZ#1130490 + unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + + # Check class files include useful debugging information + $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + + # Check generated class files include useful debugging information + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + + # Just run a basic java -version test on other architectures + $JAVA_HOME/bin/java -version + +%endif + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +alt_java_binary=$RPM_BUILD_ROOT%{jrebindir -- $suffix}/%{alt_java_name} +%ifarch %{ssbd_arches} +nm ${alt_java_binary} | grep prctl +%else +if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +# Temporary workaround for debuginfo failure on x86_64 with devkit build +%ifnarch x86_64 +export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c +%endif +%endif + +so_suffix="so" +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < +%{lua_delete_old_link -- %{_jvmdir}/%{sdkdir -- %{?1}}} + +%post headless +%{post_headless %{nil}} +exit 0 + +%postun +%{postun_script %{nil}} +exit 0 + +%preun headless +%{preun_headless %{nil}} +exit 0 + +%posttrans +%{posttrans_script %{nil}} +exit 0 + +%post devel +%{post_devel %{nil}} +exit 0 + +%preun devel +%{preun_devel %{nil}} +exit 0 + +%postun devel +%{postun_devel %{nil}} +exit 0 + +%posttrans devel +%{posttrans_devel %{nil}} +exit 0 + +%pretrans javadoc -p +%{lua_delete_old_link -- %{_jvmdir}/%{sdkdir -- %{?1}}} +%{lua_delete_old_link -- %{_javadocdir}/%{uniquejavadocdir -- %{?1}}} + +%post javadoc +%{alternatives_javadoc_install %{nil}} +exit 0 + +%preun javadoc +%{preun_javadoc %{nil}} +exit 0 + +%pretrans javadoc-zip -p +%{lua_delete_old_link -- %{_jvmdir}/%{sdkdir -- %{?1}}} +%{lua_delete_old_link -- %{_javadocdir}/%{uniquejavadocdir -- %{?1}}} + +%post javadoc-zip +%{alternatives_javadoczip_install %{nil}} +exit 0 + +%preun javadoc-zip +%{preun_javadoc_zip %{nil}} +exit 0 +%endif + +%if %{include_debug_build} +%post slowdebug +%{post_script -- %{debug_suffix_unquoted}} +exit 0 + +%post headless-slowdebug +%{post_headless -- %{debug_suffix_unquoted}} +exit 0 + +%postun slowdebug +%{postun_script -- %{debug_suffix_unquoted}} +exit 0 + +%preun headless-slowdebug +%{preun_headless -- %{debug_suffix_unquoted}} +exit 0 + +%posttrans slowdebug +%{posttrans_script -- %{debug_suffix_unquoted}} +exit 0 + +%post devel-slowdebug +%{post_devel -- %{debug_suffix_unquoted}} +exit 0 + +%preun devel-slowdebug +%{preun_devel -- %{debug_suffix_unquoted}} +exit 0 + +%postun devel-slowdebug +%{postun_devel -- %{debug_suffix_unquoted}} +exit 0 + +%posttrans devel-slowdebug +%{posttrans_devel -- %{debug_suffix_unquoted}} +exit 0 +%endif + +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} +exit 0 + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} +exit 0 + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} +exit 0 + +%preun headless-fastdebug +%{preun_headless -- %{fastdebug_suffix_unquoted}} +exit 0 + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} +exit 0 + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} +exit 0 + +%preun devel-fastdebug +%{preun_devel -- %{fastdebug_suffix_unquoted}} +exit 0 + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} +exit 0 + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} +exit 0 +%endif + +%if %{include_normal_build} +%files +# main package builds always +%{files_jre %{nil}} +%else +%files +# placeholder +%endif + +%if %{include_normal_build} +%files headless +%{files_jre_headless %{nil}} + +%files devel +%{files_devel %{nil}} + +%if %{include_staticlibs} +%files static-libs +%{files_static_libs %{nil}} +%endif + +%files jmods +%{files_jmods %{nil}} + +%files demo +%{files_demo %{nil}} + +%files src +%{files_src %{nil}} + +%files javadoc +%{files_javadoc %{nil}} + +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only +# same for debug variant +%files javadoc-zip +%{files_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%files slowdebug +%{files_jre -- %{debug_suffix_unquoted}} + +%files headless-slowdebug +%{files_jre_headless -- %{debug_suffix_unquoted}} + +%files devel-slowdebug +%{files_devel -- %{debug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-slowdebug +%{files_static_libs -- %{debug_suffix_unquoted}} +%endif + +%files jmods-slowdebug +%{files_jmods -- %{debug_suffix_unquoted}} + +%files demo-slowdebug +%{files_demo -- %{debug_suffix_unquoted}} + +%files src-slowdebug +%{files_src -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-fastdebug +%{files_static_libs -- %{fastdebug_suffix_unquoted}} +%endif + +%files jmods-fastdebug +%{files_jmods -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%endif + +%changelog +* Thu Jul 10 2025 Andrew Hughes - 1:21.0.8.0.9-1.1 +- Update to jdk-21.0.8+9 (GA) +- Related: RHEL-100678 diff --git a/jconsole.desktop.in b/jconsole.desktop.in new file mode 100644 index 0000000..8a3b04d --- /dev/null +++ b/jconsole.desktop.in @@ -0,0 +1,10 @@ +[Desktop Entry] +Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) +Comment=Monitor and manage OpenJDK applications +Exec=_SDKBINDIR_/jconsole +Icon=java-@JAVA_VER@-@JAVA_VENDOR@ +Terminal=false +Type=Application +StartupWMClass=sun-tools-jconsole-JConsole +Categories=Development;Profiling;Java; +Version=1.0 diff --git a/openjdk-devkit.specfile b/openjdk-devkit.specfile new file mode 100644 index 0000000..ffb09c1 --- /dev/null +++ b/openjdk-devkit.specfile @@ -0,0 +1,230 @@ +# Spec file for building a devkit for OpenJDK builds + +# We do not want debug packages +%global debug_package %{nil} +# Arch definitions from java-*-openjdk RPM +%global aarch64 aarch64 arm64 armv8 +# x86 is not supported by OpenJDK 17 +ExcludeArch: %{ix86} + +# New Version-String scheme-style defines +%global featurever 21 +%global interimver 0 +%global updatever 5 +%global patchver 0 +%global buildver 11 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# Date devkit RPMs were download +%global rpm_download_date 20250117 + +Name: openjdk-devkit +Version: 1.0 +Release: 9%{?dist} +License: GPLv2 +URL: http://openjdk.java.net/ +Summary: OpenJDK Devkit + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz +# The buildroot RPMs for each architecture +Source1: devkit-rpms-aarch64-%{rpm_download_date}.tar.xz +Source2: devkit-rpms-ppc64le-%{rpm_download_date}.tar.xz +Source3: devkit-rpms-s390x-%{rpm_download_date}.tar.xz +Source4: devkit-rpms-x86_64-%{rpm_download_date}.tar.xz +# Toolchain sources +Source5: binutils-2.39.tar.gz +Source6: gcc-11.3.0.tar.xz +Source7: gmp-6.2.1.tar.bz2 +Source8: mpc-1.2.1.tar.gz +Source9: mpfr-4.1.1.tar.bz2 +Source10: gdb-11.2.tar.xz + +# Devkit patches; see https://github.com/rh-openjdk/jdk/tree/devkit +# To regenerate, use git format-patch -N jdk21u/master +# Add RHEL RPM URLs and turn off robots +Patch0: 0001-Allow-devkit-to-work-with-RHEL.patch +# Turn off multilib on x86_64 +Patch1: 0002-Disable-multilib-on-x86_64.patch +# Improve build logging (OPENJDK-3071) +Patch2: 0003-Log-devkit-build-to-stdout.patch +# Remove .comment sections from sysroot objects +Patch3: 0004-devkit-Remove-.comment-sections-from-sysroot-objects.patch +# Configure binutils with --enable-deterministic-archives +Patch4: 0005-Tools.gmk-Configure-binutils-with-enable-determinist.patch +# Configure gcc with --enable-linker-build-id (OPENJDK-3068) +Patch5: 0006-Tools.gmk-Add-enable-linker-build-id-to-gcc-build.patch +# Exclude systemtap-sdt-devel on s390x & ppc64* (OPENJDK-3070) +Patch6: 0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch +# Use update repository on RHEL rather than GA (OPENJDK-3589) +Patch7: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch + +BuildRequires: make autoconf automake libtool gcc gcc-c++ wget glibc-devel texinfo tar bison + +# Setup variables to reference correct sources +%ifarch %{aarch64} +%global rpmtarball %{SOURCE1} +%endif +%ifarch ppc64le +%global rpmtarball %{SOURCE2} +%endif +%ifarch s390x +%global rpmtarball %{SOURCE3} +%endif +%ifarch x86_64 +%global rpmtarball %{SOURCE4} +%endif + +%description +OpenJDK Devkit + +%prep + +# Unpack OpenJDK sources only in build directory +%setup -q -T -c -a 0 + +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +pushd jdk-* +%patch -P0 -p1 +%patch -P1 -p1 +%patch -P2 -p1 +%patch -P3 -p1 +%patch -P4 -p1 +%patch -P5 -p1 +%patch -P6 -p1 +%patch -P7 -p1 +popd + +mkdir -p devkit/download +pushd devkit/download +tar -xJf %{rpmtarball} +ln -s %{SOURCE5} +ln -s %{SOURCE6} +ln -s %{SOURCE7} +ln -s %{SOURCE8} +ln -s %{SOURCE9} +ln -s %{SOURCE10} + +%build + +devkit_dir=$(pwd)/devkit +today=$(date +%Y%m%d) +arch=%{_target_cpu} +result_name=${arch}-linux-gnu-to-${arch}-linux-gnu +result_path=result/${result_name} + +pushd jdk-*/make/devkit + +# Build devkit first using the native toolchain, +# than again using itself +for variant in bootstrap product ; do + if [ -e ${devkit_dir}-bootstrap/${result_path}/bin/gcc ] ; then + ROOTDIR=${devkit_dir}-bootstrap/${result_path}; + BINDIR=${ROOTDIR}/bin; + TOOLS="CC=${BINDIR}/gcc CXX=${BINDIR}/g++ LD=${BINDIR}/ld \ + AR=${BINDIR}/ar AS=${BINDIR}/as RANLIB=${BINDIR}/ranlib \ + OBJDUMP=${BINDIR}/objdump" + LIBPATH="${ROOTDIR}/lib64:${ROOTDIR}/lib" + else + TOOLS="CC=$(which gcc) CXX=$(which g++) LD=$(which ld) \ + AR=$(which ar) AS=$(which as) RANLIB=$(which ranlib) \ + OBJDUMP=$(which objdump)" + fi + mkdir -p ${devkit_dir}-${variant} + ln -s ${devkit_dir}/download ${devkit_dir}-${variant} + LD_LIBRARY_PATH="${LIBPATH}" \ + make -f Tools.gmk all ${TOOLS} \ + HOST=${arch}-linux-gnu \ + BUILD=${arch}-linux-gnu \ + RESULT=${devkit_dir}-${variant}/result \ + OUTPUT_ROOT=${devkit_dir}-${variant} \ + TARGET=${arch}-linux-gnu \ + PREFIX=${devkit_dir}-${variant}/${result_path} \ + BASE_OS=RHEL +done + +make -r -f Tars.gmk \ + SRC_DIR=${devkit_dir}-product/${result_path} \ + TAR_FILE=${devkit_dir}-product/result/sdk-${result_name}-${today}.tar.gz +popd + +%install +mkdir -p %{buildroot}%{_datadir}/%{name} +cp -p devkit-product/result/*.tar.gz %{buildroot}%{_datadir}/%{name}/ + +%files +%{_datadir}/%{name} + +%changelog +* Fri Jan 17 2025 Andrew Hughes - 1.0-9 +- Update devkit RPMs to latest updates +- Exclude SystemTap RPMs from s390x and ppc64le +- Add a date stamp to the RPM bundles +- Resolves: OPENJDK-3070 += Resolves: OPENJDK-3589 + +* Wed Nov 27 2024 Andrew Hughes - 1.0-8 +- Add --enable-linker-build-id to gcc build +- Resolves: OPENJDK-3068 + +* Wed Oct 30 2024 Andrew Hughes - 1.0-7 +- Improve build logging by also writing to stdout +- Cleanup patches and rebase on jdk-21.0.5-ga +- Drop JDK-8323671 patch which is upstream as of 21.0.3+3 +- Resolves: OPENJDK-3071 + +* Tue Jun 11 2024 Andrew Hughes - 1.0-6 +- Fix typo where 'as' binary is accidentally capitalised in AS=/as + +* Wed May 01 2024 Andrew Hughes - 1.0-5 +- Bootstrap the devkit, building it again with itself + +* Mon Apr 08 2024 Andrew Hughes - 1.0-4 +- Include Thomas' patches to drop .comment sections and build binutils with deterministic archives +- Use backward-compatible patch syntax + +* Tue Feb 06 2024 Andrew Hughes - 1.0-3 +- Include JDK-8323671 patch so the binaries don't contain the full source path + +* Fri Dec 08 2023 Andrew Hughes - 1.0-2 +- Try to turn off multlib on x86_64 as we don't have the dependencies for it + +* Tue Dec 05 2023 Andrew Hughes - 1.0-1 +- Create RHEL 7 based devkit for building OpenJDK diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh new file mode 100644 index 0000000..25c2fc8 --- /dev/null +++ b/remove-intree-libraries.sh @@ -0,0 +1,164 @@ +#!/bin/sh + +# Arguments: +TREE=${1} +TYPE=${2} + +ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ +JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ +GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ +PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ +LCMS_SRC=src/java.desktop/share/native/liblcms/ + +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} + +echo "Removing built-in libs (they will be linked)" + +# On full runs, allow for zlib & freetype having already been deleted by minimal +echo "Removing zlib" +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then + echo "${ZIP_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} + +# Minimal is limited to just zlib and freetype so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + +echo "Removing libjpeg" +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist + echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." + exit 1 +fi + +rm -vf ${JPEG_SRC}/jcomapi.c +rm -vf ${JPEG_SRC}/jdapimin.c +rm -vf ${JPEG_SRC}/jdapistd.c +rm -vf ${JPEG_SRC}/jdcoefct.c +rm -vf ${JPEG_SRC}/jdcolor.c +rm -vf ${JPEG_SRC}/jdct.h +rm -vf ${JPEG_SRC}/jddctmgr.c +rm -vf ${JPEG_SRC}/jdhuff.c +rm -vf ${JPEG_SRC}/jdhuff.h +rm -vf ${JPEG_SRC}/jdinput.c +rm -vf ${JPEG_SRC}/jdmainct.c +rm -vf ${JPEG_SRC}/jdmarker.c +rm -vf ${JPEG_SRC}/jdmaster.c +rm -vf ${JPEG_SRC}/jdmerge.c +rm -vf ${JPEG_SRC}/jdphuff.c +rm -vf ${JPEG_SRC}/jdpostct.c +rm -vf ${JPEG_SRC}/jdsample.c +rm -vf ${JPEG_SRC}/jerror.c +rm -vf ${JPEG_SRC}/jerror.h +rm -vf ${JPEG_SRC}/jidctflt.c +rm -vf ${JPEG_SRC}/jidctfst.c +rm -vf ${JPEG_SRC}/jidctint.c +rm -vf ${JPEG_SRC}/jidctred.c +rm -vf ${JPEG_SRC}/jinclude.h +rm -vf ${JPEG_SRC}/jmemmgr.c +rm -vf ${JPEG_SRC}/jmemsys.h +rm -vf ${JPEG_SRC}/jmemnobs.c +rm -vf ${JPEG_SRC}/jmorecfg.h +rm -vf ${JPEG_SRC}/jpegint.h +rm -vf ${JPEG_SRC}/jpeglib.h +rm -vf ${JPEG_SRC}/jquant1.c +rm -vf ${JPEG_SRC}/jquant2.c +rm -vf ${JPEG_SRC}/jutils.c +rm -vf ${JPEG_SRC}/jcapimin.c +rm -vf ${JPEG_SRC}/jcapistd.c +rm -vf ${JPEG_SRC}/jccoefct.c +rm -vf ${JPEG_SRC}/jccolor.c +rm -vf ${JPEG_SRC}/jcdctmgr.c +rm -vf ${JPEG_SRC}/jchuff.c +rm -vf ${JPEG_SRC}/jchuff.h +rm -vf ${JPEG_SRC}/jcinit.c +rm -vf ${JPEG_SRC}/jconfig.h +rm -vf ${JPEG_SRC}/jcmainct.c +rm -vf ${JPEG_SRC}/jcmarker.c +rm -vf ${JPEG_SRC}/jcmaster.c +rm -vf ${JPEG_SRC}/jcparam.c +rm -vf ${JPEG_SRC}/jcphuff.c +rm -vf ${JPEG_SRC}/jcprepct.c +rm -vf ${JPEG_SRC}/jcsample.c +rm -vf ${JPEG_SRC}/jctrans.c +rm -vf ${JPEG_SRC}/jdtrans.c +rm -vf ${JPEG_SRC}/jfdctflt.c +rm -vf ${JPEG_SRC}/jfdctfst.c +rm -vf ${JPEG_SRC}/jfdctint.c +rm -vf ${JPEG_SRC}/jversion.h +rm -vf ${JPEG_SRC}/README + +echo "Removing giflib" +if [ ! -d ${GIF_SRC} ]; then + echo "${GIF_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${GIF_SRC} + +echo "Removing libpng" +if [ ! -d ${PNG_SRC} ]; then + echo "${PNG_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${PNG_SRC} + +echo "Removing lcms" +if [ ! -d ${LCMS_SRC} ]; then + echo "${LCMS_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -vf ${LCMS_SRC}/cmscam02.c +rm -vf ${LCMS_SRC}/cmscgats.c +rm -vf ${LCMS_SRC}/cmscnvrt.c +rm -vf ${LCMS_SRC}/cmserr.c +rm -vf ${LCMS_SRC}/cmsgamma.c +rm -vf ${LCMS_SRC}/cmsgmt.c +rm -vf ${LCMS_SRC}/cmshalf.c +rm -vf ${LCMS_SRC}/cmsintrp.c +rm -vf ${LCMS_SRC}/cmsio0.c +rm -vf ${LCMS_SRC}/cmsio1.c +rm -vf ${LCMS_SRC}/cmslut.c +rm -vf ${LCMS_SRC}/cmsmd5.c +rm -vf ${LCMS_SRC}/cmsmtrx.c +rm -vf ${LCMS_SRC}/cmsnamed.c +rm -vf ${LCMS_SRC}/cmsopt.c +rm -vf ${LCMS_SRC}/cmspack.c +rm -vf ${LCMS_SRC}/cmspcs.c +rm -vf ${LCMS_SRC}/cmsplugin.c +rm -vf ${LCMS_SRC}/cmsps2.c +rm -vf ${LCMS_SRC}/cmssamp.c +rm -vf ${LCMS_SRC}/cmssm.c +rm -vf ${LCMS_SRC}/cmstypes.c +rm -vf ${LCMS_SRC}/cmsvirt.c +rm -vf ${LCMS_SRC}/cmswtpnt.c +rm -vf ${LCMS_SRC}/cmsxform.c +rm -vf ${LCMS_SRC}/lcms2.h +rm -vf ${LCMS_SRC}/lcms2_internal.h +rm -vf ${LCMS_SRC}/lcms2_plugin.h diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..8b4fa58 --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,3 @@ +--- +inspections: + javabytecode: off diff --git a/scripts/builds/build_centos.sh b/scripts/builds/build_centos.sh new file mode 100755 index 0000000..5625b93 --- /dev/null +++ b/scripts/builds/build_centos.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the RPM on CentOS 9 or 10 + +centpkg -v build + +# Local Variables: +# compile-command: "shellcheck build_centos.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_centos_portable_build.sh b/scripts/builds/build_centos_portable_build.sh new file mode 100755 index 0000000..41eb62f --- /dev/null +++ b/scripts/builds/build_centos_portable_build.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the portable on CentOS + +centpkg -v build --target java-openjdk-portable-build --rhel-target none + +# Local Variables: +# compile-command: "shellcheck build_centos_portable_build.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_rhel_10.sh b/scripts/builds/build_rhel_10.sh new file mode 100755 index 0000000..2e52c28 --- /dev/null +++ b/scripts/builds/build_rhel_10.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the RPM on RHEL 10 + +NVR=${1} +USER=${2} + +if test "${NVR}" = ""; then + echo "${0} "; + exit 1; +fi + +if test "${USER}" = ""; then + echo "${0} "; + exit 2; +fi + +METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}" +rhpkg -v build --target=java-openjdk-rhel-10-build --custom-user-metadata "${METADATA}" + +# Local Variables: +# compile-command: "shellcheck build_rhel_10.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_rhel_7_portable_build.sh b/scripts/builds/build_rhel_7_portable_build.sh new file mode 100755 index 0000000..0cf02d0 --- /dev/null +++ b/scripts/builds/build_rhel_7_portable_build.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the portable on RHEL 7 + +rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check + +# Local Variables: +# compile-command: "shellcheck build_rhel_7_portable_build.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_rhel_8.sh b/scripts/builds/build_rhel_8.sh new file mode 100755 index 0000000..c1ea948 --- /dev/null +++ b/scripts/builds/build_rhel_8.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the RPM on RHEL 8 + +NVR=${1} +USER=${2} + +if test "${NVR}" = ""; then + echo "${0} "; + exit 1; +fi + +if test "${USER}" = ""; then + echo "${0} "; + exit 2; +fi + +METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}" +rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}" + +# Local Variables: +# compile-command: "shellcheck build_rhel_8.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_rhel_9.sh b/scripts/builds/build_rhel_9.sh new file mode 100755 index 0000000..a39e35f --- /dev/null +++ b/scripts/builds/build_rhel_9.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the RPM on RHEL 9 + +NVR=${1} +USER=${2} + +if test "${NVR}" = ""; then + echo "${0} "; + exit 1; +fi + +if test "${USER}" = ""; then + echo "${0} "; + exit 2; +fi + +METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}" +rhpkg -v build --target=java-openjdk-rhel-9-build --custom-user-metadata "${METADATA}" + +# Local Variables: +# compile-command: "shellcheck build_rhel_9.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_rhel_portable_build.sh b/scripts/builds/build_rhel_portable_build.sh new file mode 100755 index 0000000..3fd6a22 --- /dev/null +++ b/scripts/builds/build_rhel_portable_build.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds the portable on RHEL 8 + +rhpkg -v build --target=java-openjdk-rhel-8-build --skip-nvr-check + +# Local Variables: +# compile-command: "shellcheck build_rhel_portable_build.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/build_vanilla.sh b/scripts/builds/build_vanilla.sh new file mode 100755 index 0000000..c4f67f7 --- /dev/null +++ b/scripts/builds/build_vanilla.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Builds a scratch build of vanilla OpenJDK with no local patches + +SEPARATE_ARCHES=${1} +CMD="--target java-openjdk-rhel-8-build --skip-nvr-check --nowait"; +SUPPORTED_ARCHES="aarch64 ppc64le s390x x86_64"; + +if [ "x${SEPARATE_ARCHES}" = "x" ] ; then + SEPARATE_ARCHES=0; +fi + +if [ ${SEPARATE_ARCHES} -eq 1 ] ; then + for arch in ${SUPPORTED_ARCHES}; do \ + rhpkg -v build --arches ${arch} --scratch ${CMD} ; \ + done && brew watch-task --mine +else + rhpkg -v build ${CMD} && brew watch-task --mine +fi + +# Local Variables: +# compile-command: "shellcheck build_vanilla.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/discover_trees.sh b/scripts/discover_trees.sh new file mode 100755 index 0000000..7a0b800 --- /dev/null +++ b/scripts/discover_trees.sh @@ -0,0 +1,61 @@ +#!/bin/sh + +# Copyright (C) 2024 Red Hat, Inc. +# Written by Andrew John Hughes . +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +TREE=${1} + +if test "${TREE}" = ""; then + TREE=${PWD} +fi + +if [ -e "${TREE}"/nashorn/.hg ] || [ -e "${TREE}"/nashorn/merge.changeset ] ; then + NASHORN="nashorn" ; +fi + +if [ -e "${TREE}"/corba/.hg ] || [ -e "${TREE}"/corba/merge.changeset ] ; then + CORBA="corba"; +fi + +if [ -e "${TREE}"/jaxp/.hg ] || [ -e "${TREE}"/jaxp/merge.changeset ] ; then + JAXP="jaxp"; +fi + +if [ -e "${TREE}"/jaxws/.hg ] || [ -e "${TREE}"/jaxws/merge.changeset ] ; then + JAXWS="jaxws"; +fi + +if [ -e "${TREE}"/langtools/.hg ] || [ -e "${TREE}"/langtools/merge.changeset ] ; then + LANGTOOLS="langtools"; +fi + +if [ -e "${TREE}"/jdk/.hg ] || [ -e "${TREE}"/jdk/merge.changeset ] ; then + JDK="jdk"; +fi + +if [ -e "${TREE}"/hotspot/.hg ] || [ -e "${TREE}"/hotspot/merge.changeset ] ; then + HOTSPOT="hotspot"; +fi + +SUBTREES="${CORBA} ${JAXP} ${JAXWS} ${LANGTOOLS} ${NASHORN} ${JDK} ${HOTSPOT}"; +echo "${SUBTREES}" + +# Local Variables: +# compile-command: "shellcheck discover_trees.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/generate_source_tarball.sh b/scripts/generate_source_tarball.sh new file mode 100755 index 0000000..ad163f3 --- /dev/null +++ b/scripts/generate_source_tarball.sh @@ -0,0 +1,294 @@ +#!/bin/bash + +# Copyright (C) 2024 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# Thomas Fitzsimmons +# Jiri Vanek +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Generates the source tarball for OpenJDK projects. +# +# There are multiple ways to specify the source code location and version: +# +# 1. Specify the version (VERSION), the location of the Git repository +# (REPO_ROOT) and the root of the output tarball name (FILE_NAME_ROOT) +# 2. Specify the version (VERSION) along with an upstream project name +# (PROJECT_NAME) and repository name (REPO_NAME) that can be used +# to construct the URL of the upstream OpenJDK repository. +# 3. Specify OPENJDK_LATEST=1 and allow the script to obtain the JDK +# feature version from the spec file, which is then used to +# obtain the latest build promotion from the upstream repository. +# +# An appropriate bootstrap JDK is also required for when ./configure +# is run within the checked out repository to generate the .src-rev. +# file. This can be specified by setting BOOT_JDK. +# +# Example 1: +# This will check out the specified version from the specified +# repository and construct a tarball called openjdk-17.0.3+5.tar.xz: +# +# $ VERSION=jdk-17.0.3+5 FILE_NAME_ROOT=open${VERSION} \ +# REPO_ROOT=$HOME/projects/openjdk/upstream/17u \ +# BOOT_JDK=/usr/lib/jvm/java-17-openjdk ./generate_source_tarball.sh +# +# Example 2: +# This will check out the same version as example 1, but from the +# upstream repository: +# +# $ VERSION=jdk-17.0.3+5 PROJECT_NAME=openjdk REPO_NAME=jdk17u \ +# BOOT_JDK=/usr/lib/jvm/java-17-openjdk ./generate_source_tarball.sh +# +# Example 3: +# This will read the OpenJDK feature version from the spec file, then create a +# tarball from the most recent tag for that version in the upstream Git +# repository. +# +# $ OPENJDK_LATEST=1 \ +# BOOT_JDK=/usr/lib/jvm/java-17-openjdk ./generate_source_tarball.sh +# + +set -e + +OPENJDK_URL_DEFAULT=https://github.com +COMPRESSION_DEFAULT=xz + +if [ "$1" = "help" ] ; then + echo "Behaviour may be specified by setting the following variables:" + echo + echo "VERSION - the version of the specified OpenJDK project" + echo " (required unless OPENJDK_LATEST is set)" + echo "PROJECT_NAME - the name of the OpenJDK project being archived" + echo " (needed to compute REPO_ROOT and/or" + echo " FILE_NAME_ROOT automatically;" + echo " optional if they are set explicitly)" + echo "REPO_NAME - the name of the OpenJDK repository" + echo " (needed to compute REPO_ROOT automatically;" + echo " optional if REPO_ROOT is set explicitly)" + echo "OPENJDK_URL - the URL to retrieve code from" + echo " (defaults to ${OPENJDK_URL_DEFAULT})" + echo "COMPRESSION - the compression type to use" + echo " (defaults to ${COMPRESSION_DEFAULT})" + echo "FILE_NAME_ROOT - name of the archive, minus extensions" + echo " (defaults to PROJECT_NAME-VERSION)" + echo "REPO_ROOT - the location of the Git repository to archive" + echo " (defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)" + echo "TO_COMPRESS - what part of clone to pack" + echo " (defaults to ${VERSION})" + echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" + echo " (defaults to packaged JDK version)" + echo "WITH_TEMP - run in a temporary directory" + echo " (defaults to disabled)" + echo "OPENJDK_LATEST - deduce VERSION from most recent upstream tag" + echo " (implies WITH_TEMP, computes everything else" + echo " automatically; Note: accesses network to read" + echo " tag list from remote Git repository)" + exit 1; +fi + +if [ "$OPENJDK_LATEST" != "" ] ; then + FEATURE_VERSION=$(echo '%featurever' \ + | rpmspec --shell ./*.spec 2>/dev/null \ + | grep --after-context 1 featurever \ + | tail --lines 1) + PROJECT_NAME=openjdk + REPO_NAME=jdk"${FEATURE_VERSION}"u + # Skip -ga tags since those are the same as the most recent non-ga tag, and + # the non-ga tag is the one that is used to generated the official source + # tarball. For example: + # ca760c86642aa2e0d9b571aaabac054c0239fbdc refs/tags/jdk-17.0.10-ga^{} + # 25a2e6c20c9a96853714284cabc6b456eb095070 refs/tags/jdk-17.0.10-ga + # ca760c86642aa2e0d9b571aaabac054c0239fbdc refs/tags/jdk-17.0.10+7^{} + # e49c5749b10f3e90274b72e9279f794fdd191d27 refs/tags/jdk-17.0.10+7 + VERSION=$(git ls-remote --tags --refs --sort=-version:refname \ + "${OPENJDK_URL_DEFAULT}/${PROJECT_NAME}/${REPO_NAME}.git" \ + "jdk-${FEATURE_VERSION}*" \ + | grep --invert-match '\-ga$' \ + | head --lines 1 | cut --characters 52-) + FILE_NAME_ROOT=open${VERSION} + WITH_TEMP=1 +fi + +if [ "$WITH_TEMP" != "" ] ; then + pushd "$(mktemp --directory --tmpdir temp-generated-source-tarball-XXX)" +fi + +if [ "$VERSION" = "" ] ; then + echo "No VERSION specified" + exit 2 +fi +echo "Version: ${VERSION}" + +NUM_VER=${VERSION##jdk-} +RELEASE_VER=${NUM_VER%%+*} +BUILD_VER=${NUM_VER##*+} +MAJOR_VER=${RELEASE_VER%%.*} +echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}" + +if [ "$BOOT_JDK" = "" ] ; then + echo "No boot JDK specified". + BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk; + echo -n "Checking for ${BOOT_JDK}..."; + if [ -d "${BOOT_JDK}" ] && [ -x "${BOOT_JDK}"/bin/java ] ; then + echo "Boot JDK found at ${BOOT_JDK}"; + else + echo "Not found"; + PREV_VER=$((MAJOR_VER - 1)); + BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk; + echo -n "Checking for ${BOOT_JDK}..."; + if [ -d ${BOOT_JDK} ] && [ -x ${BOOT_JDK}/bin/java ] ; then + echo "Boot JDK found at ${BOOT_JDK}"; + else + echo "Not found"; + exit 4; + fi + fi +else + echo "Boot JDK: ${BOOT_JDK}"; +fi + +if [ "$OPENJDK_URL" = "" ] ; then + OPENJDK_URL=${OPENJDK_URL_DEFAULT} + echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}" +else + echo "OpenJDK URL: ${OPENJDK_URL}" +fi + +if [ "$COMPRESSION" = "" ] ; then + # rhel 5 needs tar.gz + COMPRESSION=${COMPRESSION_DEFAULT} +fi +echo "Creating a tar.${COMPRESSION} archive" + +if [ "$FILE_NAME_ROOT" = "" ] ; then + if [ "$PROJECT_NAME" = "" ] ; then + echo "No PROJECT_NAME specified, needed by FILE_NAME_ROOT" + exit 1 + fi + FILE_NAME_ROOT=${PROJECT_NAME}-${VERSION} + echo "No file name root specified; default to ${FILE_NAME_ROOT}" +fi +if [ "$REPO_ROOT" = "" ] ; then + if [ "$PROJECT_NAME" = "" ] ; then + echo "No PROJECT_NAME specified, needed by REPO_ROOT" + exit 1 + fi + if [ "$REPO_NAME" = "" ] ; then + echo "No REPO_NAME specified, needed by REPO_ROOT" + exit 3 + fi + REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git" + echo "No repository root specified; default to ${REPO_ROOT}" +fi; + +if [ "$TO_COMPRESS" = "" ] ; then + TO_COMPRESS="${VERSION}" + echo "No targets to be compressed specified ; default to ${TO_COMPRESS}" +fi; + +echo -e "Settings:" +echo -e "\tVERSION: ${VERSION}" +echo -e "\tPROJECT_NAME: ${PROJECT_NAME}" +echo -e "\tREPO_NAME: ${REPO_NAME}" +echo -e "\tOPENJDK_URL: ${OPENJDK_URL}" +echo -e "\tCOMPRESSION: ${COMPRESSION}" +echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}" +echo -e "\tREPO_ROOT: ${REPO_ROOT}" +echo -e "\tTO_COMPRESS: ${TO_COMPRESS}" +echo -e "\tBOOT_JDK: ${BOOT_JDK}" +echo -e "\tWITH_TEMP: ${WITH_TEMP}" +echo -e "\tOPENJDK_LATEST: ${OPENJDK_LATEST}" + +if [ -d "${FILE_NAME_ROOT}" ] ; then + echo "Reusing existing ${FILE_NAME_ROOT}" + STAT_TIME="$(stat --format=%Y "${FILE_NAME_ROOT}")" + TAR_TIME="$(date --date=@"${STAT_TIME}" --iso-8601=seconds)" +else + mkdir "${FILE_NAME_ROOT}" + pushd "${FILE_NAME_ROOT}" + echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" + if realpath -q "${REPO_ROOT}"; then + echo "Local path detected; not adding depth argument"; + DEPTH="--"; + else + DEPTH="--depth=1"; + echo "Remote repository detected; adding ${DEPTH}"; + fi + git clone -b "${VERSION}" "${DEPTH}" "${REPO_ROOT}" "${VERSION}" + pushd "${VERSION}" + TAR_TIME="$(git log --max-count 1 --format=%cI)" + popd + popd +fi +pushd "${FILE_NAME_ROOT}" + # Generate .src-rev so build has knowledge of the revision the tarball was + # created from + mkdir build + pushd build + sh "${PWD}"/../"${VERSION}"/configure --with-boot-jdk="${BOOT_JDK}" + make store-source-revision + popd + rm -rf build + + # Remove commit checks + echo "Removing $(find "${VERSION}" -name '.jcheck' -print)" + find "${VERSION}" -name '.jcheck' -print0 | xargs -0 rm -r + + # Remove history and GHA + echo "find ${VERSION} -name '.hgtags'" + find "${VERSION}" -name '.hgtags' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.hgignore'" + find "${VERSION}" -name '.hgignore' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.gitattributes'" + find "${VERSION}" -name '.gitattributes' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.gitignore'" + find "${VERSION}" -name '.gitignore' -exec rm -v '{}' '+' + # Work around some Git objects not having write permissions. + echo "chmod --recursive u+w ${VERSION}/.git" + chmod --recursive u+w "${VERSION}"/.git + echo "find ${VERSION} -name '.git'" + find "${VERSION}" -name '.git' -exec rm -rv '{}' '+' + echo "find ${VERSION} -name '.github'" + find "${VERSION}" -name '.github' -exec rm -rv '{}' '+' + + echo "Compressing remaining forest" + if [ "$COMPRESSION" = "xz" ] ; then + SWITCH=cJf + else + SWITCH=czf + fi + EA_PART="$(awk -F= \ + '/^DEFAULT_PROMOTED_VERSION_PRE/ { if ($2) print "-"$2 }' \ + "${VERSION}"/make/conf/version-numbers.conf)" + TARBALL_NAME=${FILE_NAME_ROOT}${EA_PART}.tar.${COMPRESSION} + XZ_OPT=${XZ_OPT-"-T0"} \ + tar --mtime="${TAR_TIME}" --owner=root --group=root --sort=name \ + --exclude-vcs -$SWITCH "${TARBALL_NAME}" "${TO_COMPRESS}" + mv "${TARBALL_NAME}" .. +popd +if [ "$WITH_TEMP" != "" ] ; then + echo "Tarball is: $(realpath .)/${TARBALL_NAME}" + popd +else + echo -n "Done. You may want to remove the uncompressed version" + echo " - $FILE_NAME_ROOT" +fi + +# Local Variables: +# compile-command: "shellcheck generate_source_tarball.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/get_bundle_versions.sh b/scripts/get_bundle_versions.sh new file mode 100755 index 0000000..dddbee4 --- /dev/null +++ b/scripts/get_bundle_versions.sh @@ -0,0 +1,172 @@ +#!/usr/bin/env sh + +# Copyright (C) 2025 Red Hat, Inc. +# Original written by Antonio Vieiro +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +if [ $# -ne 1 ]; then + echo "Usage: $0 openjdk-root-directory" + exit 1 +fi + +JDKROOT=$1 + +if [ ! -d "${JDKROOT}" ] ; then + echo "${JDKROOT} is not a directory."; + exit 2 +fi + +# Work out the OpenJDK version +# OpenJDK >= 10 has its version in the build machinery +# OpenJDK >= 17 stores it in a new location (JDK-8258246) +VERSION_FILE="${JDKROOT}"/make/conf/version-numbers.conf +printf "Checking for %s..." "${VERSION_FILE}"; +if [ ! -f "${VERSION_FILE}" ] ; then + VERSION_FILE="${JDKROOT}"/make/autoconf/version-numbers + echo "Not found; using old version file ${VERSION_FILE}"; +else + echo "found."; +fi +if [ -e "${VERSION_FILE}" ] ; then + openjdk_version=$(grep '^DEFAULT_VERSION_FEATURE' "${VERSION_FILE}" | cut -d '=' -f 2) +elif [ -e "${JDKROOT}"/jdk/src/java.base/share/classes/java/lang/Object.java ] ; then + openjdk_version=9; +elif [ -e "${JDKROOT}"/common/autoconf ] ; then + openjdk_version=8; +else + openjdk_version=7; +fi +echo "OpenJDK version: ${openjdk_version}"; + +# +# Freetype +# +if [ "${openjdk_version}" -gt 8 ] ; then + FREETYPE=src/java.desktop/share/native/libfreetype/include/freetype/freetype.h + ABS_FREETYPE="${JDKROOT}"/"${FREETYPE}" + if [ ! -f "${ABS_FREETYPE}" ]; then + echo "Freetype header not found!" + exit 2 + fi + FREETYPE_VERSION=$(awk '/#define FREETYPE_MAJOR/ {MAJOR=$3} /#define FREETYPE_MINOR/ {MINOR=$3} /#define FREETYPE_PATCH/ {PATCH=$3} END {printf "%s.%s.%s", MAJOR, MINOR, PATCH}' "${ABS_FREETYPE}") +else + echo "No bundled FreeType on ${openjdk_version}"; +fi + +# giflib +if [ "${openjdk_version}" -gt 8 ] ; then + GIFLIB=src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +else + GIFLIB=jdk/src/share/native/sun/awt/giflib/gif_lib.h +fi +ABS_GIFLIB="${JDKROOT}"/"${GIFLIB}" +if [ ! -f "${ABS_GIFLIB}" ]; then + echo "giflib header not found!" + exit 3 +fi +GIFLIB_VERSION=$(awk '/#define GIFLIB_MAJOR/ {MAJOR=$3} /#define GIFLIB_MINOR/ {MINOR=$3} /#define GIFLIB_RELEASE/ {PATCH=$3} END {printf "%s.%s.%s", MAJOR, MINOR, PATCH}' "${ABS_GIFLIB}") + +# harfbuzz +if [ "${openjdk_version}" -gt 8 ] ; then + HARFBUZZ=src/java.desktop/share/native/libharfbuzz/hb-version.h + ABS_HARFBUZZ="${JDKROOT}/${HARFBUZZ}" + if [ ! -f "${ABS_HARFBUZZ}" ]; then + echo "HarfBuzz header not found!" + exit 4 + fi + HARFBUZZ_VERSION=$(awk '/#define HB_VERSION_MAJOR/ {MAJOR=$3} /#define HB_VERSION_MINOR/ {MINOR=$3} /#define HB_VERSION_MICRO/ {PATCH=$3} END {printf "%s.%s.%s", MAJOR, MINOR, PATCH}' "${ABS_HARFBUZZ}") +else + echo "No HarfBuzz on ${openjdk_version}"; +fi + +# lcms +if [ "${openjdk_version}" -gt 8 ] ; then + LCMS=src/java.desktop/share/native/liblcms/lcms2.h +else + LCMS=jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h +fi +ABS_LCMS="${JDKROOT}"/"${LCMS}" +if [ ! -f "${ABS_LCMS}" ]; then + echo "lcms header not found!" + exit 5 +fi +LCMS_VERSION=$(awk '/#define LCMS_VERSION/ { MAJOR=int($3 / 1000); REST=$3 % 1000; MINOR=int(REST / 10); PATCH=REST % 10; } END {printf "%s.%s.%s", MAJOR, MINOR, PATCH}' "${ABS_LCMS}") + +# jpeg +if [ "${openjdk_version}" -gt 8 ] ; then + JPEG=src/java.desktop/share/native/libjavajpeg/jpeglib.h +else + JPEG=jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h +fi +ABS_JPEG="${JDKROOT}"/"${JPEG}" +if [ ! -f "${ABS_JPEG}" ]; then + echo "jpeg header not found!" + exit 6 +fi +JPEG_VERSION=$(awk '/#define JPEG_LIB_VERSION/ { VERSION=$3; MAJOR=int(VERSION / 10); MINOR=VERSION%10; } END {printf "%s%c", MAJOR, (MINOR+96)}' "${ABS_JPEG}") + +# png +if [ "${openjdk_version}" -gt 8 ] ; then + PNG=src/java.desktop/share/native/libsplashscreen/libpng/png.h +else + PNG=jdk/src/share/native/sun/awt/libpng/png.h +fi +ABS_PNG="${JDKROOT}"/"${PNG}" +if [ ! -f "${ABS_PNG}" ]; then + echo "png header not found!" + exit 7 +fi +PNG_VERSION=$(awk '/#define PNG_LIBPNG_VER_STRING/ { VERSION=$3; gsub("\"", "", VERSION) } END {print VERSION}' "${ABS_PNG}") + +# zlib +if [ "${openjdk_version}" -gt 8 ] ; then + ZLIB=src/java.base/share/native/libzip/zlib/zlib.h +else + ZLIB=jdk/src/share/native/java/util/zip/zlib/zlib.h +fi +ABS_ZLIB="${JDKROOT}"/"${ZLIB}" +if [ ! -f "${ABS_ZLIB}" ]; then + echo "zlib header not found!" + exit 8 +fi +ZLIB_VERSION=$(awk '/#define ZLIB_VERSION/ { VERSION=$3; gsub("\"", "", VERSION) } END {print VERSION}' "${ABS_ZLIB}") + +# Print output +printf "\nRPM definitions:\n" +if [ "${openjdk_version}" -gt 8 ] ; then + echo "# Version in ${FREETYPE}" + echo "Provides: bundled(freetype) = ${FREETYPE_VERSION}" +fi +echo "# Version in ${GIFLIB}" +echo "Provides: bundled(giflib) = ${GIFLIB_VERSION}" +if [ "${openjdk_version}" -gt 8 ] ; then + echo "# Version in ${HARFBUZZ}" + echo "Provides: bundled(harfbuzz) = ${HARFBUZZ_VERSION}" +fi +echo "# Version in ${LCMS}" +echo "Provides: bundled(lcms2) = ${LCMS_VERSION}" +echo "# Version in ${JPEG}" +echo "Provides: bundled(libjpeg) = ${JPEG_VERSION}" +echo "# Version in ${PNG}" +echo "Provides: bundled(libpng) = ${PNG_VERSION}" +echo "# Version in ${ZLIB}" +echo "Provides: bundled(zlib) = ${ZLIB_VERSION}" + +# Local Variables: +# compile-command: "shellcheck get_bundle_versions.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/icedtea_sync.sh b/scripts/icedtea_sync.sh new file mode 100755 index 0000000..3f5cb82 --- /dev/null +++ b/scripts/icedtea_sync.sh @@ -0,0 +1,198 @@ +#!/bin/bash + +# Copyright (C) 2024 Red Hat, Inc. +# Written by Andrew John Hughes . +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +ICEDTEA_USE_VCS=true + +ICEDTEA_VERSION=3.15.0 +ICEDTEA_URL=https://icedtea.classpath.org/download/source +ICEDTEA_SIGNING_KEY=CFDA0F9B35964222 + +ICEDTEA_HG_URL=https://icedtea.classpath.org/hg/icedtea11 +set -e + +RPM_DIR=${PWD} +if [ ! -f "${RPM_DIR}/jconsole.desktop.in" ] ; then + echo "Not in RPM source tree."; + exit 1; +fi + +if test "${TMPDIR}" = ""; then + TMPDIR=/tmp; +fi +WORKDIR=${TMPDIR}/it.sync + +echo "Using working directory ${WORKDIR}" +mkdir "${WORKDIR}" +pushd "${WORKDIR}" + +if test "${WGET}" = ""; then + WGET=$(which wget); + if test "${WGET}" = ""; then + echo "wget not found"; + exit 1; + fi +fi + +if test "${TAR}" = ""; then + TAR=$(which tar) + if test "${TAR}" = ""; then + echo "tar not found"; + exit 2; + fi +fi + +echo "Dependencies:"; +echo -e "\tWGET: ${WGET}"; +echo -e "\tTAR: ${TAR}\n"; + +if test "${ICEDTEA_USE_VCS}" = "true"; then + echo "Mode: Using VCS"; + + if test "${GREP}" = ""; then + GREP=$(which grep); + if test "${GREP}" = ""; then + echo "grep not found"; + exit 3; + fi + fi + + if test "${CUT}" = ""; then + CUT=$(which cut); + if test "${CUT}" = ""; then + echo "cut not found"; + exit 4; + fi + fi + + if test "${TR}" = ""; then + TR=$(which tr); + if test "${TR}" = ""; then + echo "tr not found"; + exit 5; + fi + fi + + if test "${HG}" = ""; then + HG=$(which hg); + if test "${HG}" = ""; then + echo "hg not found"; + exit 6; + fi + fi + + echo "Dependencies:"; + echo -e "\tGREP: ${GREP}"; + echo -e "\tCUT: ${CUT}"; + echo -e "\tTR: ${TR}"; + echo -e "\tHG: ${HG}"; + + echo "Checking out repository from VCS..."; + ${HG} clone ${ICEDTEA_HG_URL} icedtea + + echo "Obtaining version from configure.ac..."; + ROOT_VER=$(${GREP} '^AC_INIT' icedtea/configure.ac|${CUT} -d ',' -f 2|${TR} -d '[][:space:]') + echo "Root version from configure: ${ROOT_VER}"; + + VCS_REV=$(${HG} log -R icedtea --template '{node|short}' -r tip) + echo "VCS revision: ${VCS_REV}"; + + ICEDTEA_VERSION="${ROOT_VER}-${VCS_REV}" + echo "Creating icedtea-${ICEDTEA_VERSION}"; + mkdir "icedtea-${ICEDTEA_VERSION}" + echo "Copying required files from checkout to icedtea-${ICEDTEA_VERSION}"; + # Commented out for now as IcedTea 6's jconsole.desktop.in is outdated + #cp -a icedtea/jconsole.desktop.in ../icedtea-${ICEDTEA_VERSION} + cp -a "${RPM_DIR}/jconsole.desktop.in" "icedtea-${ICEDTEA_VERSION}" + cp -a icedtea/tapset "icedtea-${ICEDTEA_VERSION}" + + rm -rf icedtea +else + echo "Mode: Using tarball"; + + if test "${ICEDTEA_VERSION}" = ""; then + echo "No IcedTea version specified for tarball download."; + exit 3; + fi + + if test "${CHECKSUM}" = ""; then + CHECKSUM=$(which sha256sum) + if test "${CHECKSUM}" = ""; then + echo "sha256sum not found"; + exit 4; + fi + fi + + if test "${PGP}" = ""; then + PGP=$(which gpg) + if test "${PGP}" = ""; then + echo "gpg not found"; + exit 5; + fi + fi + + echo "Dependencies:"; + echo -e "\tCHECKSUM: ${CHECKSUM}"; + echo -e "\tPGP: ${PGP}\n"; + + echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}..."; + if ! gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then + echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed."; + exit 6; + fi + + echo "Downloading IcedTea release tarball..."; + ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz + echo "Downloading IcedTea tarball signature..."; + ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig + echo "Downloading IcedTea tarball checksums..."; + ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256 + + echo "Verifying checksums..."; + ${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256 + + echo "Checking signature..."; + ${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig + + echo "Extracting files..."; + ${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \ + icedtea-${ICEDTEA_VERSION}/tapset \ + icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in + + rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz + rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig + rm -vf icedtea-${ICEDTEA_VERSION}.sha256 +fi + +echo "Replacing desktop files..."; +mv -v "icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in" "${RPM_DIR}" + +echo "Creating new tapset tarball..."; +mv -v "icedtea-${ICEDTEA_VERSION}" openjdk +${TAR} cJf "${RPM_DIR}/tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz" openjdk + +rm -rvf openjdk + +popd +rm -rf "${WORKDIR}" + +# Local Variables: +# compile-command: "shellcheck icedtea_sync.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/openjdk_news.sh b/scripts/openjdk_news.sh new file mode 100755 index 0000000..9574915 --- /dev/null +++ b/scripts/openjdk_news.sh @@ -0,0 +1,114 @@ +#!/bin/bash + +# Copyright (C) 2024 Red Hat, Inc. +# Written by Andrew John Hughes , 2012-2022 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +OLD_RELEASE=$1 +NEW_RELEASE=$2 +REPO=$3 +SUBDIR=$4 +SCRIPT_DIR=$(dirname "${0}") + +if test "${SUBDIR}" = ""; then + echo "No subdirectory specified; using ."; + SUBDIR="."; +fi + +if test "$REPO" = ""; then + echo "No repository specified; using ${PWD}" + REPO=${PWD} +fi + +if test "${TMPDIR}" = ""; then + TMPDIR=/tmp; +fi + +echo "Repository: ${REPO}" + +if [ -e "${REPO}/.git" ] ; then + TYPE=git; +elif [ -e "${REPO}/.hg" ] ; then + TYPE=hg; +else + echo "No Mercurial or Git repository detected."; + exit 1; +fi + +if test "$OLD_RELEASE" = "" || test "$NEW_RELEASE" = ""; then + echo "ERROR: Need to specify old and new release"; + exit 2; +fi + +echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" +rm -f "${TMPDIR}/fixes2" "${TMPDIR}/fixes3" "${TMPDIR}/fixes" +for repos in . $("${SCRIPT_DIR}/discover_trees.sh" "${REPO}"); +do + if test "$TYPE" = "hg"; then + hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R "$REPO/$repos" -G -M "${REPO}/${SUBDIR}" | \ + grep -E '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ + sed 's#^[o:| ]*summary:\W*# - #' >> "${TMPDIR}/fixes2"; + hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R "$REPO/$repos" -G -M "${REPO}/${SUBDIR}" | \ + grep -E '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> "${TMPDIR}/fixes3"; + else + git -C "${REPO}" log --no-merges --pretty=format:%B "${NEW_RELEASE}...${OLD_RELEASE}" -- "${SUBDIR}" |grep -E '^[0-9]{7}' | \ + sed -r 's#^([0-9])# - JDK-\1#' >> "${TMPDIR}/fixes2"; + touch "${TMPDIR}/fixes3" ; # unused + fi +done + +sort "${TMPDIR}/fixes2" "${TMPDIR}/fixes3" > "${TMPDIR}/fixes4" +uniq "${TMPDIR}/fixes4" > "${TMPDIR}/fixes" +rm -f "${TMPDIR}/fixes2" "${TMPDIR}/fixes3" + +if ! [ -s "${TMPDIR}/fixes" ] ; then + echo "Failed to obtain fixes."; + exit 3; +fi + +echo "In ${TMPDIR}/fixes:" +cat "${TMPDIR}/fixes" + +printf "\nChecking for duplicates..."; +if uniq -d "${TMPDIR}/fixes4" | grep 'JDK' > "${TMPDIR}/dupes"; then + printf "found.\nWARNING: Review the following duplicates:\n"; + cat "${TMPDIR}/dupes"; +else + echo "No apparent duplicates."; +fi +rm -f "${TMPDIR}/fixes4"; + +printf "\nChecking for backouts..."; +if grep -i 'backout' "${TMPDIR}/fixes" > "${TMPDIR}/backouts"; then + printf "found.\nWARNING: Review the following backouts:\n" + cat "${TMPDIR}/backouts"; +else + echo "No apparent backouts."; +fi +printf "\nChecking for bundled library updates..."; +if grep -iE ':( \(tz\))? update.*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then + printf "found.\nWARNING: Review the following with respect to bundled provides:\n"; + cat "${TMPDIR}/bundles"; + echo "Compare the output of $(dirname "${0}")/get_bundle_versions.sh with the RPM using the JDK source tree" +else + echo "No apparent library updates."; +fi + +# Local Variables: +# compile-command: "shellcheck openjdk_news.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/sources b/sources new file mode 100644 index 0000000..e87b73d --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 +SHA512 (openjdk-21.0.8+9.tar.xz) = 81be6d151fdca910fbee9ea1a93b20af037d2dbafeb12fa368a6091096a22dcf997cf419bebe0261f016ce0fe1e74acd4fca54ca0840a3d69ad76ae7a1336e4c diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..c912769 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,21 @@ +--- +- hosts: localhost + roles: + - role: standard-test-source + tags: + - always + - role: standard-test-basic + tags: + - classic + - atomic + required_packages: + - java-21-openjdk-devel + tests: + - javaVersion1: + dir: ~ + run: set -ex; useradd franta1; su franta1 -c 'java -version'; + run: set -ex; useradd franta4; su franta4 -c 'javac -version'; + run: ls -l /usr/lib/jvm; + - javaVersion2: + dir: ~ + run: set -ex; useradd franta2; su franta2 -c 'java --version'