From 3fa91db452f2051c8edbbeaa2bd7e7930fe2476d Mon Sep 17 00:00:00 2001 From: tigro Date: Sun, 21 Jan 2024 21:48:00 +0300 Subject: [PATCH] Update to 17.0.10.0.7 --- .gitignore | 2 +- .java-17-openjdk-portable.metadata | 2 + .java-17-openjdk.metadata | 2 - SOURCES/NEWS | 2557 ---------- SOURCES/fips-17u-d63771ea660.patch | 7250 +++++++++++++++++++++++++++ SPECS/java-17-openjdk-portable.spec | 2123 ++++++++ SPECS/java-17-openjdk.spec | 1 - SPECS/java-17-openjdk.spec~c8 | 3512 ------------- 8 files changed, 9376 insertions(+), 6073 deletions(-) create mode 100644 .java-17-openjdk-portable.metadata delete mode 100644 .java-17-openjdk.metadata create mode 100644 SOURCES/fips-17u-d63771ea660.patch create mode 100644 SPECS/java-17-openjdk-portable.spec delete mode 120000 SPECS/java-17-openjdk.spec delete mode 100644 SPECS/java-17-openjdk.spec~c8 diff --git a/.gitignore b/.gitignore index 58b2310..fc81cf7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-17.0.9+9.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz +SOURCES/openjdk-17.0.10+7.tar.xz diff --git a/.java-17-openjdk-portable.metadata b/.java-17-openjdk-portable.metadata new file mode 100644 index 0000000..9588b0b --- /dev/null +++ b/.java-17-openjdk-portable.metadata @@ -0,0 +1,2 @@ +c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz +3bf0901457dc879dcf7cd5068c55d94c0b79ead0 SOURCES/openjdk-17.0.10+7.tar.xz diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata deleted file mode 100644 index 2a092d0..0000000 --- a/.java-17-openjdk.metadata +++ /dev/null @@ -1,2 +0,0 @@ -a58b92201b1d3e26d8375f67708fe2e740cd39eb SOURCES/openjdk-17.0.9+9.tar.xz -c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 3a6ee47..e69de29 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -1,2557 +0,0 @@ -Key: - -JDK-X - https://bugs.openjdk.java.net/browse/JDK-X -CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY - -New in release OpenJDK 17.0.7 (2023-04-18): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk1707 - -* CVEs - - CVE-2023-21930 - - CVE-2023-21937 - - CVE-2023-21938 - - CVE-2023-21939 - - CVE-2023-21954 - - CVE-2023-21967 - - CVE-2023-21968 -* Security fixes - - JDK-8287404: Improve ping times - - JDK-8288436: Improve Xalan supports - - JDK-8294474: Better AES support - - JDK-8295304: Runtime support improvements - - JDK-8296676, JDK-8296622: Improve String platform support - - JDK-8296684: Improve String platform support - - JDK-8296692: Improve String platform support - - JDK-8296832: Improve Swing platform support - - JDK-8297371: Improve UTF8 representation redux - - JDK-8298191: Enhance object reclamation process - - JDK-8298310: Enhance TLS session negotiation - - JDK-8298667: Improved path handling - - JDK-8299129: Enhance NameService lookups -* Other changes - - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion - - JDK-6779701: Wrong defect ID in the code of test LocalRMIServerSocketFactoryTest.java - - JDK-8008243: Zero: Implement fast bytecodes - - JDK-8048190: NoClassDefFoundError omits original ExceptionInInitializerError - - JDK-8065097: [macosx] javax/swing/Popup/TaskbarPositionTest.java fails because Popup is one pixel off - - JDK-8144030: [macosx] test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again) - - JDK-8155246: Throw error if default java.security file is missing - - JDK-8186765: Speed up test sun/net/www/protocol/https/HttpsClient/ProxyAuthTest.java - - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails - - JDK-8195809: [TESTBUG] jps and jcmd -l support for containers is not tested - - JDK-8208077: File.listRoots performance degradation - - JDK-8209935: Test to cover CodeSource.getCodeSigners() - - JDK-8210927: JDB tests do not update source path after doing a redefine class - - JDK-8212961: [TESTBUG] vmTestbase/nsk/stress/jni/ native code cleanup - - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails - - JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java sometimes detect threads+1 connections - - JDK-8230374: maxOutputSize, instead of javatest.maxOutputSize, should be used in TEST.properties - - JDK-8231491: JDI tc02x004 failed again due to wrong # of breakpoints - - JDK-8235297: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java fails intermittent - - JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out after 8 minutes - - JDK-8242115: C2 SATB barriers are not safepoint-safe - - JDK-8244669: convert clhsdb "mem" command from javascript to java - - JDK-8245654: Add Certigna Root CA - - JDK-8251177: [macosx] The text "big" is truncated in JTabbedPane - - JDK-8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" - - JDK-8258512: serviceability/sa/TestJmapCore.java timed out on macOS 10.13.6 - - JDK-8262386: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out - - JDK-8266974: duplicate property key in java.sql.rowset resource bundle - - JDK-8267038: Update IANA Language Subtag Registry to Version 2022-03-02 - - JDK-8270156: Add "randomness" and "stress" keys to JTreg tests which use StressGCM, StressLCM and/or StressIGVN - - JDK-8270476: Make floating-point test infrastructure more lambda and method reference friendly - - JDK-8271471: [IR Framework] Rare occurrence of "" in PrintIdeal/PrintOptoAssembly can let tests fail - - JDK-8271838: AmazonCA.java interop test fails - - JDK-8272702: Resolving URI relative path with no / may lead to incorrect toString - - JDK-8272985: Reference discovery is confused about atomicity and degree of parallelism - - JDK-8273154: Provide a JavadocTester method for non-overlapping, unordered output matching - - JDK-8273410: IR verification framework fails with "Should find method name in validIrRulesMap" - - JDK-8274911: testlibrary_tests/ir_framework/tests/TestIRMatching.java fails with "java.lang.RuntimeException: Should have thrown exception" - - JDK-8275173: testlibrary_tests/ir_framework/tests/TestCheckedTests.java fails after JDK-8274911 - - JDK-8275301: Unify C-heap buffer overrun checks into NMT - - JDK-8275320: NMT should perform buffer overrun checks - - JDK-8275582: Don't purge metaspace mapping lists - - JDK-8275704: Metaspace::contains() should be threadsafe - - JDK-8275843: Random crashes while the UI code is executed - - JDK-8276064: CheckCastPP with raw oop input floats below a safepoint - - JDK-8276086: Increase size of metaspace mappings - - JDK-8277485: Zero: Fix _fast_{i,f}access_0 bytecodes handling - - JDK-8277822: Remove debug-only heap overrun checks in os::malloc and friends - - JDK-8277946: NMT: Remove VM.native_memory shutdown jcmd command option - - JDK-8277990: NMT: Remove NMT shutdown capability - - JDK-8278961: Enable debug logging in java/net/DatagramSocket/SendDatagramToBadAddress.java - - JDK-8279024: Remove javascript references from clhsdb.html - - JDK-8279119: src/jdk.hotspot.agent/doc/index.html file contains references to scripts that no longer exist - - JDK-8279351: [TESTBUG] SADebugDTest.java does not handle "Address already in use" error - - JDK-8279614: The left line of the TitledBorder is not painted on 150 scale factor - - JDK-8280007: Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 - - JDK-8280048: Missing comma in copyright header - - JDK-8280132: Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder - - JDK-8280166: Extend java/lang/instrument/GetObjectSizeIntrinsicsTest.java test cases - - JDK-8280553: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java can fail if GC occurs - - JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption - - JDK-8280784: VM_Cleanup unnecessarily processes all thread oops - - JDK-8280868: LineBodyHandlerTest.java creates and discards too many clients - - JDK-8280889: java/lang/instrument/GetObjectSizeIntrinsicsTest.java fails with -XX:-UseCompressedOops - - JDK-8280896: java/nio/file/Files/probeContentType/Basic.java fails on Windows 11 - - JDK-8281122: [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 - - JDK-8281170: Test jdk/tools/jpackage/windows/WinInstallerIconTest always fails on Windows 11 - - JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java to stop HttpServer cleanly in case of exceptions - - JDK-8282143: Objects.requireNonNull should be ForceInline - - JDK-8282577: ICC_Profile.setData(int, byte[]) invalidates the profile - - JDK-8282771: Create test case for JDK-8262981 - - JDK-8282958: Rendering Issues with Borders on Windows High-DPI systems - - JDK-8283606: Tests may fail with zh locale on MacOS - - JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/thread001 failed due to SocketTimeoutException - - JDK-8283719: java/util/logging/CheckZombieLockTest.java failing intermittently - - JDK-8283870: jdeprscan --help causes an exception when the locale is ja, zh_CN or de - - JDK-8284115: [IR Framework] Compilation is not found due to rare safepoint while dumping PrintIdeal/PrintOptoAssembly - - JDK-8284165: Add pid to process reaper thread name - - JDK-8284524: Create an automated test for JDK-4422362 - - JDK-8284726: Print active locale settings in hs_err reports and in VM.info - - JDK-8284767: Create an automated test for JDK-4422535 - - JDK-8285399: JNI exception pending in awt_GraphicsEnv.c:1432 - - JDK-8285690: CloneableReference subtest should not throw CloneNotSupportedException - - JDK-8285755: JDK-8285093 changed the default for --with-output-sync - - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work - - JDK-8285919: Remove debug printout from JDK-8285093 - - JDK-8285965: TestScenarios.java does not check for "" correctly - - JDK-8286030: Avoid JVM crash when containers share the same /tmp dir - - JDK-8286154: Fix 3rd party notices in test files - - JDK-8286562: GCC 12 reports some compiler warnings - - JDK-8286694: Incorrect argument processing in java launcher - - JDK-8286705: GCC 12 reports use-after-free potential bugs - - JDK-8286707: JFR: Don't commit JFR internal jdk.JavaMonitorWait events - - JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is too strong - - JDK-8286844: com/sun/jdi/RedefineCrossEvent.java failed with 1 threads completed while VM suspended - - JDK-8286873: Improve websocket test execution time - - JDK-8286962: java/net/httpclient/ServerCloseTest.java failed once with ConnectException - - JDK-8287180: Update IANA Language Subtag Registry to Version 2022-08-08 - - JDK-8287217: C2: PhaseCCP: remove not visited nodes, prevent type inconsistency - - JDK-8287491: compiler/jvmci/errors/TestInvalidDebugInfo.java fails new assert: assert((uint)t < T_CONFLICT + 1) failed: invalid type # - - JDK-8287593: ShortResponseBody could be made more resilient to rogue connections - - JDK-8287754: Update jib GNU make dependency on Windows to latest cygwin build - - JDK-8288005: HotSpot build with disabled PCH fails for Windows AArch64 - - JDK-8288130: compiler error with AP and explicit record accessor - - JDK-8288332: Tier1 validate-source fails after 8279614 - - JDK-8288415: java/awt/PopupMenu/PopupMenuLocation.java is unstable in MacOS machines - - JDK-8288854: getLocalGraphicsEnvironment() on for multi-screen setups throws exception NPE - - JDK-8289400: Improve com/sun/jdi/TestScaffold error reporting - - JDK-8289440: Remove vmTestbase/nsk/monitoring/MemoryPoolMBean/isCollectionUsageThresholdExceeded/isexceeded003 from ProblemList.txt - - JDK-8289508: Improve test coverage for XPath Axes: ancestor, ancestor-or-self, preceding, and preceding-sibling - - JDK-8289511: Improve test coverage for XPath Axes: child - - JDK-8289647: AssertionError during annotation processing of record related tests - - JDK-8289948: Improve test coverage for XPath functions: Node Set Functions - - JDK-8290067: Show stack dimensions in UL logging when attaching threads - - JDK-8290083: ResponseBodyBeforeError: AssertionError or SSLException: Unsupported or unrecognized SSL message - - JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension - - JDK-8290322: Optimize Vector.rearrange over byte vectors for AVX512BW targets. - - JDK-8290836: Improve test coverage for XPath functions: String Functions - - JDK-8290837: Improve test coverage for XPath functions: Boolean Functions - - JDK-8290838: Improve test coverage for XPath functions: Number Functions - - JDK-8290850: C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph - - JDK-8290899: java/lang/String/StringRepeat.java test requests too much heap on windows x86 - - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" - - JDK-8291825: java/time/nontestng/java/time/zone/CustomZoneNameTest.java fails if defaultLocale and defaultFormatLocale are different - - JDK-8292033: Move jdk.X509Certificate event logic to JCA layer - - JDK-8292066: Convert TestInputArgument.sh and TestSystemLoadAvg.sh to java version - - JDK-8292159: TYPE_USE annotations on generic type arguments of record components discarded - - JDK-8292177: InitialSecurityProperty JFR event - - JDK-8292285: C2: remove unreachable block after NeverBranch-to-Goto conversion - - JDK-8292297: Fix up loading of override java.security properties file - - JDK-8292328: AccessibleActionsTest.java test instruction for show popup on JLabel did not specify shift key - - JDK-8292443: Weak CAS VarHandle/Unsafe tests should test always-failing cases - - JDK-8292602: ZGC: C2 late barrier analysis uses invalid dominator information - - JDK-8292660: C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly - - JDK-8292780: misc tests failed "assert(false) failed: graph should be schedulable" - - JDK-8292877: java/util/concurrent/atomic/Serial.java uses {Double,Long}Accumulator incorrectly - - JDK-8293000: Review running times of jshell regression tests - - JDK-8293326: jdk/sun/security/tools/jarsigner/compatibility/SignTwice.java slow on Windows - - JDK-8293466: libjsig should ignore non-modifying sigaction calls - - JDK-8293493: Signal Handlers printout should show signal block state - - JDK-8293531: C2: some vectorapi tests fail assert "Not monotonic" with flag -XX:TypeProfileLevel=222 - - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections - - JDK-8293691: converting a defined BasicType value to a string should not crash the VM - - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings - - JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed with "RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG" - - JDK-8293965: Code signing warnings after JDK-8293550 - - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop - - JDK-8294160: misc crash dump improvements - - JDK-8294217: Assertion failure: parsing found no loops but there are some - - JDK-8294310: compare.sh fails on macos after JDK-8293550 - - JDK-8294378: URLPermission constructor exception when using tr locale - - JDK-8294538: missing is_unloading() check in SharedRuntime::fixup_callers_callsite() - - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316 - - JDK-8294580: frame::interpreter_frame_print_on() crashes if free BasicObjectLock exists in frame - - JDK-8294677: chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications - - JDK-8294705: Disable an assertion in test/jdk/java/util/DoubleStreamSums/CompensatedSums.java - - JDK-8294902: Undefined Behavior in C2 regalloc with null references - - JDK-8294947: Use 64bit atomics in patch_verified_entry on x86_64 - - JDK-8294958: java/net/httpclient/ConnectTimeout tests are slow - - JDK-8295000: java/util/Formatter/Basic test cleanup - - JDK-8295066: Folding of loads is broken in C2 after JDK-8242115 - - JDK-8295116: C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead - - JDK-8295211: Fix autoconf 2.71 warning "AC_CHECK_HEADERS: you should use literals" - - JDK-8295413: com/sun/jdi/EATests.java fails with compiler flag -XX:+StressReflectiveCode - - JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD file - - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 - - JDK-8295685: Update Libpng to 1.6.38 - - JDK-8295724: VirtualMachineError: Out of space in CodeCache for method handle intrinsic - - JDK-8295774: Write a test to verify List sends ItemEvent/ActionEvent - - JDK-8295777: java/net/httpclient/ConnectExceptionTest.java should not rely on system resolver - - JDK-8295788: C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" - - JDK-8296136: Use correct register in aarch64_enc_fast_unlock() - - JDK-8296239: ISO 4217 Amendment 174 Update - - JDK-8296329: jar validator doesn't account for minor class file version - - JDK-8296389: C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors - - JDK-8296548: Improve MD5 intrinsic for x86_64 - - JDK-8296611: Problemlist several sun/security tests until JDK-8295343 is resolved - - JDK-8296619: Upgrade jQuery to 3.6.1 - - JDK-8296675: Exclude linux-aarch64 in NSS tests - - JDK-8296878: Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters - - JDK-8296904: Improve handling of macos xcode toolchain - - JDK-8296912: C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 - - JDK-8296924: C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address - - JDK-8297088: Update LCMS to 2.14 - - JDK-8297211: Expensive fillInStackTrace operation in HttpURLConnection.getOutputStream0 when no content-length in response - - JDK-8297259: Bump update version for OpenJDK: jdk-17.0.7 - - JDK-8297264: C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top - - JDK-8297431: [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception - - JDK-8297437: javadoc cannot link to old docs (with old style anchors) - - JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG misses result - NULL check - - JDK-8297489: Modify TextAreaTextEventTest.java as to verify the content change of TextComponent sends TextEvent - - JDK-8297523: Various GetPrimitiveArrayCritical miss result - NULL check - - JDK-8297569: URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 - - JDK-8297642: PhaseIdealLoop::only_has_infinite_loops must detect all loops that never lead to termination - - JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication - - JDK-8297959: Provide better descriptions for some Operating System JFR events - - JDK-8297963: Partially fix string expansion issues in UTIL_DEFUN_NAMED and related macros - - JDK-8298027: Remove SCCS id's from awt jtreg tests - - JDK-8298035: Provide better descriptions for JIT compiler JFR events - - JDK-8298073: gc/metaspace/CompressedClassSpaceSizeInJmapHeap.java causes test task timeout on macosx - - JDK-8298093: improve cleanup and error handling of awt_parseColorModel in awt_parseImage.c - - JDK-8298108: Add a regression test for JDK-8297684 - - JDK-8298129: Let checkpoint event sizes grow beyond u4 limit - - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows - - JDK-8298459: Fix msys2 linking and handling out of tree build directory for source zip creation - - JDK-8298472: AArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options - - JDK-8298527: Cygwin's uname -m returns different string than before - - JDK-8298568: Fastdebug build fails after JDK-8296389 - - JDK-8298588: WebSockets: HandshakeUrlEncodingTest unnecessarily depends on a response body - - JDK-8298649: JFR: RemoteRecordingStream support for checkpoint event sizes beyond u4 - - JDK-8298726: (fs) Change PollingWatchService to record last modified time as FileTime rather than milliseconds - - JDK-8298947: compiler/codecache/MHIntrinsicAllocFailureTest.java fails intermittently - - JDK-8299015: Ensure that HttpResponse.BodySubscribers.ofFile writes all bytes - - JDK-8299018: java/net/httpclient/HttpsTunnelAuthTest.java fails with java.io.IOException: HTTP/1.1 header parser received no bytes - - JDK-8299194: CustomTzIDCheckDST.java may fail at future date - - JDK-8299296: Write a test to verify the components selection sends ItemEvent - - JDK-8299388: java/util/regex/NegativeArraySize.java fails on Alpine and sometimes Windows - - JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java fails on SLES12 ppc64le when testing Memory and Swap Limit - - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - - JDK-8299470: sun/jvm/hotspot/SALauncher.java handling of negative rmiport args - - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java - - JDK-8299497: Usage of constructors of primitive wrapper classes should be avoided in java.desktop API docs - - JDK-8299520: TestPrintXML.java output error messages in case compare fails - - JDK-8299597: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.7 - - JDK-8299657: sun/tools/jhsdb/SAGetoptTest.java fails after 8299470 - - JDK-8299671: Speed up compiler/intrinsics/string/TestStringLatin1IndexOfChar.java - - JDK-8299789: Compilation of gtest causes build to fail if runtime libraries are in different dirs - - JDK-8299957: Enhance error logging in instrument coding with additional jplis_assert_msg - - JDK-8299970: Speed up compiler/arraycopy/TestArrayCopyConjoint.java - - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems - - JDK-8300205: Swing test bug8078268 make latch timeout configurable - - JDK-8300266: Detect Virtualization on Linux aarch64 - - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 - - JDK-8300590: [JVMCI] BytecodeFrame.equals is broken - - JDK-8300642: [17u,11u] Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - - JDK-8300692: GCC 12 reports some compiler warnings in bundled freetype - - JDK-8300751: [17u] Remove duplicate entry in javac.properties - - JDK-8300773: Address the inconsistency between the constant array and pool size - - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns - - JDK-8301342: Prefer ArrayList to LinkedList in LayoutComparator - - JDK-8301397: [11u, 17u] Bump jtreg to fix issue with build JDK 11.0.18 - - JDK-8301760: Fix possible leak in SpNegoContext dispose - - JDK-8301842: JFR: increase checkpoint event size for stacktrace and string pool - - JDK-8302152: Speed up tests with infinite loops, sleep less - - JDK-8302692: [17u] Update GHA Boot JDK to 17.0.6 - - JDK-8302879: doc/building.md update link to jtreg builds - - JDK-8304871: Use default visibility for static library builds - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate -========================================================== -The following root certificate has been added to the cacerts truststore: - -Name: Certigna (Dhimyotis) -Alias Name: certignarootca -Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR - -JDK-8292177: New JFR Event: jdk.InitialSecurityProperty -======================================================= -The initial security properties loaded by the java.security.Security class -are now accessible in the new JFR event, `jdk.InitialSecurityProperty`. - -The event contains two fields: - -* key - the security property key -* value - the corresponding security property value - -The combination of this new event and the existing -`jdk.SecurityPropertyModification` event means that security -properties can now be monitored throughout their lifecycle. - -The initial security properties are now also printed to the standard -error output stream when `-Djava.security.debug=properties` is passed -to the Java virtual machine. - -JDK-8155246: Throw Error If Default java.security File Fails to Load -==================================================================== -A hardcoded set of security properties was used in previous releases -when the `java.security` file could not be loaded. This set of -properties were poorly maintained and it was not obvious to the user -that they were being utilised. This release instead throws an -`InternalError` if the `java.security` file can not be loaded. - -core-libs/java.io: - -JDK-8208077: File::listRoots Changed To Return All Available Drives On Windows -============================================================================== -The `java.io.File.listRoots()` method on Windows systems filtered out disk -drives that could not be accessed or did not have media loaded. The -use of this filtering led to observable performance issues. This release -now returns all available disk drives, unfiltered. - -New in release OpenJDK 17.0.6 (2023-01-17): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk1706 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html - -* CVEs - - CVE-2023-21835 - - CVE-2023-21843 -* Security fixes - - JDK-8286070: Improve UTF8 representation - - JDK-8286496: Improve Thread labels - - JDK-8287411: Enhance DTLS performance - - JDK-8288516: Enhance font creation - - JDK-8289350: Better media supports - - JDK-8293554: Enhanced DH Key Exchanges - - JDK-8293598: Enhance InetAddress address handling - - JDK-8293717: Objective view of ObjectView - - JDK-8293734: Improve BMP image handling - - JDK-8293742: Better Banking of Sounds - - JDK-8295687: Better BMP bounds -* Other changes - - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails - - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails - - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails - - JDK-8029633: Raw inner class constructor ref should not perform diamond inference - - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails - - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled - - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails - - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java - - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java - - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout - - JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails - - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...' - - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" - - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs - - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos - - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos - - JDK-8244670: convert clhsdb "whatis" command from javascript to java - - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives. - - JDK-8255439: System Tray icons get corrupted when Windows scaling changes - - JDK-8256811: Delayed/missed jdwp class unloading events - - JDK-8257722: Improve "keytool -printcert -jarfile" output - - JDK-8262721: Add Tests to verify single iteration loops are properly optimized - - JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) operation - - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint - - JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al - - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java - - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow" - - JDK-8268276: Base64 Decoding optimization for x86 using AVX-512 - - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out - - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" - - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs - - JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512 - - JDK-8269571: NMT should print total malloc bytes and invocation count - - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m) - - JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter - - JDK-8270155: ARM32: Improve register dump in hs_err - - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction - - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns. - - JDK-8270947: AArch64: C1: use zero_words to initialize all objects - - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts - - JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah - - JDK-8271956: AArch64: C1 build failed after JDK-8270947 - - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" - - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 - - JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag - - JDK-8272776: NullPointerException not reported - - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947 - - JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains - - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java - - JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 - - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints - - JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long - - JDK-8273459: Update code segment alignment to 64 bytes - - JDK-8273497: building.md should link to both md and html - - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 - - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 - - JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction - - JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled - - JDK-8273881: Metaspace: test repeated deallocations - - JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java - - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI - - JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high - - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS - - JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java - - JDK-8274527: Minimal VM build fails after JDK-8273459 - - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening - - JDK-8274903: Zero: Support AsyncGetCallTrace - - JDK-8275170: Some jtreg sound tests should be marked with sound keyword - - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList - - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked - - JDK-8275569: Add linux-aarch64 to test-make profiles - - JDK-8276108: Wrong instruction generation in aarch64 backend - - JDK-8276904: Optional.toString() is unnecessarily expensive - - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM" - - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 - - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 - - JDK-8277358: Accelerate CRC32-C - - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check - - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64 - - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64 - - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64 - - JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size - - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode - - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108 - - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" - - JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing) - - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore - - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" - - JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out - - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC - - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails - - JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines - - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes - - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947 - - JDK-8280391: NMT: Correct NMT tag on CollectedHeap - - JDK-8280511: AArch64: Combine shift and negate to a single instruction - - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered - - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object - - JDK-8280872: Reorder code cache segments to improve code density - - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR - - JDK-8280948: Write a regression test for JDK-4659800 - - JDK-8281296: Create a regression test for JDK-4515999 - - JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points - - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores - - JDK-8282276: Problem list failing two Robot Screen Capture tests - - JDK-8282347: AARCH64: Untaken branch in has_negatives stub - - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired - - JDK-8282402: Create a regression test for JDK-4666101 - - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template - - JDK-8282528: AArch64: Incorrect replicate2L_zero rule - - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary - - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 - - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure - - JDK-8282777: Create a Regression test for JDK-4515031 - - JDK-8282857: Create a regression test for JDK-4702690 - - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 - - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup - - JDK-8283298: Make CodeCacheSegmentSize a product flag - - JDK-8283337: Posix signal handler modification warning triggering incorrectly - - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32 - - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name - - JDK-8283999: Update JMH devkit to 1.35 - - JDK-8284533: Improve InterpreterCodelet data footprint - - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction" - - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox - - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X - - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation - - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" - - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently - - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot - - JDK-8285093: Introduce UTIL_ARG_WITH - - JDK-8285305: Create an automated test for JDK-4495286 - - JDK-8285373: Create an automated test for JDK-4702233 - - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" - - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java - - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java - - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox - - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment - - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" - - JDK-8286172: Create an automated test for JDK-4516019 - - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3" - - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable - - JDK-8286452: The array length of testSmallConstArray should be small and const - - JDK-8286460: Remove dependence on JAR filename in CDS tests - - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2 - - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 - - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray - - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows - - JDK-8286872: Refactor add/modify notification icon (TrayIcon) - - JDK-8287011: Improve container information - - JDK-8287076: Document.normalizeDocument() produces different results - - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance - - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path - - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative - - JDK-8287740: NSAccessibilityShowMenuAction not working for text editors - - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile - - JDK-8288132: Update test artifacts in QuoVadis CA interop tests - - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces - - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable - - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding - - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name - - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support - - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output - - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented - - JDK-8289301: P11Cipher should not throw out of bounds exception during padding - - JDK-8289524: Add JFR JIT restart event - - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException - - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https - - JDK-8290207: Missing notice in dom.md - - JDK-8290209: jcup.md missing additional text - - JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier() - - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 - - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure - - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes - - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS - - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" - - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize - - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses - - JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false" - - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM - - JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false - - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 - - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) - - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 - - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath - - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region - - JDK-8292083: Detected container memory limit may exceed physical machine memory - - JDK-8292158: AES-CTR cipher state corruption with AVX-512 - - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out - - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory - - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle - - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update - - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library - - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free - - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h - - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures - - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading - - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java - - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6 - - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform - - JDK-8292903: enhance round_up_power_of_2 assertion output - - JDK-8293010: JDI ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking - - JDK-8293044: C1: Missing access check on non-accessible class - - JDK-8293232: Fix race condition in pkcs11 SessionManager - - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if - - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present - - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint - - JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx - - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts - - JDK-8293550: Optionally add get-task-allow entitlement to macos binaries - - JDK-8293578: Duplicate ldc generated by javac - - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" - - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details - - JDK-8293672: Update freetype md file - - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present - - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception - - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation - - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent - - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 - - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening - - JDK-8293834: Update CLDR data following tzdata 2022c update - - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum - - JDK-8293965: Code signing warnings after JDK-8293550 - - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC - - JDK-8294307: ISO 4217 Amendment 173 Update - - JDK-8294310: compare.sh fails on macos after JDK-8293550 - - JDK-8294357: (tz) Update Timezone Data to 2022d - - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode - - JDK-8294740: Add cgroups keyword to TestDockerBasic.java - - JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md - - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator - - JDK-8295173: (tz) Update Timezone Data to 2022e - - JDK-8295288: Some vm_flags tests associate with a wrong BugID - - JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests - - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp - - JDK-8295419: JFR: Change name of jdk.JitRestart - - JDK-8295429: Update harfbuzz md file - - JDK-8295469: S390X: Optimized builds are broken - - JDK-8295554: Move the "sizecalc.h" to the correct location - - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - - JDK-8295714: GHA ::set-output is deprecated and will be removed - - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - - JDK-8296108: (tz) Update Timezone Data to 2022f - - JDK-8296239: ISO 4217 Amendment 174 Update - - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation - - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - - JDK-8296715: CLDR v42 update for tzdata 2022f - - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect - - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds - - JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value - - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 - - JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes - - JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool - - JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField - - JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod - - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used - - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again - - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java - - JDK-8297309: Memory leak in ShenandoahFullGC - - JDK-8297481: Create a regression test for JDK-4424517 - - JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation - - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run - - JDK-8297656: AArch64: Enable AES/GCM Intrinsics - - JDK-8297804: (tz) Update Timezone Data to 2022g - - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 - - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java - -Notes on individual issues: -=========================== - -client-libs/javax.imageio: - -JDK-8295687: Better BMP bounds -============================== -Loading a linked ICC profile within a BMP image is now disabled by -default. To re-enable it, set the new system property -`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property -replaces the old property, -`sun.imageio.plugins.bmp.disableLinkedProfiles`. - -client-libs/javax.sound: - -JDK-8293742: Better Banking of Sounds -===================================== -Previously, the SoundbankReader implementation, -`com.sun.media.sound.JARSoundbankReader`, would download a JAR -soundbank from a URL. This behaviour is now disabled by default. To -re-enable it, set the new system property `jdk.sound.jarsoundbank` to -`true`. - -security-libs/java.security: - -JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set -========================================================================================================== -Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to -hold principals and credentials so that it rejected null -values. Attempts to call add(null), contains(null) or remove(null) -were changed to throw a NullPointerException. - -However, the logout() methods in the LoginModule implementations -within the JDK were not updated to check for null values, which may -occur in the event of a failed login. As a result, a logout() call may -throw a NullPointerException. - -The LoginModule implementations have now been updated with such checks -and an implementation note added to the specification to suggest that -the same change is made in third party modules. Developers of third -party modules are advised to verify that their logout() method does not -throw a NullPointerException. - -security-libs/javax.net.ssl: - -JDK-8287411: Enhance DTLS performance -===================================== -The JDK now exchanges DTLS cookies for all handshakes, new and -resumed. The previous behaviour can be re-enabled by setting the new -system property `jdk.tls.enableDtlsResumeCookie` to `false`. - -New in release OpenJDK 17.0.5 (2022-10-18): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk1705 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html - -* Security fixes - - JDK-8282252: Improve BigInteger/Decimal validation - - JDK-8285662: Better permission resolution - - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions - - JDK-8286511: Improve macro allocation - - JDK-8286519: Better memory handling - - JDK-8286526, CVE-2022-21619: Improve NTLM support - - JDK-8286910, CVE-2022-21624: Improve JNDI lookups - - JDK-8286918, CVE-2022-21628: Better HttpServer service - - JDK-8287446: Enhance icon presentations - - JDK-8288508: Enhance ECDSA usage - - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage - - JDK-8289853: Update HarfBuzz to 4.4.1 - - JDK-8290334: Update FreeType to 2.12.1 -* Other changes - - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider - - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 - - JDK-7131823: bug in GIFImageReader - - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac - - JDK-8028265: Add legacy tz tests to OpenJDK - - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed - - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails - - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java - - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! - - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" - - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. - - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values - - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch - - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues - - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. - - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - - JDK-8240903: Add test to check that jmod hashes are reproducible - - JDK-8254318: Remove .hgtags - - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline - - JDK-8256844: Make NMT late-initializable - - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" - - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class - - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. - - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled" - - JDK-8269039: Disable SHA-1 Signed JARs - - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr - - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections - - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java - - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest - - JDK-8271344: Windows product version issue - - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 - - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData - - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals - - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] - - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) - - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts - - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 - - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms - - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] - - JDK-8274597: Some of the dnd tests time out and fail intermittently - - JDK-8274856: Failing jpackage tests with fastdebug/release build - - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test - - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled - - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold - - JDK-8276837: [macos]: Error when signing the additional launcher - - JDK-8277429: Conflicting jpackage static library name - - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged" - - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable - - JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript - - JDK-8278311: Debian packaging doesn't work - - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS - - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS - - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 - - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 - - JDK-8279622: C2: miscompilation of map pattern as a vector reduction - - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl - - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound - - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed - - JDK-8280863: Update build README to reflect that MSYS2 is supported - - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method - - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism - - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix - - JDK-8281181: Do not use CPU Shares to compute active processor count - - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 - - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) - - JDK-8281535: Create a regression test for JDK-4670051 - - JDK-8281569: Create tests for Frame.setMinimumSize() method - - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting - - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button - - JDK-8281745: Create a regression test for JDK-4514331 - - JDK-8281988: Create a regression test for JDK-4618767 - - JDK-8282007: Assorted enhancements to jpackage testing framework - - JDK-8282046: Create a regression test for JDK-8000326 - - JDK-8282214: Upgrade JQuery to version 3.6.0 - - JDK-8282234: Create a regression test for JDK-4532513 - - JDK-8282280: Update Xerces to Version 2.12.2 - - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access - - JDK-8282343: Create a regression test for JDK-4518432 - - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows - - JDK-8282407: Missing ')' in MacResources.properties - - JDK-8282467: add extra diagnostics for JDK-8268184 - - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler - - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 - - JDK-8282548: Create a regression test for JDK-4330998 - - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc - - JDK-8282640: Create a test for JDK-4740761 - - JDK-8282778: Create a regression test for JDK-4699544 - - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 - - JDK-8282860: Write a regression test for JDK-4164779 - - JDK-8282933: Create a test for JDK-4529616 - - JDK-8282936: Write a regression test for JDK-4615365 - - JDK-8282937: Write a regression test for JDK-4820080 - - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions - - JDK-8283015: Create a test for JDK-4715496 - - JDK-8283087: Create a test or JDK-4715503 - - JDK-8283245: Create a test for JDK-4670319 - - JDK-8283277: ISO 4217 Amendment 171 Update - - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) - - JDK-8283457: [macos] libpng build failures with Xcode13.3 - - JDK-8283493: Create an automated regression test for RFE 4231298 - - JDK-8283507: Create a regression test for RFE 4287690 - - JDK-8283562: JDK-8282306 breaks gtests on zero - - JDK-8283597: [REDO] Invalid generic signature for redefined classes - - JDK-8283621: Write a regression test for CCC4400728 - - JDK-8283623: Create an automated regression test for JDK-4525475 - - JDK-8283624: Create an automated regression test for RFE-4390885 - - JDK-8283712: Create a manual test framework class - - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows - - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test - - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee - - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode - - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 - - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS - - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt - - JDK-8284077: Create an automated test for JDK-4170173 - - JDK-8284294: Create an automated regression test for RFE 4138746 - - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph - - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 - - JDK-8284521: Write an automated regression test for RFE 4371575 - - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception - - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest - - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset - - JDK-8284686: Interval of < 1 ms disables ExecutionSample events - - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice - - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 - - JDK-8284898: Enhance PassFailJFrame - - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization - - JDK-8284950: CgroupV1 detection code should consider memory.swappiness - - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment - - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist - - JDK-8285081: Improve XPath operators count accuracy - - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java - - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity - - JDK-8285380: Fix typos in security - - JDK-8285398: Cache the results of constraint checks - - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test - - JDK-8285693: Create an automated test for JDK-4702199 - - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null - - JDK-8285730: unify _WIN32_WINNT settings - - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 - - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities - - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java - - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe - - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure - - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 - - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes - - JDK-8286277: CDS VerifyError when calling clone() on object array - - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache - - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45] - - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage - - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled - - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect - - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis - - JDK-8286869: unify os::dir_is_empty across posix platforms - - JDK-8286870: Memory leak with RepeatCompilation - - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5 - - JDK-8287073: NPE from CgroupV2Subsystem.getInstance() - - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn - - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller - - JDK-8287113: JFR: Periodic task thread uses period for method sampling events - - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host - - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event - - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver - - JDK-8287366: Improve test failure reporting in GHA - - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number - - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node - - JDK-8287463: JFR: Disable TestDevNull.java on Windows - - JDK-8287663: Add a regression test for JDK-8287073 - - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run - - JDK-8287724: Fix various issues with msys2 - - JDK-8287735: Provide separate event category for dll operations - - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete - - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag - - JDK-8287895: Some langtools tests fail on msys2 - - JDK-8287896: PropertiesTest.sh fail on msys2 - - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows - - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests - - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier - - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs - - JDK-8288003: log events for os::dll_unload - - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic - - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes - - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds - - JDK-8288467: remove memory_operand assert for spilled instructions - - JDK-8288499: Restore cancel-in-progress in GHA - - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... - - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp - - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small - - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 - - JDK-8288992: AArch64: CMN should be handled the same way as CMP - - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible - - JDK-8289147: unify os::infinite_sleep on posix platforms - - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion - - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java - - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc - - JDK-8289486: Improve XSLT XPath operators count efficiency - - JDK-8289549: ISO 4217 Amendment 172 Update - - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl - - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun - - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad - - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter - - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 - - JDK-8289910: unify os::message_box across posix platforms - - JDK-8290000: Bump macOS GitHub actions to macOS 11 - - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC - - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown - - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers - - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" - - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle - - JDK-8290456: remove os::print_statistics() - - JDK-8291595: [17u] Delete files missed in backport of 8269039 - - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr - - JDK-8292579: (tz) Update Timezone Data to 2022c - - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5 - -Notes on individual issues: -=========================== - -core-libs/java.net: - -JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable -=========================================================================== -Two system properties have been added which control the keep alive -behavior of HttpURLConnection in the case where the server does not -specify a keep alive time. Two properties are defined for controlling -connections to servers and proxies separately. They are: - -* `http.keepAlive.time.server` -* `http.keepAlive.time.proxy` - -respectively. More information about them can be found on the -Networking Properties page: -https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. - -security-libs/javax.crypto: - -JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location -===================================================================================== -The Windows KeyStore support in the SunMSCAPI provider has been -expanded to include access to the local machine location. The new -keystore types are: - -* "Windows-MY-LOCALMACHINE" -* "Windows-ROOT-LOCALMACHINE" - -The following keystore types were also added, allowing developers to -make it clear they map to the current user: - -* "Windows-MY-CURRENTUSER" (same as "Windows-MY") -* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") - -JDK-8286918: Better HttpServer service -====================================== -The HttpServer can be optionally configured with a maximum connection -limit by setting the jdk.httpserver.maxConnections system property. A -value of 0 or a negative integer is ignored and considered to -represent no connection limit. In the case of a positive integer -value, any newly accepted connections will be first checked against -the current count of established connections and, if the configured -limit has been reached, then the newly accepted connection will be -closed immediately. - -hotspot/runtime: - -JDK-8281181: CPU Shares Ignored When Computing Active Processor Count -===================================================================== -Previous JDK releases used an incorrect interpretation of the Linux -cgroups parameter "cpu.shares". This might cause the JVM to use fewer -CPUs than available, leading to an under utilization of CPU resources -when the JVM is used inside a container. - -Starting from this JDK release, by default, the JVM no longer -considers "cpu.shares" when deciding the number of threads to be used -by the various thread pools. The `-XX:+UseContainerCpuShares` -command-line option can be used to revert to the previous -behavior. This option is deprecated and may be removed in a future JDK -release. - -security-libs/java.security: - -JDK-8269039: Disabled SHA-1 Signed JARs -======================================= -JARs signed with SHA-1 algorithms are now restricted by default and -treated as if they were unsigned. This applies to the algorithms used -to digest, sign, and optionally timestamp the JAR. It also applies to -the signature and digest algorithms of the certificates in the -certificate chain of the code signer and the Timestamp Authority, and -any CRLs or OCSP responses that are used to verify if those -certificates have been revoked. These restrictions also apply to -signed JCE providers. - -To reduce the compatibility risk for JARs that have been previously -timestamped, there is one exception to this policy: - -- Any JAR signed with SHA-1 algorithms and timestamped prior to - January 01, 2019 will not be restricted. - -This exception may be removed in a future JDK release. To determine if -your signed JARs are affected by this change, run: - -$ jarsigner -verify -verbose -certs` - -on the signed JAR, and look for instances of "SHA1" or "SHA-1" and -"disabled" and a warning that the JAR will be treated as unsigned in -the output. - -For example: - - Signed by "CN="Signer"" - Digest algorithm: SHA-1 (disabled) - Signature algorithm: SHA1withRSA (disabled), 2048-bit key - - WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: - - jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 - -JARs affected by these new restrictions should be replaced or -re-signed with stronger algorithms. - -Users can, *at their own risk*, remove these restrictions by modifying -the `java.security` configuration file (or override it by using the -`java.security.properties` system property) and removing "SHA1 usage -SignedJAR & denyAfter 2019-01-01" from the -`jdk.certpath.disabledAlgorithms` security property and "SHA1 -denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security -property. - -New in release OpenJDK 17.0.4.1 (2022-08-16): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk17041 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt - -* Other changes - - JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1 - - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large - -Notes on individual issues: -=========================== - -hotspot/compiler: - -JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM -============================================================ -Fixes a regression in the C2 JIT compiler which caused the Java -Runtime to crash unpredictably. - -New in release OpenJDK 17.0.4 (2022-07-19): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk1704 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt - -* Security fixes - - JDK-8272243: Improve DER parsing - - JDK-8272249: Better properties of loaded Properties - - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions - - JDK-8277608: Address IP Addressing - - JDK-8281859, CVE-2022-21540: Improve class compilation - - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations - - JDK-8283190: Improve MIDI processing - - JDK-8284370: Improve zlib usage - - JDK-8285407, CVE-2022-34169: Improve Xalan supports -* Other changes - - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn - - JDK-8181571: printing to CUPS fails on mac sandbox app - - JDK-8193682: Infinite loop in ZipOutputStream.close() - - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use - - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test - - JDK-8214733: runtime/8176717/TestInheritFD.java timed out - - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel - - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled - - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode - - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR - - JDK-8255266: Update Public Suffix List to 3c213aa - - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers - - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests - - JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure - - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well - - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL" - - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted - - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL - - JDK-8267163: Rename anonymous loader tests to hidden loader tests - - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo - - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped - - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout - - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) - - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum - - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest - - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs - - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM - - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform - - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message - - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support - - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java - - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree - - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output - - JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled - - JDK-8270797: ShortECDSA.java test is not complete - - JDK-8270837: fix typos in test TestSigParse.java - - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom - - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack - - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code - - JDK-8271302: Regex Test Refresh - - JDK-8272146: Disable Fibonacci test on memory constrained systems - - JDK-8272168: some hotspot runtime/logging tests don't check exit code - - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty - - JDK-8272358: Some tests may fail when executed with other locales than the US - - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 - - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security - - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted - - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" - - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency - - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests - - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302 - - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case - - JDK-8274172: Convert JavadocTester to use NIO - - JDK-8274233: Minor cleanup for ToolBox - - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun - - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines - - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend - - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image - - JDK-8274751: Drag And Drop hangs on Windows - - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed - - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS - - JDK-8274983: C1 optimizes the invocation of private interface methods - - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows - - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty - - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert - - JDK-8275745: Reproducible copyright headers - - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers - - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt - - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win) - - JDK-8276657: XSLT compiler tries to define a class with empty name - - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC - - JDK-8276825: hotspot/runtime/SelectionResolution test errors - - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java - - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary - - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations - - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics - - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive - - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND - - JDK-8277123: jdeps does not report some exceptions correctly - - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories - - JDK-8277166: Data race in jdeps VersionHelper - - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread - - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch - - JDK-8277893: Arraycopy stress tests - - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP - - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge - - JDK-8278014: [vectorapi] Remove test run script - - JDK-8278065: Refactor subclassAudits to use ClassValue - - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method - - JDK-8278472: Invalid value set to CANDIDATEFORM structure - - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" - - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15 - - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date - - JDK-8278794: Infinite loop in DeflaterOutputStream.finish() - - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86 - - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs - - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler - - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638 - - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC - - JDK-8279219: [REDO] C2 crash when allocating array of size too large - - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display - - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! - - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM - - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked - - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism - - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64 - - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java - - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment - - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking - - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores - - JDK-8279668: x86: AVX2 versions of vpxor should be asserted - - JDK-8279822: CI: Constant pool entries in error state are not supported - - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled - - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region - - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos - - JDK-8279958: Provide configure hints for Alpine/apk package managers - - JDK-8280004: DCmdArgument::parse_value() should handle NULL input - - JDK-8280041: Retry loop issues in java.io.ClassCache - - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN - - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized - - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang - - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS - - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor - - JDK-8280600: C2: assert(!had_error) failed: bad dominance - - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. - - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination - - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs - - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint - - JDK-8280940: gtest os.release_multi_mappings_vm is racy - - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range - - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y - - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly - - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64 - - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter - - JDK-8281262: Windows builds in different directories are not fully reproducible - - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly - - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info - - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths - - JDK-8281318: Improve jfr/event/allocation tests reliability - - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working - - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor - - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants - - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/ - - JDK-8281615: Deadlock caused by jdwp agent - - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions - - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature - - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 - - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling - - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder - - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway - - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1 - - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test - - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads - - JDK-8282225: GHA: Allow one concurrent run per PR only - - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers - - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive - - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert - - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 - - JDK-8282345: handle latest VS2022 in abstract_vm_version - - JDK-8282382: Report glibc malloc tunables in error reports - - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale - - JDK-8282444: Module finder incorrectly assumes default file system path-separator character - - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4 - - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output - - JDK-8282551: Properly initialize L32X64MixRandom state - - JDK-8282583: Update BCEL md to include the copyright notice - - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes - - JDK-8282592: C2: assert(false) failed: graph should be schedulable - - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig() - - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap - - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows - - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value - - JDK-8283017: GHA: Workflows break with update release versions - - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails - - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c - - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing - - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize - - JDK-8283315: jrt-fs.jar not always deterministically built - - JDK-8283323: libharfbuzz optimization level results in extreme build times - - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled - - JDK-8283350: (tz) Update Timezone Data to 2022a - - JDK-8283408: Fix a C2 crash when filling arrays with unsafe - - JDK-8283422: Create a new test for JDK-8254790 - - JDK-8283451: C2: assert(_base == Long) failed: Not a Long - - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak - - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info - - JDK-8283641: Large value for CompileThresholdScaling causes assert - - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM - - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate - - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo - - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c - - JDK-8284094: Memory leak in invoker_completeInvokeRequest() - - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 - - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer - - JDK-8284437: Building from different users/workspace is not always deterministic - - JDK-8284458: CodeHeapState::aggregate() leaks blob_name - - JDK-8284507: GHA: Only check test results if testing was not skipped - - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler - - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member - - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2 - - JDK-8284620: CodeBuffer may leak _overflow_arena - - JDK-8284622: Update versions of some Github Actions used in JDK workflow - - JDK-8284661: Reproducible assembly builds without relative linking - - JDK-8284754: print more interesting env variables in hs_err and VM.info - - JDK-8284758: [linux] improve print_container_info - - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping - - JDK-8284866: Add test to JDK-8273056 - - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java - - JDK-8284992: Fix misleading Vector API doc for LSHR operator - - JDK-8285342: Zero build failure with clang due to values not handled in switch - - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id() - - JDK-8285397: JNI exception pending in CUPSfuncs.c:250 - - JDK-8285445: cannot open file "NUL:" - - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 - - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java - - JDK-8285686: Update FreeType to 2.12.0 - - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head - - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head - - JDK-8285728: Alpine Linux build fails with busybox tar - - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols - - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine - - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService - - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java - - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc - - JDK-8286198: [linux] Fix process-memory information - - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources - - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause - - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups - - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk - - JDK-8286855: javac error on invalid jar should only print filename - - JDK-8287109: Distrust.java failed with CertificateExpiredException - - JDK-8287119: Add Distrust.java to ProblemList - - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions - - JDK-8287336: GHA: Workflows break on patch versions - - JDK-8287362: FieldAccessWatch testcase failed on AIX platform - - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows - -Notes on individual issues: -=========================== - -core-libs/java.net: - -JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos -================================================================ -Support has been added for TLS channel binding tokens for -Negotiate/Kerberos authentication over HTTPS through -javax.net.HttpsURLConnection. - -Channel binding tokens are increasingly required as an enhanced form -of security which can mitigate certain kinds of socially engineered, -man in the middle (MITM) attacks. They work by communicating from a -client to a server the client's understanding of the binding between -connection security (as represented by a TLS server cert) and higher -level authentication credentials (such as a username and -password). The server can then detect if the client has been fooled by -a MITM and shutdown the session/connection. - -The feature is controlled through a new system property -`jdk.https.negotiate.cbt` which is described fully at the following -page: - -https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt - -core-libs/java.lang: - -JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder -===================================================================== -ProcessBuilder on Windows is restored to address a regression caused -by JDK-8250568. Previously, an argument to ProcessBuilder that -started with a double-quote and ended with a backslash followed by a -double-quote was passed to a command incorrectly and may cause the -command to fail. For example the argument `"C:\\Program Files\"`, -would be seen by the command with extra double-quotes. This update -restores the long standing behavior that does not treat the backslash -before the final double-quote specially. - - -core-libs/java.util.jar: - -JDK-8278386: Default JDK compressor will be closed when IOException is encountered -================================================================================== -`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods -have been modified to close out the associated default JDK compressor -before propagating a Throwable up the -stack. `ZIPOutputStream.closeEntry()` method has been modified to -close out the associated default JDK compressor before propagating an -IOException, not of type ZipException, up the stack. - -core-libs/java.io: - -JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File -================================================================================================= -The Windows implementation of `java.io.File` allows access to NTFS -Alternate Data Streams (ADS) by default. Such streams have a structure -like “filename:streamname”. A system property `jdk.io.File.enableADS` -has been added to control this behavior. To disable ADS support in -`java.io.File`, the system property `jdk.io.File.enableADS` should be -set to `false` (case ignored). Stricter path checking however prevents -the use of special devices such as `NUL:` - -New in release OpenJDK 17.0.3 (2022-04-19): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk1703 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt - -* Security fixes - - JDK-8269938: Enhance XML processing passes redux - - JDK-8270504, CVE-2022-21426: Better XPath expression handling - - JDK-8272255: Completely handle MIDI files - - JDK-8272261: Improve JFR recording file processing - - JDK-8272588: Enhanced recording parsing - - JDK-8272594: Better record of recordings - - JDK-8274221: More definite BER encodings - - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 - - JDK-8275151, CVE-2022-21443: Improved Object Identification - - JDK-8277227: Better identification of OIDs - - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support - - JDK-8277672, CVE-2022-21434: Better invocation handler handling - - JDK-8278356: Improve file creation - - JDK-8278449: Improve keychain support - - JDK-8278798: Improve supported intrinsic - - JDK-8278805: Enhance BMP image loading - - JDK-8278972, CVE-2022-21496: Improve URL supports - - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo -* Other changes - - JDK-8177814: jdk/editpad is not in jdk TEST.groups - - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 - - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently - - JDK-8225559: assertion error at TransTypes.visitApply - - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful - - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails - - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test - - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1 - - JDK-8251216: Implement MD5 intrinsics on AArch64 - - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" - - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" - - JDK-8263567: gtests don't terminate the VM safely - - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark - - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups - - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it - - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only - - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM - - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file - - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java - - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' - - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error - - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" - - JDK-8270117: Broken jtreg link in "Building the JDK" page - - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor - - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity - - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty - - JDK-8271506: Add ResourceHashtable support for deleting selected entries - - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests - - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories - - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates - - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() - - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication - - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code - - JDK-8272600: (test) Use native "sleep" in Basic.java - - JDK-8272866: java.util.random package summary contains incorrect mixing function in table - - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled - - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt - - JDK-8273277: C2: Move conditional negation into rc_predicate - - JDK-8273341: Update Siphash to version 1.0 - - JDK-8273351: bad tag in jdk.random module-info.java - - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 - - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm - - JDK-8273387: remove some unreferenced gtk-related functions - - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests - - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests - - JDK-8273526: Extend the OSContainer API pids controller with pids.current - - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java - - JDK-8273655: content-types.properties files are missing some common types - - JDK-8273682: Upgrade Jline to 3.20.0 - - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time - - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 - - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions - - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 - - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) - - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes - - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches - - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures - - JDK-8274471: Add support for RSASSA-PSS in OCSP Response - - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root - - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake - - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS - - JDK-8274658: ISO 4217 Amendment 170 Update - - JDK-8274714: Incorrect verifier protected access error message - - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 - - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes - - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler - - JDK-8274935: dumptime_table has stale entry - - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info - - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions - - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime - - JDK-8275586: Zero: Simplify interpreter initialization - - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow - - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault - - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg - - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64 - - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 - - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException - - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock - - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method - - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue - - JDK-8276057: Update JMH devkit to 1.33 - - JDK-8276141: XPathFactory set/getProperty method - - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" - - JDK-8276314: [JVMCI] check alignment of call displacement during code installation - - JDK-8276623: JDK-8275650 accidentally pushed "out" file - - JDK-8276654: element-list order is non deterministic - - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() - - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod - - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content - - JDK-8276841: Add support for Visual Studio 2022 - - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" - - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 - - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 - - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits - - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows - - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for - - JDK-8277383: VM.metaspace optionally show chunk freelist details - - JDK-8277385: Zero: Enable CompactStrings support - - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last - - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop - - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs - - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 - - JDK-8277497: Last column cell in the JTable row is read as empty cell - - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." - - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER - - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad - - JDK-8277795: ldap connection timeout not honoured under contention - - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 - - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording - - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 - - JDK-8278016: Add compiler tests to tier{2,3} - - JDK-8278020: ~13% variation in Renaissance-Scrabble - - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation - - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError - - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' - - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx - - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx - - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup - - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux - - JDK-8278185: Custom JRE cannot find non-ASCII named module inside - - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d - - JDK-8278241: Implement JVM SpinPause on linux-aarch64 - - JDK-8278309: [windows] use of uninitialized OSThread::_state - - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output - - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine - - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec - - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT - - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic - - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column - - JDK-8278604: SwingSet2 table demo does not have accessible description set for images - - JDK-8278627: Shenandoah: TestHeapDump test failed - - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 - - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 - - JDK-8278824: Uneven work distribution when scanning heap roots in G1 - - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob - - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 - - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ - - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t - - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 - - JDK-8279124: VM does not handle SIGQUIT during initialization - - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers - - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest - - JDK-8279379: GHA: Print tests that are in error - - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 - - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it - - JDK-8279445: Update JMH devkit to 1.34 - - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms - - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT - - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition - - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also - - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 - - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 - - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks - - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" - - JDK-8280002: jmap -histo may leak stream - - JDK-8280155: [PPC64, s390] frame size checks are not yet correct - - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 - - JDK-8280414: Memory leak in DefaultProxySelector - - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} - - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames - - JDK-8281460: Let ObjectMonitor have its own NMT category - - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX - - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 - - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character - - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods - - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException - - JDK-8284920: Incorrect Token type causes XPath expression to return empty result - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8274791: Support for RSASSA-PSS in OCSP Response -==================================================== -An OCSP response signed with the RSASSA-PSS algorithm is now supported. - -New in release OpenJDK 17.0.2 (2022-01-18): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk1702 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt - -* Security fixes - - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside - - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization - - JDK-8268488: More valuable DerValues - - JDK-8268494: Better inlining of inlined interfaces - - JDK-8268512: More content for ContentInfo - - JDK-8268813, CVE-2022-21283: Better String matching - - JDK-8269151: Better construction of EncryptedPrivateKeyInfo - - JDK-8269944: Better HTTP transport redux - - JDK-8270386, CVE-2022-21291: Better verification of scan methods - - JDK-8270392, CVE-2022-21293: Improve String constructions - - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps - - JDK-8270492, CVE-2022-21282: Better resolution of URIs - - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management - - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities - - JDK-8270952, CVE-2022-21277: Improve TIFF file handling - - JDK-8271962: Better TrueType font loading - - JDK-8271968: Better canonical naming - - JDK-8271987: Manifest improved manifest entries - - JDK-8272014, CVE-2022-21305: Better array indexing - - JDK-8272026, CVE-2022-21340: Verify Jar Verification - - JDK-8272236, CVE-2022-21341: Improve serial forms for transport - - JDK-8272272: Enhance jcmd communication - - JDK-8272462: Enhance image handling - - JDK-8273290: Enhance sound handling - - JDK-8273756, CVE-2022-21360: Enhance BMP image support - - JDK-8273838, CVE-2022-21365: Enhanced BMP processing - - JDK-8274096, CVE-2022-21366: Improve decoding of image files -* Other changes - - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException - - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing - - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap - - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently - - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream - - JDK-8214761: Bug in parallel Kahan summation implementation - - JDK-8223923: C2: Missing interference with mismatched unsafe accesses - - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir(). - - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name - - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines())) - - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled - - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic - - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol - - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null - - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert - - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream - - JDK-8263375: Support stack watermarks in Zero VM - - JDK-8263773: Reenable German localization for builds at Oracle - - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer - - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer - - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer - - JDK-8264292: Create implementation for NSAccessibilityList protocol peer - - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer - - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer - - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer - - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer - - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer - - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer - - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer - - JDK-8266239: Some duplicated javac command-line options have repeated effect - - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color - - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true - - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl - - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility - - JDK-8267387: Create implementation for NSAccessibilityOutline protocol - - JDK-8267388: Create implementation for NSAccessibilityTable protocol - - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button" - - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs. - - JDK-8268361: Fix the infinite loop in next_line - - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML - - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests - - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler - - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions - - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc - - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type - - JDK-8268893: jcmd to trim the glibc heap - - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition - - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)" - - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783 - - JDK-8269113: Javac throws when compiling switch (null) - - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java - - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException - - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString() - - JDK-8269481: SctpMultiChannel never releases own file descriptor - - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows - - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles - - JDK-8269687: pauth_aarch64.hpp include name is incorrect - - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 - - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts - - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked - - JDK-8270110: Shenandoah: Add test for JDK-8269661 - - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS - - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests - - JDK-8270290: NTLM authentication fails if HEAD request is used - - JDK-8270317: Large Allocation in CipherSuite - - JDK-8270320: JDK-8270110 committed invalid copyright headers - - JDK-8270517: Add Zero support for LoongArch - - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS - - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling - - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file - - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType - - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String - - JDK-8271071: accessibility of a table on macOS lacks cell navigation - - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug - - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h - - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment - - JDK-8271215: Fix data races in G1PeriodicGCTask - - JDK-8271254: javac generates unreachable code when using empty semicolon statement - - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" - - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call - - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes - - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1 - - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop - - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java - - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity - - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. - - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling - - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" - - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions - - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop - - JDK-8271605: Update JMH devkit to 1.32 - - JDK-8271718: Crash when during color transformation the color profile is replaced - - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers - - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest - - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used - - JDK-8271868: Warn user when using mac-sign option with unsigned app-image. - - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18 - - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112 - - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64 - - JDK-8272114: Unused _last_state in osThread_windows - - JDK-8272170: Missing memory barrier when checking active state for regions - - JDK-8272305: several hotspot runtime/modules don't check exit codes - - JDK-8272318: Improve performance of HeapDumpAllTest - - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher - - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes - - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions - - JDK-8272345: macos doesn't check `os::set_boot_path()` result - - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0" - - JDK-8272391: Undeleted debug information - - JDK-8272413: Incorrect num of element count calculation for vector cast - - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong - - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272570: C2: crash in PhaseCFG::global_code_motion - - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272639: jpackaged applications using microphone on mac - - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO - - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit - - JDK-8272783: Epsilon: Refactor tests to improve performance - - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests - - JDK-8272838: Move CriticalJNI tests out of tier1 - - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1 - - JDK-8272850: Drop zapping values in the Zap* option descriptions - - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test - - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag - - JDK-8272859: Javadoc external links should only have feature version number in URL - - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups - - JDK-8272970: Parallelize runtime/InvocationTests/ - - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop - - JDK-8273021: C2: Improve Add and Xor ideal optimizations - - JDK-8273026: Slow LoginContext.login() on multi threading application - - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 - - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert - - JDK-8273176: handle latest VS2019 in abstract_vm_version - - JDK-8273229: Update OS detection code to recognize Windows Server 2022 - - JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash - - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit - - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT - - JDK-8273308: PatternMatchTest.java fails on CI - - JDK-8273314: Add tier4 test groups - - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test - - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory - - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods - - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs - - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 - - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size - - JDK-8273361: InfoOptsTest is failing in tier1 - - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero - - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop - - JDK-8273376: Zero: Disable vtable/itableStub gtests - - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP - - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record - - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} - - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java - - JDK-8273450: Fix the copyright header of SVML files - - JDK-8273451: Remove unreachable return in mutexLocker::wait - - JDK-8273483: Zero: Clear pending JNI exception check in native method handler - - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option - - JDK-8273487: Zero: Handle "zero" variant in runtime tests - - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths - - JDK-8273498: compiler/c2/Test7179138_1.java timed out - - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes - - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure - - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated - - JDK-8273592: Backout JDK-8271868 - - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image. - - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian - - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch - - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests - - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F - - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher - - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease - - JDK-8273695: Safepoint deadlock on VMOperation_lock - - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem - - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly - - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java - - JDK-8273808: Cleanup AddFontsToX11FontPath - - JDK-8273826: Correct Manifest file name and NPE checks - - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out - - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral - - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release() - - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() - - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported - - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds - - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character - - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled - - JDK-8273968: JCK javax_xml tests fail in CI - - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects - - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM - - JDK-8274083: Update testing docs to mention tiered testing - - JDK-8274087: Windows DLL path not set correctly. - - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition - - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC - - JDK-8274215: Remove globalsignr2ca root from 17.0.2 - - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86 - - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp - - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated - - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160 - - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m - - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern - - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" - - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile - - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU - - JDK-8274381: missing CAccessibility definitions in JNI code - - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread - - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API - - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" - - JDK-8274407: (tz) Update Timezone Data to 2021c - - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl - - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b - - JDK-8274468: TimeZoneTest.java fails with tzdata2021b - - JDK-8274501: c2i entry barriers read int as long on AArch64 - - JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected - - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah - - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah - - JDK-8274550: c2i entry barriers read int as long on PPC - - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah - - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test - - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 - - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume. - - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily - - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers - - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform - - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST - - JDK-8274840: Update OS detection code to recognize Windows 11 - - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior - - JDK-8274851: [ppc64] Port zgc to linux on ppc64le - - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) - - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 - - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register - - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag - - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed - - JDK-8275104: IR framework does not handle client VM builds correctly - - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. - - JDK-8275131: Exceptions after a touchpad gesture on macOS - - JDK-8275141: recover corrupted line endings for the version-numbers.conf - - JDK-8275145: file.encoding system property has an incorrect value on Windows - - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges - - JDK-8275302: unexpected compiler error: cast, intersection types and sealed - - JDK-8275426: PretouchTask num_chunks calculation can overflow - - JDK-8275604: Zero: Reformat opclabels_data - - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless - - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem - - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak - - JDK-8275766: (tz) Update Timezone Data to 2021e - - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:] - - JDK-8275811: Incorrect instance to dispose - - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective - - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e - - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings - - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml - - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency - - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance - - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3 - - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly - - JDK-8276112: Inconsistent scalar replacement debug info at safepoints - - JDK-8276122: Change openjdk project in jcheck to jdk-updates - - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme - - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test - - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 - - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point - - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration - - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition - - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 - - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend - - JDK-8276572: Fake libsyslookup.so library causes tooling issues - - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie - - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah - - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager - - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32 - - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1 - - JDK-8276854: Windows GHA builds fail due to broken Cygwin - - JDK-8276864: Update boot JDKs to 17.0.1 in GHA - - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders - - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le - - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes - - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element - - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points - - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] - - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches - - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE - - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint - - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup - -Notes on individual issues: -=========================== - -core-libs/java.io:serialization: - -JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element -========================================================================================= -`java.util.Vector` is updated to correctly report -`ClassNotFoundException that occurs during deserialization using -`java.io.ObjectInputStream.GetField.get(name, object)` when the class -of an element of the Vector is not found. Without this fix, a -`StreamCorruptedException` is thrown that does not provide information -about the missing class. - -security-libs/java.security: - -JDK-8272535: Removed Google's GlobalSign Root Certificate -========================================================= -The following root certificate from Google has been removed from the -`cacerts` keystore: - -Alias Name: globalsignr2ca [jdk] -Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 - -core-libs/java.io: - -JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows -============================================================================ -The initialization of the `file.encoding` system property on non macOS -platforms has been reverted to align with the behavior on or before -JDK 11. This has been an issue especially on Windows where the system -and user's locales are not the same. - -hotspot/gc: - -JDK-8277533: ZGC: Fixed long Process Non-Strong References times -================================================================ -A bug has been fixed that could cause long "Concurrent Process -Non-Strong References" times with ZGC. The bug blocked the GC from -making significant progress, and caused both latency and throughput -issues for the Java application. - -The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g. - -[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms - -core-libs/java.time: - -JDK-8274857: Update Timezone Data to 2021c -=========================================== -IANA Time Zone Database, on which JDK's Date/Time libraries are based, -has been updated to version 2021c -(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note -that with this update, some of the time zone rules prior to the year -1970 have been modified according to the changes which were introduced -with 2021b. For more detail, refer to the announcement of 2021b -(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) - -New in release OpenJDK 17.0.1 (2021-10-19): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt - -* Security fixes - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268205: Enhance DTLS client handshake - - JDK-8268500: Better specified ParameterSpecs - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization -* Other changes - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked - - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations - - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - - JDK-8263531: Remove unused buffer int - - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. - - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms - - JDK-8269297: Bump version numbers for JDK 17.0.1 - - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269882: stack-use-after-scope in NewObjectA - - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible - - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations - - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error - - JDK-8270344: Session resumption errors - - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added - - JDK-8271276: C2: Wrong JVM state used for receiver null check - - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 - - JDK-8271589: fatal error with variable shift count integer rotate operation. - - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java - - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests - - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails - - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled - - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - - JDK-8273358: macOS Monterey does not have the font Times needed by Serif - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. - -New in release OpenJDK 17.0.0 (2021-09-14): -=========================================== -The full list of changes in the interim releases from 11u to 17u can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-12.txt - * https://builds.shipilev.net/backports-monitor/release-notes-13.txt - * https://builds.shipilev.net/backports-monitor/release-notes-14.txt - * https://builds.shipilev.net/backports-monitor/release-notes-15.txt - * https://builds.shipilev.net/backports-monitor/release-notes-16.txt - * https://builds.shipilev.net/backports-monitor/release-notes-17.txt - -Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 12 -through to 17. - -NEW FEATURES -============ - -Language Features -================= - -Switch Expressions -================== -https://openjdk.java.net/jeps/325 -https://openjdk.java.net/jeps/354 -https://openjdk.java.net/jeps/361 - -Extend the `switch` statement so that it can be used as either a -statement or an expression, and that both forms can use either a -"traditional" or "simplified" scoping and control flow behavior. Both -forms can use either traditional `case ... :` labels (with fall -through) or new `case ... ->` labels (with no fall through), with a -further new statement for yielding a value from a `switch` -expression. These changes will simplify everyday coding, and also -prepare the way for the use of pattern matching in `switch`. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 12 & 13 and became final in OpenJDK 14. - -Text Blocks -=========== -https://openjdk.java.net/jeps/355 -https://openjdk.java.net/jeps/368 -https://openjdk.java.net/jeps/378 - -Add text blocks to the Java language. A text block is a multi-line -string literal that avoids the need for most escape sequences, -automatically formats the string in a predictable way, and gives the -developer control over format when desired. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 13 & 14 and became final in OpenJDK 15. - -Pattern Matching for instanceof -=============================== -https://openjdk.java.net/jeps/305 -https://openjdk.java.net/jeps/375 -https://openjdk.java.net/jeps/394 -http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html - -Enhance the Java programming language with pattern matching for the -`instanceof` operator. Pattern matching allows common logic in a -program, namely the conditional extraction of components from objects, -to be expressed more concisely and safely. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Records -======= -https://openjdk.java.net/jeps/359 -https://openjdk.java.net/jeps/384 -https://openjdk.java.net/jeps/395 - -Enhance the Java programming language with records. Records provide a -compact syntax for declaring classes which are transparent holders for -shallowly immutable data. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Sealed Classes -============== -https://openjdk.java.net/jeps/360 -https://openjdk.java.net/jeps/397 -https://openjdk.java.net/jeps/409 -https://cr.openjdk.java.net/~briangoetz/amber/datum.html - -Enhance the Java programming language with sealed classes and -interfaces. Sealed classes and interfaces restrict which other classes -or interfaces may extend or implement them. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 15 & 16 and became final in OpenJDK 17. - -Restore Always-Strict Floating-Point Semantics -============================================== -https://openjdk.java.net/jeps/306 - -Make floating-point operations consistently strict, rather than have -both strict floating-point semantics (`strictfp`) and subtly different -default floating-point semantics. This will restore the original -floating-point semantics to the language and VM, matching the -semantics before the introduction of strict and default floating-point -modes in Java SE 1.2. - -Pattern Matching for switch -=========================== -https://openjdk.java.net/jeps/406 - -Enhance the Java programming language with pattern matching for -`switch` expressions and statements, along with extensions to the -language of patterns. Extending pattern matching to `switch` allows an -expression to be tested against a number of patterns, each with a -specific action, so that complex data-oriented queries can be -expressed concisely and safely. - -This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK -17. - -Library Features -================ - -JVM Constants API -================= -https://openjdk.java.net/jeps/334 - -Introduce an API to model nominal descriptions of key class-file and -run-time artifacts, in particular constants that are loadable from the -constant pool. - -Reimplement the Legacy Socket API -================================= -https://openjdk.java.net/jeps/353 - -Replace the underlying implementation used by the `java.net.Socket` -and `java.net.ServerSocket` APIs with a simpler and more modern -implementation that is easy to maintain and debug. The new -implementation will be easy to adapt to work with user-mode threads, -a.k.a. fibers, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). - -JFR Event Streaming -=================== -https://openjdk.java.net/jeps/349 - -Expose JDK Flight Recorder data for continuous monitoring. - -Non-Volatile Mapped Byte Buffers -================================ -https://openjdk.java.net/jeps/352 - -Add new JDK-specific file mapping modes so that the `FileChannel` API -can be used to create `MappedByteBuffer` instances that refer to -non-volatile memory. - -Helpful NullPointerExceptions -============================= -https://openjdk.java.net/jeps/358 - -Improve the usability of `NullPointerException`s generated by the JVM -by describing precisely which variable was `null`. - -Foreign-Memory Access API -========================= -https://openjdk.java.net/jeps/370 -https://openjdk.java.net/jeps/383 -https://openjdk.java.net/jeps/393 - -Introduce an API to allow Java programs to safely and efficiently -access foreign memory outside of the Java heap. - -This was a incubation feature (https://openjdk.java.net/jeps/11) in -OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory -API in OpenJDK 17 (see below). - -Edwards-Curve Digital Signature Algorithm (EdDSA) -================================================= -https://openjdk.java.net/jeps/339 - -Implement cryptographic signatures using the Edwards-Curve Digital -Signature Algorithm (EdDSA) as described by RFC 8032 -(https://tools.ietf.org/html/rfc8032). - -Hidden Classes -============== -https://openjdk.java.net/jeps/371 - -Introduce hidden classes, which are classes that cannot be used -directly by the bytecode of other classes. Hidden classes are intended -for use by frameworks that generate classes at run time and use them -indirectly, via reflection. A hidden class may be defined as a member -of an access control nest (https://openjdk.java.net/jeps/181), and may -be unloaded independently of other classes. - -Reimplement the Legacy DatagramSocket API -========================================= -https://openjdk.java.net/jeps/373 - -Replace the underlying implementations of the -`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with -simpler and more modern implementations that are easy to maintain and -debug. The new implementations will be easy to adapt to work with -virtual threads, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). This is a follow-on to JEP -353 (see above), which already reimplemented the legacy Socket API. - -Vector API -========== -https://openjdk.java.net/jeps/338 -https://openjdk.java.net/jeps/414 - -Provide an initial iteration of an incubator module, -`jdk.incubator.vector`, to express vector computations that reliably -compile at runtime to optimal vector hardware instructions on -supported CPU architectures and thus achieve superior performance to -equivalent scalar computations. - -This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16. - -Unix-Domain Socket Channels -=========================== -https://openjdk.java.net/jeps/380 - -Add Unix-domain (`AF_UNIX`) socket support to the socket channel and -server-socket channel APIs in the `java.nio.channels` package. Extend -the inherited channel mechanism to support Unix-domain socket channels -and server socket channels. - -Foreign Linker API (Incubator) -============================== -https://openjdk.java.net/jeps/389 - -Introduce an API that offers statically-typed, pure-Java access to -native code. This API, together with the Foreign-Memory API (see -above), will considerably simplify the otherwise error-prone process -of binding to a native library. - -This was an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16, now superseded by the Foreign Function & -Memory API in OpenJDK 17 (see below). - -Strongly Encapsulate JDK Internals by Default -============================================= -https://openjdk.java.net/jeps/396 -https://openjdk.java.net/jeps/403 - -Strongly encapsulate all internal elements of the JDK by default, -except for critical internal APIs such as `sun.misc.Unsafe`. It will -no longer be possible to relax the strong encapsulation of internal -elements via a single command-line option, as was possible in OpenJDK -9 through 16. - -Enhanced Pseudo-Random Number Generators -======================================== -https://openjdk.java.net/jeps/356 - -Provide new interface types and implementations for pseudo-random -number generators (PRNGs), including jumpable PRNGs and an additional -class of splittable PRNG algorithms (LXM). - -Foreign Function & Memory API -============================= -https://openjdk.java.net/jeps/412 - -Introduce an API by which Java programs can interoperate with code and -data outside of the Java runtime. By efficiently invoking foreign -functions (i.e., code outside the JVM), and by safely accessing -foreign memory (i.e., memory not managed by the JVM), the API enables -Java programs to call native libraries and process native data without -the brittleness and danger of JNI. - -This API is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 17, and is an evolution of the Foreign Memory -Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK -16) (see above). - -Context-Specific Deserialization Filters -======================================== -https://openjdk.java.net/jeps/415 - -Allow applications to configure context-specific and -dynamically-selected deserialization filters via a JVM-wide filter -factory that is invoked to select a filter for each individual -deserialization operation. - -Tools -===== - -Packaging Tool -============== -https://openjdk.java.net/jeps/343 -https://openjdk.java.net/jeps/392 - -Provide the `jpackage` tool, for packaging self-contained Java -applications. - -JVM Features -============ - -Shenandoah: A Low-Pause-Time Garbage Collector -============================================== -https://openjdk.java.net/jeps/189 -https://openjdk.java.net/jeps/379 - -Add a new garbage collection (GC) algorithm named Shenandoah which -reduces GC pause times by doing evacuation work concurrently with the -running Java threads. Pause times with Shenandoah are independent of -heap size, meaning you will have the same consistent pause times -whether your heap is 200 MB or 200 GB. - -Shenandoah has been provided in Red Hat builds of OpenJDK 8 since -8u131 in April 2017 and in all 11u builds. - -Upstream, it was introduced in OpenJDK 12 as an experimental feature -and became a production feature in OpenJDK 15. It was backported to -OpenJDK 11 with the 11.0.9 release in October 2020. - -Abortable Mixed Collections for G1 -================================== -https://openjdk.java.net/jeps/344 - -Make G1 mixed collections abortable if they might exceed the pause -target. - -Promptly Return Unused Committed Memory from G1 -=============================================== -https://openjdk.java.net/jeps/346 - -Enhance the G1 garbage collector to automatically return Java heap -memory to the operating system when idle. - -Dynamic CDS Archives -==================== -https://openjdk.java.net/jeps/310 -https://openjdk.java.net/jeps/350 - -Extend application class-data sharing to allow the dynamic archiving -of classes at the end of Java application execution. The archived -classes will include all loaded application classes and library -classes that are not present in the default, base-layer CDS archive. - -ZGC: Uncommit Unused Memory (Experimental) -========================================== -https://openjdk.java.net/jeps/351 - -Enhance ZGC to return unused heap memory to the operating system. - -NUMA-Aware Memory Allocation for G1 -=================================== -https://openjdk.java.net/jeps/345 - -Improve G1 performance on large machines by implementing NUMA-aware -memory allocation. - -ZGC on macOS (Experimental) -=========================== -https://openjdk.java.net/jeps/364 - -Port the ZGC garbage collector to macOS. - -ZGC on Windows (Experimental) -============================= -https://openjdk.java.net/jeps/365 - -Port the ZGC garbage collector to Windows. - -ZGC: A Scalable Low-Latency Garbage Collector (Production) -========================================================== -https://openjdk.java.net/jeps/377 - -Change the Z Garbage Collector from an experimental feature into a -product feature. - -ZGC: Concurrent Thread-Stack Processing -======================================= -https://openjdk.java.net/jeps/376 - -Move ZGC thread-stack processing from safepoints to a concurrent -phase. - -Elastic Metaspace -================= -https://openjdk.java.net/jeps/387 - -Return unused HotSpot class-metadata (i.e., metaspace) memory to the -operating system more promptly, reduce metaspace footprint, and -simplify the metaspace code in order to reduce maintenance costs. - -Ports -===== - -Alpine Linux Port -================= -https://openjdk.java.net/jeps/386 - -Port the JDK to Alpine Linux, and to other Linux distributions that -use musl as their primary C library, on both the x64 and AArch64 -architectures, - -Windows/AArch64 Port -==================== -https://openjdk.java.net/jeps/388 - -Port the JDK to Windows/AArch64. - -New macOS Rendering Pipeline -============================ -https://openjdk.java.net/jeps/382 - -Implement a Java 2D internal rendering pipeline for macOS using the -Apple Metal API as alternative to the existing pipeline, which uses -the deprecated Apple OpenGL API. - -macOS/AArch64 Port -================== -https://openjdk.java.net/jeps/391 - -Port the JDK to macOS/AArch64. - -DEPRECATIONS -============ - -Deprecate the ParallelScavenge + SerialOld GC Combination -========================================================= -https://openjdk.java.net/jeps/366 - -Deprecate the combination of the Parallel Scavenge and Serial Old -garbage collection algorithms. - -Deprecate and Disable Biased Locking -==================================== -https://openjdk.java.net/jeps/374 - -Disable biased locking by default, and deprecate all related -command-line options. - -Warnings for Value-Based Classes -================================ -https://openjdk.java.net/jeps/390 - -Designate the primitive wrapper classes as value-based and deprecate -their constructors for removal, prompting new deprecation -warnings. Provide warnings about improper attempts to synchronize on -instances of any value-based classes in the Java Platform. - -Deprecate the Applet API for Removal -==================================== -https://openjdk.java.net/jeps/398 - -Deprecate the Applet API for removal. It is essentially irrelevant -since all web-browser vendors have either removed support for Java -browser plug-ins or announced plans to do so. - -Deprecate the Security Manager for Removal -========================================== -https://openjdk.java.net/jeps/411 - -Deprecate the Security Manager for removal in a future release. The -Security Manager dates from Java 1.0. It has not been the primary -means of securing client-side Java code for many years, and it has -rarely been used to secure server-side code. To move Java forward, we -intend to deprecate the Security Manager for removal in concert with -the legacy Applet API (see above). . - -REMOVALS -======== - -Remove the Concurrent Mark Sweep (CMS) Garbage Collector -======================================================== -https://openjdk.java.net/jeps/363 - -Remove the Concurrent Mark Sweep (CMS) garbage collector. - -Remove the Pack200 Tools and API -================================ -https://openjdk.java.net/jeps/336 -https://openjdk.java.net/jeps/367 - -Remove the `pack200` and `unpack200` tools, and the `Pack200` API in -the `java.util.jar` package. These tools and API were deprecated for -removal in OpenJDK 11 with the express intent to remove them in a -future release. - -Remove the Nashorn JavaScript Engine -==================================== -https://openjdk.java.net/jeps/372 - -Remove the Nashorn JavaScript script engine and APIs, and the `jjs` -tool. The engine, the APIs, and the tool were deprecated for removal -in OpenJDK 11 with the express intent to remove them in a future -release. - -Remove the Solaris and SPARC Ports -================================== -https://openjdk.java.net/jeps/362 -https://openjdk.java.net/jeps/381 - -Remove the source code and build support for the Solaris/SPARC, -Solaris/x64, and Linux/SPARC ports. These ports were deprecated for -removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381). - -Remove RMI Activation -===================== -https://openjdk.java.net/jeps/385 -https://openjdk.java.net/jeps/407 -https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html - -Remove the Remote Method Invocation (RMI) Activation mechanism, while -preserving the rest of RMI. RMI Activation is an obsolete part of RMI -that has been optional since OpenJDK 8 and was deprecated in OpenJDK -15. - -Remove the Experimental AOT and JIT Compiler -============================================ -https://openjdk.java.net/jeps/410 - -Remove the experimental Java-based ahead-of-time (AOT) and -just-in-time (JIT) compiler. This compiler has seen little use since -its introduction and the effort required to maintain it is -significant. Retain the experimental Java-level JVM compiler -interface (JVMCI) so that developers can continue to use -externally-built versions of the compiler for JIT compilation. \ No newline at end of file diff --git a/SOURCES/fips-17u-d63771ea660.patch b/SOURCES/fips-17u-d63771ea660.patch new file mode 100644 index 0000000..4830fb2 --- /dev/null +++ b/SOURCES/fips-17u-d63771ea660.patch @@ -0,0 +1,7250 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..f48fc7f7e80 +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,87 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) ++ ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index 62db5b16c31..f0bb4333fc9 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index 537c3e3043c..16ad3df6f09 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -841,6 +841,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 4b894eeae4a..51567071aa8 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 5658ff342e5..c8bc5bde1e1 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +index 1fd6230d83b..683e3dd3a8d 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +@@ -25,13 +25,12 @@ + + package com.sun.crypto.provider; + +-import java.util.Arrays; +- + import javax.crypto.SecretKey; + import javax.crypto.spec.SecretKeySpec; +-import javax.crypto.spec.PBEParameterSpec; ++import javax.crypto.spec.PBEKeySpec; + import java.security.*; + import java.security.spec.*; ++import sun.security.util.PBEUtil; + + /** + * This is an implementation of the HMAC algorithms as defined +@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { + */ + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { +- char[] passwdChars; +- byte[] salt = null; +- int iCount = 0; +- if (key instanceof javax.crypto.interfaces.PBEKey) { +- javax.crypto.interfaces.PBEKey pbeKey = +- (javax.crypto.interfaces.PBEKey) key; +- passwdChars = pbeKey.getPassword(); +- salt = pbeKey.getSalt(); // maybe null if unspecified +- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified +- } else if (key instanceof SecretKey) { +- byte[] passwdBytes; +- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || +- (passwdBytes = key.getEncoded()) == null) { +- throw new InvalidKeyException("Missing password"); +- } +- passwdChars = new char[passwdBytes.length]; +- for (int i=0; i attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); + +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 2477027969c..06b1b6c671c 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -33,6 +33,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -57,6 +58,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -74,6 +80,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -97,6 +116,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -117,6 +137,60 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -124,10 +198,9 @@ public final class Security { + props.getProperty(key)); + } + } +- + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..9d26a54f5d4 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index ea28bb8747e..77161eb3844 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -40,6 +40,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -83,6 +84,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -457,4 +459,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index fad70bdc058..29a813a485f 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -152,6 +152,8 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.cryptoki, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..7803e97f7ef 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,89 +99,92 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- attrs.remove("KeySize"); ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + /* + * Key Pair Generator engines + */ +@@ -184,9 +192,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -201,40 +211,42 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- +- /* +- * Digest engines +- */ +- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); +- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index ca79f25cc44..a12fcbbd6e7 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java +new file mode 100644 +index 00000000000..dc8bc72fccb +--- /dev/null ++++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java +@@ -0,0 +1,297 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.util; ++ ++import java.security.AlgorithmParameters; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.Key; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidParameterSpecException; ++import java.util.Arrays; ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++public final class PBEUtil { ++ ++ // Used by SunJCE and SunPKCS11 ++ public final static class PBES2Helper { ++ private int iCount; ++ private byte[] salt; ++ private IvParameterSpec ivSpec; ++ private final int defaultSaltLength; ++ private final int defaultCount; ++ ++ public PBES2Helper(int defaultSaltLength, int defaultCount) { ++ this.defaultSaltLength = defaultSaltLength; ++ this.defaultCount = defaultCount; ++ } ++ ++ public IvParameterSpec getIvSpec() { ++ return ivSpec; ++ } ++ ++ public AlgorithmParameters getAlgorithmParameters( ++ int blkSize, String pbeAlgo, Provider p, SecureRandom random) { ++ AlgorithmParameters params = null; ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if (ivSpec == null) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ PBEParameterSpec pbeSpec = new PBEParameterSpec( ++ salt, iCount, ivSpec); ++ try { ++ params = (p == null) ? ++ AlgorithmParameters.getInstance(pbeAlgo) : ++ AlgorithmParameters.getInstance(pbeAlgo, p); ++ params.init(pbeSpec); ++ } catch (NoSuchAlgorithmException nsae) { ++ // should never happen ++ throw new RuntimeException("AlgorithmParameters for " ++ + pbeAlgo + " not configured"); ++ } catch (InvalidParameterSpecException ipse) { ++ // should never happen ++ throw new RuntimeException("PBEParameterSpec not supported"); ++ } ++ return params; ++ } ++ ++ public PBEKeySpec getPBEKeySpec( ++ int blkSize, int keyLength, int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ ++ if (key == null) { ++ throw new InvalidKeyException("Null key"); ++ } ++ ++ byte[] passwdBytes = key.getEncoded(); ++ char[] passwdChars = null; ++ PBEKeySpec pbeSpec; ++ try { ++ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches( ++ true, 0, "PBE", 0, 3))) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ ++ // TBD: consolidate the salt, ic and IV parameter checks below ++ ++ // Extract salt and iteration count from the key, if present ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt(); ++ if (salt != null && salt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ iCount = ((javax.crypto.interfaces.PBEKey)key) ++ .getIterationCount(); ++ if (iCount == 0) { ++ iCount = defaultCount; ++ } else if (iCount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ } ++ ++ // Extract salt, iteration count and IV from the params, ++ // if present ++ if (params == null) { ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ } else { ++ if (!(params instanceof PBEParameterSpec)) { ++ throw new InvalidAlgorithmParameterException ++ ("Wrong parameter type: PBE expected"); ++ } ++ // salt and iteration count from the params take precedence ++ byte[] specSalt = ((PBEParameterSpec) params).getSalt(); ++ if (specSalt != null && specSalt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ salt = specSalt; ++ int specICount = ((PBEParameterSpec) params) ++ .getIterationCount(); ++ if (specICount == 0) { ++ specICount = defaultCount; ++ } else if (specICount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ iCount = specICount; ++ ++ AlgorithmParameterSpec specParams = ++ ((PBEParameterSpec) params).getParameterSpec(); ++ if (specParams != null) { ++ if (specParams instanceof IvParameterSpec) { ++ ivSpec = (IvParameterSpec)specParams; ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: IV expected"); ++ } ++ } else if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Missing parameter type: IV expected"); ++ } ++ } ++ ++ passwdChars = new char[passwdBytes.length]; ++ for (int i = 0; i < passwdChars.length; i++) ++ passwdChars[i] = (char) (passwdBytes[i] & 0x7f); ++ ++ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength); ++ // password char[] was cloned in PBEKeySpec constructor, ++ // so we can zero it out here ++ } finally { ++ if (passwdChars != null) Arrays.fill(passwdChars, '\0'); ++ if (passwdBytes != null) Arrays.fill(passwdBytes, (byte)0x00); ++ } ++ return pbeSpec; ++ } ++ ++ public static AlgorithmParameterSpec getParameterSpec( ++ AlgorithmParameters params) ++ throws InvalidAlgorithmParameterException { ++ AlgorithmParameterSpec pbeSpec = null; ++ if (params != null) { ++ try { ++ pbeSpec = params.getParameterSpec(PBEParameterSpec.class); ++ } catch (InvalidParameterSpecException ipse) { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: PBE expected"); ++ } ++ } ++ return pbeSpec; ++ } ++ } ++ ++ // Used by SunJCE and SunPKCS11 ++ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ char[] passwdChars; ++ byte[] salt = null; ++ int iCount = 0; ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ javax.crypto.interfaces.PBEKey pbeKey = ++ (javax.crypto.interfaces.PBEKey) key; ++ passwdChars = pbeKey.getPassword(); ++ salt = pbeKey.getSalt(); // maybe null if unspecified ++ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified ++ } else if (key instanceof SecretKey) { ++ byte[] passwdBytes; ++ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || ++ (passwdBytes = key.getEncoded()) == null) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ passwdChars = new char[passwdBytes.length]; ++ for (int i=0; i ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -329,6 +381,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ +diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy +index b22f26947af..02bea84e210 100644 +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; +@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..d3f0bffb821 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,457 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index 39bd783dd25..1146e7f9d80 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; + */ + abstract class P11Key implements Key, Length { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final long serialVersionUID = -2575874101938349339L; + + private static final String PUBLIC = "public"; +@@ -139,9 +144,7 @@ abstract class P11Key implements Key, Length { + this.tokenObject = tokenObject; + this.sensitive = sensitive; + this.extractable = extractable; +- char[] tokenLabel = this.token.tokenInfo.label; +- isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' +- && tokenLabel[2] == 'S'); ++ isNSS = P11Util.isNSS(this.token); + boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && + extractable && !tokenObject); + this.keyIDHolder = new NativeKeyHolder(this, keyID, session, +@@ -395,8 +398,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = (attrs[0].getBoolean() || +- attrs[1].getBoolean() || !attrs[2].getBoolean()); ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && ++ (attrs[0].getBoolean() || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + switch (algorithm) { + case "RSA": +@@ -451,7 +456,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || !extractable || (isNSS && tokenObject)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || !extractable || (isNSS && tokenObject))) { + return null; + } else { + return "RAW"; +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +index ba0b7faf3f8..4840a116b34 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +@@ -29,14 +29,17 @@ import java.nio.ByteBuffer; + + import java.security.*; + import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidKeySpecException; + + import javax.crypto.MacSpi; ++import javax.crypto.spec.PBEKeySpec; + + import sun.nio.ch.DirectBuffer; + + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.util.PBEUtil; + + /** + * MAC implementation class. This class currently supports HMAC using +@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi { + // see JCE spec + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { +- if (params != null) { +- throw new InvalidAlgorithmParameterException +- ("Parameters not supported"); ++ if (algorithm.startsWith("HmacPBE")) { ++ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params); ++ reset(true); ++ try { ++ p11Key = P11SecretKeyFactory.derivePBEKey( ++ token, pbeSpec, algorithm); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ } else { ++ if (params != null) { ++ throw new InvalidAlgorithmParameterException ++ ("Parameters not supported"); ++ } ++ reset(true); ++ p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); + } +- reset(true); +- p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); + try { + initialize(); + } catch (PKCS11Exception e) { +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java +new file mode 100644 +index 00000000000..ae4262703e6 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java +@@ -0,0 +1,200 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.security.AlgorithmParameters; ++import java.security.Key; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.NoSuchAlgorithmException; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidKeySpecException; ++import javax.crypto.BadPaddingException; ++import javax.crypto.CipherSpi; ++import javax.crypto.IllegalBlockSizeException; ++import javax.crypto.NoSuchPaddingException; ++import javax.crypto.ShortBufferException; ++import javax.crypto.spec.PBEKeySpec; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.util.PBEUtil; ++ ++final class P11PBECipher extends CipherSpi { ++ ++ private static final int DEFAULT_SALT_LENGTH = 20; ++ private static final int DEFAULT_COUNT = 4096; ++ ++ private final Token token; ++ private final String pbeAlg; ++ private final P11Cipher cipher; ++ private final int blkSize; ++ private final int keyLen; ++ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper( ++ DEFAULT_SALT_LENGTH, DEFAULT_COUNT); ++ ++ P11PBECipher(Token token, String pbeAlg, long cipherMech) ++ throws PKCS11Exception, NoSuchAlgorithmException { ++ super(); ++ String cipherTrans; ++ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) { ++ cipherTrans = "AES/CBC/PKCS5Padding"; ++ } else { ++ throw new NoSuchAlgorithmException( ++ "Cipher transformation not supported."); ++ } ++ cipher = new P11Cipher(token, cipherTrans, cipherMech); ++ blkSize = cipher.engineGetBlockSize(); ++ assert P11Util.kdfDataMap.get(pbeAlg) != null; ++ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen; ++ this.pbeAlg = pbeAlg; ++ this.token = token; ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineSetMode(String mode) ++ throws NoSuchAlgorithmException { ++ cipher.engineSetMode(mode); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineSetPadding(String padding) ++ throws NoSuchPaddingException { ++ cipher.engineSetPadding(padding); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetBlockSize() { ++ return cipher.engineGetBlockSize(); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetOutputSize(int inputLen) { ++ return cipher.engineGetOutputSize(inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineGetIV() { ++ return cipher.engineGetIV(); ++ } ++ ++ // see JCE spec ++ @Override ++ protected AlgorithmParameters engineGetParameters() { ++ return pbes2Helper.getAlgorithmParameters( ++ blkSize, pbeAlg, null, JCAUtil.getSecureRandom()); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ SecureRandom random) throws InvalidKeyException { ++ try { ++ engineInit(opmode, key, (AlgorithmParameterSpec) null, random); ++ } catch (InvalidAlgorithmParameterException e) { ++ throw new InvalidKeyException("requires PBE parameters", e); ++ } ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, ++ InvalidAlgorithmParameterException { ++ ++ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen, ++ opmode, key, params, random); ++ ++ Key derivedKey; ++ try { ++ derivedKey = P11SecretKeyFactory.derivePBEKey( ++ token, pbeSpec, pbeAlg); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ AlgorithmParameters params, SecureRandom random) ++ throws InvalidKeyException, ++ InvalidAlgorithmParameterException { ++ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params), ++ random); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineUpdate(byte[] input, int inputOffset, ++ int inputLen) { ++ return cipher.engineUpdate(input, inputOffset, inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineUpdate(byte[] input, int inputOffset, ++ int inputLen, byte[] output, int outputOffset) ++ throws ShortBufferException { ++ return cipher.engineUpdate(input, inputOffset, inputLen, ++ output, outputOffset); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineDoFinal(byte[] input, int inputOffset, ++ int inputLen) ++ throws IllegalBlockSizeException, BadPaddingException { ++ return cipher.engineDoFinal(input, inputOffset, inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineDoFinal(byte[] input, int inputOffset, ++ int inputLen, byte[] output, int outputOffset) ++ throws ShortBufferException, IllegalBlockSizeException, ++ BadPaddingException { ++ return cipher.engineDoFinal(input, inputOffset, inputLen, output, ++ outputOffset); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetKeySize(Key key) ++ throws InvalidKeyException { ++ return cipher.engineGetKeySize(key); ++ } ++ ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +index 8d1b8ccb0ae..7ea9b4c5e7f 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.spec.*; + + import javax.crypto.*; ++import javax.crypto.interfaces.PBEKey; + import javax.crypto.spec.*; + + import static sun.security.pkcs11.TemplateManager.*; +@@ -194,6 +195,130 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + return p11Key; + } + ++ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo) ++ throws InvalidKeySpecException { ++ token.ensureValid(); ++ if (keySpec == null) { ++ throw new InvalidKeySpecException("PBEKeySpec must not be null"); ++ } ++ Session session = null; ++ try { ++ session = token.getObjSession(); ++ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo); ++ CK_MECHANISM ckMech; ++ char[] password = keySpec.getPassword(); ++ byte[] salt = keySpec.getSalt(); ++ int itCount = keySpec.getIterationCount(); ++ int keySize = keySpec.getKeyLength(); ++ if (kdfData.keyLen != -1) { ++ if (keySize == 0) { ++ keySize = kdfData.keyLen; ++ } else if (keySize != kdfData.keyLen) { ++ throw new InvalidKeySpecException( ++ "Key length is invalid for " + algo); ++ } ++ } ++ ++ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { ++ CK_INFO p11Info = token.p11.getInfo(); ++ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion ++ : null); ++ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major < ++ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) { ++ // NSS keeps using the old structure beyond PKCS #11 v2.40 ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PKCS5_PBKD2_PARAMS(password, salt, ++ itCount, kdfData.prfMech)); ++ } else { ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PKCS5_PBKD2_PARAMS2(password, salt, ++ itCount, kdfData.prfMech)); ++ } ++ } else { ++ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2) ++ if (P11Util.isNSS(token)) { ++ // According to PKCS #11, "password" in CK_PBE_PARAMS has ++ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded ++ // in UTF-8. However, NSS expects the password to be encoded ++ // as BMPString with a NULL terminator when C_GenerateKey ++ // is called for a PKCS #12 "General Method" derivation ++ // (see RFC 7292, Appendix B.1). ++ // ++ // The char size in Java is 2 bytes. When a char is ++ // converted to a CK_UTF8CHAR, the high-order byte is ++ // discarded (see jCharArrayToCKUTF8CharArray in ++ // p11_util.c). In order to have a BMPString passed to ++ // C_GenerateKey, we need to account for that and expand: ++ // the high and low parts of each char are split into 2 ++ // chars. As an example, this is the transformation for ++ // a NULL terminated password "a": ++ // char[] => [ 0x0061, 0x0000 ] ++ // / \ / \ ++ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000] ++ // | | | | ++ // BMPString => [ 0x00, 0x61, 0x00, 0x00] ++ // ++ int inputLength = (password == null) ? 0 : password.length; ++ char[] expPassword = new char[inputLength * 2 + 2]; ++ for (int i = 0, j = 0; i < inputLength; i++, j += 2) { ++ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF); ++ expPassword[j + 1] = (char) (password[i] & 0xFF); ++ } ++ password = expPassword; ++ } ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PBE_PARAMS(password, salt, itCount)); ++ } ++ ++ long keyType = getKeyType(kdfData.keyAlgo); ++ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[ ++ switch (kdfData.op) { ++ case ENCRYPTION, AUTHENTICATION -> 4; ++ case GENERIC -> 5; ++ }]; ++ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); ++ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3); ++ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); ++ switch (kdfData.op) { ++ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE; ++ case GENERIC -> { ++ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE; ++ } ++ } ++ CK_ATTRIBUTE[] attr = token.getAttributes( ++ O_GENERATE, CKO_SECRET_KEY, keyType, attrs); ++ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr); ++ return (P11Key)P11Key.secretKey( ++ session, keyID, kdfData.keyAlgo, keySize, attr); ++ } catch (PKCS11Exception e) { ++ throw new InvalidKeySpecException("Could not create key", e); ++ } finally { ++ token.releaseSession(session); ++ } ++ } ++ ++ static P11Key derivePBEKey(Token token, PBEKey key, String algo) ++ throws InvalidKeyException { ++ token.ensureValid(); ++ if (key == null) { ++ throw new InvalidKeyException("PBEKey must not be null"); ++ } ++ P11Key p11Key = token.secretCache.get(key); ++ if (p11Key != null) { ++ return p11Key; ++ } ++ try { ++ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(), ++ key.getSalt(), key.getIterationCount()), algo); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ token.secretCache.put(key, p11Key); ++ return p11Key; ++ } ++ + static void fixDESParity(byte[] key, int offset) { + for (int i = 0; i < 8; i++) { + int b = key[offset] & 0xfe; +@@ -320,6 +445,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + keySpec = new SecretKeySpec(keyBytes, "DESede"); + return engineGenerateSecret(keySpec); + } ++ } else if (keySpec instanceof PBEKeySpec) { ++ return (SecretKey)derivePBEKey(token, ++ (PBEKeySpec)keySpec, algorithm); + } + throw new InvalidKeySpecException + ("Unsupported spec: " + keySpec.getClass().getName()); +@@ -373,6 +501,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + // see JCE spec + protected SecretKey engineTranslateKey(SecretKey key) + throws InvalidKeyException { ++ if (key instanceof PBEKey) { ++ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm); ++ } + return (SecretKey)convertKey(token, key, algorithm); + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +index 262cfc062ad..72b64f72c0a 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +@@ -27,6 +27,10 @@ package sun.security.pkcs11; + + import java.math.BigInteger; + import java.security.*; ++import java.util.HashMap; ++import java.util.Map; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * Collection of static utility methods. +@@ -40,10 +44,106 @@ public final class P11Util { + + private static volatile Provider sun, sunRsaSign, sunJce; + ++ // Used by PBE ++ static final class KDFData { ++ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC} ++ public long kdfMech; ++ public long prfMech; ++ public String keyAlgo; ++ public int keyLen; ++ public Operation op; ++ KDFData(long kdfMech, long prfMech, String keyAlgo, ++ int keyLen, Operation op) { ++ this.kdfMech = kdfMech; ++ this.prfMech = prfMech; ++ this.keyAlgo = keyAlgo; ++ this.keyLen = keyLen; ++ this.op = op; ++ } ++ ++ public static void addPbkdf2Data(String algo, long kdfMech, ++ long prfMech) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "Generic", -1, Operation.GENERIC)); ++ } ++ ++ public static void addPbkdf2AesData(String algo, long kdfMech, ++ long prfMech, int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "AES", keyLen, Operation.ENCRYPTION)); ++ } ++ ++ public static void addPkcs12KDData(String algo, long kdfMech, ++ int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, -1, ++ "Generic", keyLen, Operation.AUTHENTICATION)); ++ } ++ } ++ ++ static final Map kdfDataMap = new HashMap<>(); ++ ++ static { ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256); ++ ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512); ++ ++ KDFData.addPkcs12KDData("HmacPBESHA1", ++ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160); ++ KDFData.addPkcs12KDData("HmacPBESHA224", ++ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224); ++ KDFData.addPkcs12KDData("HmacPBESHA256", ++ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256); ++ KDFData.addPkcs12KDData("HmacPBESHA384", ++ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384); ++ KDFData.addPkcs12KDData("HmacPBESHA512", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/224", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/256", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ } ++ + private P11Util() { + // empty + } + ++ static boolean isNSS(Token token) { ++ char[] tokenLabel = token.tokenInfo.label; ++ if (tokenLabel != null && tokenLabel.length >= 3) { ++ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' ++ && tokenLabel[2] == 'S'); ++ } ++ return false; ++ } ++ + static Provider getSunProvider() { + Provider p = sun; + if (p == null) { +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index aa35e8fa668..1855e5631bd 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +- CK_INFO p11Info = p11.C_GetInfo(); ++ CK_INFO p11Info = p11.getInfo(); + if (p11Info.cryptokiVersion.major < 2) { + throw new ProviderException("Only PKCS#11 v2.0 and later " + + "supported, library version is v" + p11Info.cryptokiVersion); +@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider { + final String className; + final List aliases; + final int[] mechanisms; ++ final int[] requiredMechs; + ++ // mechanisms is a list of possible mechanisms that implement the ++ // algorithm, at least one of them must be available. requiredMechs ++ // is a list of auxiliary mechanisms, all of them must be available + private Descriptor(String type, String algorithm, String className, +- List aliases, int[] mechanisms) { ++ List aliases, int[] mechanisms, int[] requiredMechs) { + this.type = type; + this.algorithm = algorithm; + this.className = className; + this.aliases = aliases; + this.mechanisms = mechanisms; ++ this.requiredMechs = requiredMechs; + } + private P11Service service(Token token, int mechanism) { + return new P11Service +@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider { + + private static void d(String type, String algorithm, String className, + int[] m) { +- register(new Descriptor(type, algorithm, className, null, m)); ++ register(new Descriptor(type, algorithm, className, null, m, null)); + } + + private static void d(String type, String algorithm, String className, + List aliases, int[] m) { +- register(new Descriptor(type, algorithm, className, aliases, m)); ++ register(new Descriptor(type, algorithm, className, aliases, m, null)); ++ } ++ ++ private static void d(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, null, m, ++ requiredMechs)); ++ } ++ private static void dA(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, ++ getAliases(algorithm), m, requiredMechs)); + } + + private static void dA(String type, String algorithm, String className, + int[] m) { + register(new Descriptor(type, algorithm, className, +- getAliases(algorithm), m)); ++ getAliases(algorithm), m, null)); + } + + private static void register(Descriptor d) { +@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider { + String P11Cipher = "sun.security.pkcs11.P11Cipher"; + String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; + String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; ++ String P11PBECipher = "sun.security.pkcs11.P11PBECipher"; + String P11Signature = "sun.security.pkcs11.P11Signature"; + String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; + +@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider { + d(MAC, "SslMacSHA1", P11Mac, + m(CKM_SSL3_SHA1_MAC)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBA HMacs ++ * ++ * KeyDerivationMech must be supported ++ * for these services to be available. ++ * ++ */ ++ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC), ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ } ++ + d(KPG, "RSA", P11KeyPairGenerator, + getAliases("PKCS1"), + m(CKM_RSA_PKCS_KEY_PAIR_GEN)); +@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider { + d(SKF, "ChaCha20", P11SecretKeyFactory, + m(CKM_CHACHA20_POLY1305)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Secret Key Factories ++ * ++ * KeyDerivationPrf must be supported for these services ++ * to be available. ++ * ++ */ ++ d(SKF, "PBEWithHmacSHA1AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ d(SKF, "PBEWithHmacSHA1AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ /* ++ * PBA Secret Key Factories ++ */ ++ d(SKF, "HmacPBESHA1", P11SecretKeyFactory, ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(SKF, "HmacPBESHA224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA384", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ /* ++ * PBKDF2 Secret Key Factories ++ */ ++ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ } ++ + // XXX attributes for Ciphers (supported modes, padding) + dA(CIP, "ARCFOUR", P11Cipher, + m(CKM_RC4)); +@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider { + d(CIP, "RSA/ECB/NoPadding", P11RSACipher, + m(CKM_RSA_X_509)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Ciphers ++ * ++ * KeyDerivationMech and KeyDerivationPrf must be supported ++ * for these services to be available. ++ * ++ */ ++ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ } ++ + d(SIG, "RawDSA", P11Signature, + List.of("NONEwithDSA"), + m(CKM_DSA)); +@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider { + if (ds == null) { + continue; + } ++ descLoop: + for (Descriptor d : ds) { + Integer oldMech = supportedAlgs.get(d); + if (oldMech == null) { ++ if (d.requiredMechs != null) { ++ // Check that other mechanisms required for the ++ // service are supported before listing it as ++ // available for the first time. ++ for (int requiredMech : d.requiredMechs) { ++ if (token.getMechanismInfo( ++ requiredMech & 0xFFFFFFFFL) == null) { ++ continue descLoop; ++ } ++ } ++ } + supportedAlgs.put(d, integerMech); + continue; + } +@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (token.isValid() == false) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider { + } else if (algorithm.endsWith("GCM/NoPadding") || + algorithm.startsWith("ChaCha20-Poly1305")) { + return new P11AEADCipher(token, algorithm, mechanism); ++ } else if (algorithm.startsWith("PBE")) { ++ return new P11PBECipher(token, algorithm, mechanism); + } else { + return new P11Cipher(token, algorithm, mechanism); + } +@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index 1f94fe3e18a..99eec2114e4 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + private static final long serialVersionUID = 2541527649100571747L; + +@@ -114,6 +118,10 @@ class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -232,7 +240,12 @@ class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (isLoggedIn(session) == false) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +index 88ff8a71fc3..47a2f97eddf 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS { + } + + /** +- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. ++ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS. + * +- * @return the string representation of CK_PKCS5_PBKD2_PARAMS ++ * @return the string representation of CK_ECDH1_DERIVE_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +index 0c9ebb289c1..b4b2448464d 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +@@ -160,6 +160,18 @@ public class CK_MECHANISM { + init(mechanism, params); + } + ++ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) { ++ init(mechanism, params); ++ } ++ + // For PSS. the parameter may be set multiple times, use the + // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS) + // methods instead of creating yet another constructor +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +index e8b048869c4..a25fa1c39e5 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper; + + + /** +- * class CK_PBE_PARAMS provides all of the necessary information required byte ++ * class CK_PBE_PARAMS provides all the necessary information required by + * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

+ * PKCS#11 structure: + * 

+  * typedef struct CK_PBE_PARAMS {
+- *   CK_CHAR_PTR pInitVector;
+- *   CK_CHAR_PTR pPassword;
++ *   CK_BYTE_PTR pInitVector;
++ *   CK_UTF8CHAR_PTR pPassword;
+  *   CK_ULONG ulPasswordLen;
+- *   CK_CHAR_PTR pSalt;
++ *   CK_BYTE_PTR pSalt;
+  *   CK_ULONG ulSaltLen;
+  *   CK_ULONG ulIteration;
+  * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pInitVector;
++     *   CK_BYTE_PTR pInitVector;
+      * 

+      */
+-    public char[] pInitVector;
++    public byte[] pInitVector;
+ 
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pPassword;
++     *   CK_UTF8CHAR_PTR pPassword;
+      *   CK_ULONG ulPasswordLen;
+      * 

+      */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pSalt
++     *   CK_BYTE_PTR pSalt
+      *   CK_ULONG ulSaltLen;
+      * 

+      */
+-    public char[] pSalt;
++    public byte[] pSalt;
+ 
+     /**
+      * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+      */
+     public long ulIteration;
+ 
++    public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++         this.pPassword = pPassword;
++         this.pSalt = pSalt;
++         this.ulIteration = ulIteration;
++     }
++
+     /**
+      * Returns the string representation of CK_PBE_PARAMS.
+      *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+ 
+ package sun.security.pkcs11.wrapper;
+ 
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
+ /**
+  * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+  * PKCS#11 structure:
+  * 
+  * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+  *   CK_VOID_PTR pSaltSourceData;
+  *   CK_ULONG ulSaltSourceDataLen;
+  *   CK_ULONG iterations;
+  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+  *   CK_VOID_PTR pPrfData;
+  *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG_PTR ulPasswordLen;
+  * } CK_PKCS5_PBKD2_PARAMS;
+  * 

+  *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+      */
+     public byte[] pPrfData;
+ 
++    /**
++     * PKCS#11:
++     * 
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG_PTR ulPasswordLen;
++     * 

++     */
++    public char[] pPassword;
++
++    public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++            long iterations, long prf) {
++        this.pPassword = pPassword;
++        this.pSaltSourceData = pSalt;
++        this.iterations = iterations;
++        this.prf = prf;
++        this.saltSource = CKZ_SALT_SPECIFIED;
++    }
++
+     /**
+      * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+      *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.

++ * PKCS#11 structure:
++ * 
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *   CK_VOID_PTR pSaltSourceData;
++ *   CK_ULONG ulSaltSourceDataLen;
++ *   CK_ULONG iterations;
++ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *   CK_VOID_PTR pPrfData;
++ *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ * 

++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++     * 

++     */
++    public long saltSource;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_VOID_PTR pSaltSourceData;
++     *   CK_ULONG ulSaltSourceDataLen;
++     * 

++     */
++    public byte[] pSaltSourceData;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_ULONG iterations;
++     * 

++     */
++    public long iterations;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++     * 

++     */
++    public long prf;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_VOID_PTR pPrfData;
++     *   CK_ULONG ulPrfDataLen;
++     * 

++     */
++    public byte[] pPrfData;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG ulPasswordLen;
++     * 

++     */
++    public char[] pPassword;
++
++    public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++            long iterations, long prf) {
++        this.pPassword = pPassword;
++        this.pSaltSourceData = pSalt;
++        this.iterations = iterations;
++        this.prf = prf;
++        this.saltSource = CKZ_SALT_SPECIFIED;
++    }
++
++    /**
++     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++     *
++     * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++     */
++    public String toString() {
++        StringBuilder sb = new StringBuilder();
++
++        sb.append(Constants.INDENT);
++        sb.append("saltSource: ");
++        sb.append(saltSource);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("pSaltSourceData: ");
++        sb.append(Functions.toHexString(pSaltSourceData));
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("ulSaltSourceDataLen: ");
++        sb.append(pSaltSourceData.length);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("iterations: ");
++        sb.append(iterations);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("prf: ");
++        sb.append(prf);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("pPrfData: ");
++        sb.append(Functions.toHexString(pPrfData));
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("ulPrfDataLen: ");
++        sb.append(pPrfData.length);
++
++        return sb.toString();
++    }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+     public byte[] pPublicData;
+ 
+     /**
+-     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++     * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+      *
+-     * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++     * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+      */
+     public String toString() {
+         StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..d796aaa3075 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+ 
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+ 
+ import java.security.AccessController;
+@@ -113,6 +116,8 @@ public class PKCS11 {
+ 
+     private long pNativeData;
+ 
++    private volatile CK_INFO pInfo;
++
+     /**
+      * This method does the initialization of the native library. It is called
+      * exactly once for this class.
+@@ -145,23 +150,48 @@ public class PKCS11 {
+      * @postconditions
+      */
+     PKCS11(String pkcs11ModulePath, String functionListName)
+-            throws IOException {
++            throws IOException, PKCS11Exception {
+         connect(pkcs11ModulePath, functionListName);
+         this.pkcs11ModulePath = pkcs11ModulePath;
+     }
+ 
++    /*
++     * Compatibility wrapper to allow this method to work as before
++     * when FIPS mode support is not active.
++     */
++    public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++           String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++           boolean omitInitialize) throws IOException, PKCS11Exception {
++        return getInstance(pkcs11ModulePath, functionList,
++                           pInitArgs, omitInitialize, null, null);
++    }
++
+     public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+             String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+-            boolean omitInitialize) throws IOException, PKCS11Exception {
++            boolean omitInitialize, MethodHandle fipsKeyImporter,
++            MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
+         // we may only call C_Initialize once per native .so/.dll
+         // so keep a cache using the (non-canonicalized!) path
+         PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+         if (pkcs11 == null) {
++            boolean nssFipsMode = fipsKeyImporter != null &&
++                    fipsKeyExporter != null;
+             if ((pInitArgs != null)
+                     && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+-                pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++                if (nssFipsMode) {
++                    pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++                            fipsKeyImporter, fipsKeyExporter);
++                } else {
++                    pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++                }
+             } else {
+-                pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++                if (nssFipsMode) {
++                    pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++                            functionList, fipsKeyImporter, fipsKeyExporter);
++                } else {
++                    pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++                }
+             }
+             if (omitInitialize == false) {
+                 try {
+@@ -179,6 +209,28 @@ public class PKCS11 {
+         return pkcs11;
+     }
+ 
++    /**
++     * Returns the CK_INFO structure fetched at initialization with
++     * C_GetInfo. This structure represent Cryptoki library information.
++     */
++    public CK_INFO getInfo() {
++        CK_INFO lPInfo = pInfo;
++        if (lPInfo == null) {
++            synchronized (this) {
++                lPInfo = pInfo;
++                if (lPInfo == null) {
++                    try {
++                        lPInfo = C_GetInfo();
++                        pInfo = lPInfo;
++                    } catch (PKCS11Exception e) {
++                        // Some PKCS #11 tokens require initialization first.
++                    }
++                }
++            }
++        }
++        return lPInfo;
++    }
++
+     /**
+      * Connects this object to the specified PKCS#11 library. This method is for
+      * internal use only.
+@@ -1625,7 +1677,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+ 
+     SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+-            throws IOException {
++            throws IOException, PKCS11Exception {
+         super(pkcs11ModulePath, functionListName);
+     }
+ 
+@@ -1911,4 +1963,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+         super.C_GenerateRandom(hSession, randomData);
+     }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++    private MethodHandle fipsKeyImporter;
++    private MethodHandle fipsKeyExporter;
++    private MethodHandle hC_GetAttributeValue;
++    FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++            MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
++        super(pkcs11ModulePath, functionListName);
++        this.fipsKeyImporter = fipsKeyImporter;
++        this.fipsKeyExporter = fipsKeyExporter;
++        try {
++            hC_GetAttributeValue = MethodHandles.insertArguments(
++                    MethodHandles.lookup().findSpecial(PKCS11.class,
++                            "C_GetAttributeValue", MethodType.methodType(
++                                    void.class, long.class, long.class,
++                                    CK_ATTRIBUTE[].class),
++                            FIPSPKCS11.class), 0, this);
++        } catch (Throwable t) {
++            throw new RuntimeException(
++                    "sun.security.pkcs11.wrapper.PKCS11" +
++                    "::C_GetAttributeValue method not found.", t);
++        }
++    }
++
++    public long C_CreateObject(long hSession,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        // Creating sensitive key objects from plain key material in a
++        // FIPS-configured NSS Software Token is not allowed. We apply
++        // a key-unwrapping scheme to achieve so.
++        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++            try {
++                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++                        .longValue();
++            } catch (Throwable t) {
++                if (t instanceof PKCS11Exception) {
++                    throw (PKCS11Exception)t;
++                }
++                throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                        t.getMessage());
++            }
++        }
++        return super.C_CreateObject(hSession, pTemplate);
++    }
++
++    public void C_GetAttributeValue(long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++                fipsKeyExporter, hSession, hObject, pTemplate);
++    }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++    private MethodHandle fipsKeyImporter;
++    private MethodHandle fipsKeyExporter;
++    private MethodHandle hC_GetAttributeValue;
++    SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++            MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
++        super(pkcs11ModulePath, functionListName);
++        this.fipsKeyImporter = fipsKeyImporter;
++        this.fipsKeyExporter = fipsKeyExporter;
++        try {
++            hC_GetAttributeValue = MethodHandles.insertArguments(
++                    MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++                            "C_GetAttributeValue", MethodType.methodType(
++                                    void.class, long.class, long.class,
++                                    CK_ATTRIBUTE[].class),
++                            SynchronizedFIPSPKCS11.class), 0, this);
++        } catch (Throwable t) {
++            throw new RuntimeException(
++                    "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++                    "::C_GetAttributeValue method not found.", t);
++        }
++    }
++
++    public synchronized long C_CreateObject(long hSession,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        // See FIPSPKCS11::C_CreateObject.
++        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++            try {
++                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++                        .longValue();
++            } catch (Throwable t) {
++                if (t instanceof PKCS11Exception) {
++                    throw (PKCS11Exception)t;
++                }
++                throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                        t.getMessage());
++            }
++        }
++        return super.C_CreateObject(hSession, pTemplate);
++    }
++
++    public synchronized void C_GetAttributeValue(long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++                fipsKeyExporter, hSession, hObject, pTemplate);
++    }
++}
++
++private static class FIPSPKCS11Helper {
++    static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++        for (CK_ATTRIBUTE attr : pTemplate) {
++            if (attr.type == CKA_CLASS &&
++                    (attr.getLong() == CKO_PRIVATE_KEY ||
++                    attr.getLong() == CKO_SECRET_KEY)) {
++                return true;
++            }
++        }
++        return false;
++    }
++    static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++            MethodHandle fipsKeyExporter, long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        Map sensitiveAttrs = new HashMap<>();
++        List nonSensitiveAttrs = new LinkedList<>();
++        FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++                sensitiveAttrs, nonSensitiveAttrs);
++        try {
++            if (sensitiveAttrs.size() > 0) {
++                long keyClass = -1L;
++                long keyType = -1L;
++                try {
++                    // Secret and private keys have both class and type
++                    // attributes, so we can query them at once.
++                    CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++                            new CK_ATTRIBUTE(CKA_CLASS),
++                            new CK_ATTRIBUTE(CKA_KEY_TYPE),
++                    };
++                    hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++                    keyClass = queryAttrs[0].getLong();
++                    keyType = queryAttrs[1].getLong();
++                } catch (PKCS11Exception e) {
++                    // If the query fails, the object is neither a secret nor a
++                    // private key. As this case won't be handled with the FIPS
++                    // Key Exporter, we keep keyClass initialized to -1L.
++                }
++                if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++                    fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++                            sensitiveAttrs);
++                    if (nonSensitiveAttrs.size() > 0) {
++                        CK_ATTRIBUTE[] pNonSensitiveAttrs =
++                                new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++                        int i = 0;
++                        for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++                            pNonSensitiveAttrs[i++] = nonSensAttr;
++                        }
++                        hC_GetAttributeValue.invoke(hSession, hObject,
++                                pNonSensitiveAttrs);
++                        // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++                        // update the reference on the previous CK_ATTRIBUTEs
++                        i = 0;
++                        for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++                            nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++                        }
++                    }
++                    return;
++                }
++            }
++            hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++        } catch (Throwable t) {
++            if (t instanceof PKCS11Exception) {
++                throw (PKCS11Exception)t;
++            }
++            throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                    t.getMessage());
++        }
++    }
++    private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++            Map sensitiveAttrs,
++            List nonSensitiveAttrs) {
++        for (CK_ATTRIBUTE attr : pTemplate) {
++            long type = attr.type;
++            // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++            if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++                    type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++                    type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++                    type == CKA_COEFFICIENT) {
++                sensitiveAttrs.put(type, attr);
++            } else {
++                nonSensitiveAttrs.add(attr);
++            }
++        }
++    }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index 0d65ee26805..38fd4aff1f3 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+     public static final long  CKD_BLAKE2B_384_KDF      = 0x00000019L;
+     public static final long  CKD_BLAKE2B_512_KDF      = 0x0000001aL;
+ 
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
+-
+-    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
+-
+     public static final long  CK_OTP_VALUE            = 0x00000000L;
+     public static final long  CK_OTP_PIN              = 0x00000001L;
+     public static final long  CK_OTP_CHALLENGE        = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+     public static final long  CKF_HKDF_SALT_KEY    = 0x00000004L;
+     */
+ 
++    // PBKDF2 support, used in P11Util
++    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
++
+     // private NSS attribute (for DSA and DH private keys)
+     public static final long  CKA_NETSCAPE_DB         = 0xD5A0DB00L;
+ 
+     // base number of NSS private attributes
+     public static final long  CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+-                                                      = 0xCE534350L;
++    /*          now known as CKM_NSS ^        */      = 0xCE534350L;
+ 
+     // object type for NSS trust
+     public static final long  CKO_NETSCAPE_TRUST      = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+                                                              = 0xCE534355L;
+     public static final long  CKT_NETSCAPE_VALID             = 0xCE53435AL;
+     public static final long  CKT_NETSCAPE_VALID_DELEGATOR   = 0xCE53435BL;
++
++    // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++    public static final long  CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 29) */ = 0xCE53436DL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 30) */ = 0xCE53436EL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 31) */ = 0xCE53436FL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index d941b574cc7..e2de13648be 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+         case CKM_PBE_SHA1_DES3_EDE_CBC:
+         case CKM_PBE_SHA1_DES2_EDE_CBC:
+         case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++        case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+             ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+             break;
+         case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+     // retrieve java values
+     jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+     if (jPbeParamsClass == NULL) { return NULL; }
+-    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+     if (fieldID == NULL) { return NULL; }
+     jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+-    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ 
+     // populate using java values
+     ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+-    jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++    jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++    jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++    jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+     }
+ }
+ 
++#define PBKD2_PARAM_SET(member, value)                              \
++    do {                                                            \
++        if(ckParamPtr->version == PARAMS) {                         \
++            ckParamPtr->params.v1.member = value;                   \
++        } else {                                                    \
++            ckParamPtr->params.v2.member = value;                   \
++        }                                                           \
++    } while(0)
++
++#define PBKD2_PARAM_ADDR(member)                                    \
++    (                                                               \
++        (ckParamPtr->version == PARAMS) ?                           \
++        (void*) &ckParamPtr->params.v1.member :                     \
++        (void*) &ckParamPtr->params.v2.member                       \
++    )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+  * pointer
+  *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+  * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+  */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+-    CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++    VersionedPbkd2ParamsPtr ckParamPtr;
++    ParamVersion paramVersion;
++    CK_ULONG_PTR pUlPasswordLen;
+     jclass jPkcs5Pbkd2ParamsClass;
+     jfieldID fieldID;
+     jlong jSaltSource, jIteration, jPrf;
+-    jobject jSaltSourceData, jPrfData;
++    jobject jSaltSourceData, jPrfData, jPassword;
+ 
+     if (pLength != NULL) {
+         *pLength = 0L;
+     }
+ 
+     // retrieve java values
+-    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+-    if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++    if ((jPkcs5Pbkd2ParamsClass =
++            (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++            && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++        paramVersion = PARAMS;
++    } else if ((jPkcs5Pbkd2ParamsClass =
++            (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++            && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++        paramVersion = PARAMS2;
++    } else {
++        return NULL;
++    }
+     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+     if (fieldID == NULL) { return NULL; }
+     jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++    fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++    if (fieldID == NULL) { return NULL; }
++    jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+ 
+-    // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+-    ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++    // allocate memory for VersionedPbkd2Params and store the structure version
++    ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+     if (ckParamPtr == NULL) {
+         throwOutOfMemoryError(env, 0);
+         return NULL;
+     }
++    ckParamPtr->version = paramVersion;
+ 
+     // populate using java values
+-    ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+-    jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+-            &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++    PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++    jByteArrayToCKByteArray(env, jSaltSourceData,
++            (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++            PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    ckParamPtr->iterations = jLongToCKULong(jIteration);
+-    ckParamPtr->prf = jLongToCKULong(jPrf);
+-    jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+-            &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++    PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++    PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++    jByteArrayToCKByteArray(env, jPrfData,
++            (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++            PBKD2_PARAM_ADDR(ulPrfDataLen));
++    if ((*env)->ExceptionCheck(env)) {
++        goto cleanup;
++    }
++    if (ckParamPtr->version == PARAMS) {
++        pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++        if (pUlPasswordLen == NULL) {
++            throwOutOfMemoryError(env, 0);
++            goto cleanup;
++        }
++        ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++    } else {
++        pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++    }
++    jCharArrayToCKUTF8CharArray(env, jPassword,
++            (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++            pUlPasswordLen);
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+ 
+     if (pLength != NULL) {
+-        *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++        *pLength = (ckParamPtr->version == PARAMS ?
++            sizeof(ckParamPtr->params.v1) :
++            sizeof(ckParamPtr->params.v2));
+     }
++    // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+     return ckParamPtr;
+ cleanup:
+-    free(ckParamPtr->pSaltSourceData);
+-    free(ckParamPtr->pPrfData);
++    FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+     free(ckParamPtr);
+     return NULL;
+ 
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+                  case CKM_CAMELLIA_CTR:
+                      // params do not contain pointers
+                      break;
++                 case CKM_PKCS5_PBKD2:
++                     // get the versioned structure from behind memory
++                     TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++                             "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++                             "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++                     FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++                     break;
++                 case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++                 case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++                     break;
+                  default:
+                      // currently unsupported mechs by SunPKCS11 provider
+                      // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+                      // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+-                     // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++                     // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+                      // PBE mechs, WTLS mechs, CMS mechs,
+                      // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+                      // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+     jboolean* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+     jbyte* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+     jlong* jTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+     if (jTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+     jchar* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+     jchar* jTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+     if (jTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+ 
+ #define CKA_NETSCAPE_BASE                       (0x80000000 + 0x4E534350)
++/*             ^ now known as CKM_NSS   (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE                 (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH          (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH          (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB                         0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL                 0x80000373
+ 
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 32)
++
+ /*
+ 
+  Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+ 
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+     jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ 
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++    union {
++        CK_PKCS5_PBKD2_PARAMS v1;
++        CK_PKCS5_PBKD2_PARAMS2 v2;
++    } params;
++    ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr)                  \
++    do {                                                            \
++        if ((verParamsPtr)->version == PARAMS) {                    \
++            free((verParamsPtr)->params.v1.pSaltSourceData);        \
++            free((verParamsPtr)->params.v1.pPrfData);               \
++            free((verParamsPtr)->params.v1.pPassword);              \
++            free((verParamsPtr)->params.v1.ulPasswordLen);          \
++        } else {                                                    \
++            free((verParamsPtr)->params.v2.pSaltSourceData);        \
++            free((verParamsPtr)->params.v2.pPrfData);               \
++            free((verParamsPtr)->params.v2.pPassword);              \
++        }                                                           \
++    } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+ 
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+ 
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+ 
+     private static final long serialVersionUID = -2279741672933606418L;
+ 
++    private static final boolean systemFipsEnabled =
++            SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++            .isSystemFipsEnabled();
++
+     private static class ProviderServiceA extends ProviderService {
+         ProviderServiceA(Provider p, String type, String algo, String cn,
+             HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+ 
+         putXDHEntries();
+         putEdDSAEntries();
+-
+-        /*
+-         * Signature engines
+-         */
+-        putService(new ProviderService(this, "Signature",
+-            "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+-            null, ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+-            ATTRS));
+-
+-        putService(new ProviderService(this, "Signature",
+-             "NONEwithECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$RawinP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA1withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA224withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA256withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA384withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA512withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+-        putService(new ProviderService(this, "Signature",
+-             "SHA3-224withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-             "SHA3-256withECDSAinP1363Format",
+-             "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA3-384withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+-        putService(new ProviderService(this, "Signature",
+-            "SHA3-512withECDSAinP1363Format",
+-            "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+-        /*
+-         *  Key Pair Generator engine
+-         */
+-        putService(new ProviderService(this, "KeyPairGenerator",
+-            "EC", "sun.security.ec.ECKeyPairGenerator",
+-            List.of("EllipticCurve"), ATTRS));
+-
+-        /*
+-         * Key Agreement engine
+-         */
+-        putService(new ProviderService(this, "KeyAgreement",
+-            "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++        if (!systemFipsEnabled) {
++            /*
++             * Signature engines
++             */
++            putService(new ProviderService(this, "Signature",
++                "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++                null, ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++                ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++                ATTRS));
++
++            putService(new ProviderService(this, "Signature",
++                 "NONEwithECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$RawinP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA1withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA224withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA256withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA384withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA512withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++            putService(new ProviderService(this, "Signature",
++                 "SHA3-224withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                 "SHA3-256withECDSAinP1363Format",
++                 "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA3-384withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++            putService(new ProviderService(this, "Signature",
++                "SHA3-512withECDSAinP1363Format",
++                "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++            /*
++             *  Key Pair Generator engine
++             */
++            putService(new ProviderService(this, "KeyPairGenerator",
++                "EC", "sun.security.ec.ECKeyPairGenerator",
++                List.of("EllipticCurve"), ATTRS));
++
++            /*
++             * Key Agreement engine
++             */
++            putService(new ProviderService(this, "KeyAgreement",
++                "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++        }
+     }
+ 
+     private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+             "X448", "sun.security.ec.XDHKeyFactory.X448",
+             ATTRS));
+ 
+-        putService(new ProviderService(this, "KeyPairGenerator",
+-            "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+-            ATTRS));
+-
+-        putService(new ProviderService(this, "KeyAgreement",
+-            "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+-        putService(new ProviderServiceA(this, "KeyAgreement",
+-            "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "KeyAgreement",
+-            "X448", "sun.security.ec.XDHKeyAgreement.X448",
+-            ATTRS));
++        if (!systemFipsEnabled) {
++            putService(new ProviderService(this, "KeyPairGenerator",
++                "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++                ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++                ATTRS));
++
++            putService(new ProviderService(this, "KeyAgreement",
++                "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++            putService(new ProviderServiceA(this, "KeyAgreement",
++                "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++                ATTRS));
++            putService(new ProviderServiceA(this, "KeyAgreement",
++                "X448", "sun.security.ec.XDHKeyAgreement.X448",
++                ATTRS));
++        }
+     }
+ 
+     private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+         putService(new ProviderServiceA(this, "KeyFactory",
+             "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+ 
+-        putService(new ProviderService(this, "KeyPairGenerator",
+-            "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+-            ATTRS));
+-        putService(new ProviderServiceA(this, "KeyPairGenerator",
+-            "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+-            ATTRS));
+-
+-        putService(new ProviderService(this, "Signature",
+-            "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+-        putService(new ProviderServiceA(this, "Signature",
+-            "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++        if (!systemFipsEnabled) {
++            putService(new ProviderService(this, "KeyPairGenerator",
++                "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++                ATTRS));
++            putService(new ProviderServiceA(this, "KeyPairGenerator",
++                "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++                ATTRS));
++
++            putService(new ProviderService(this, "Signature",
++                "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++            putService(new ProviderServiceA(this, "Signature",
++                "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++        }
+ 
+     }
+ }
+diff --git a/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java
+new file mode 100644
+index 00000000000..a184a169732
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java
+@@ -0,0 +1,233 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.math.BigInteger;
++import java.security.AlgorithmParameters;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.SecureRandom;
++import java.security.Security;
++import java.util.Map;
++
++import javax.crypto.Cipher;
++import javax.crypto.SecretKey;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.interfaces.PBEKey;
++import javax.crypto.spec.IvParameterSpec;
++import javax.crypto.spec.PBEKeySpec;
++import javax.crypto.spec.PBEParameterSpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test password based encryption on SunPKCS11's Cipher service
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @run main/othervm/timeout=30 PBECipher
++ */
++
++public final class PBECipher {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        PBECipher2.main(args);
++    }
++}
++
++final class PBECipher2 extends PKCS11Test {
++    private static final char[] password = "123456".toCharArray();
++    private static final byte[] salt = "abcdefgh".getBytes();
++    private static final byte[] iv = new byte[16];
++    private static final int iterations = 1000;
++    private static final String plainText = "This is a know plain text!";
++    private static final String sep =
++    "=========================================================================";
++
++    private static enum Configuration {
++        // Provide salt and iterations through a PBEParameterSpec instance
++        PBEParameterSpec,
++
++        // Provide salt and iterations through a AlgorithmParameters instance
++        AlgorithmParameters,
++
++        // Provide salt and iterations through an anonymous class implementing
++        // the javax.crypto.interfaces.PBEKey interface
++        AnonymousPBEKey,
++    }
++
++    private static Provider sunJCE = Security.getProvider("SunJCE");
++
++    // Generated with SunJCE
++    private static final Map assertionData = Map.of(
++            "PBEWithHmacSHA1AndAES_128", new BigInteger("8eebe98a580fb09d026" +
++                    "dbfe60b3733b079e0de9ea7b0b1ccba011a1652d1e257", 16),
++            "PBEWithHmacSHA224AndAES_128", new BigInteger("1cbabdeb5d483af4a" +
++                    "841942f4b1095b7d6f60e46fabfd2609c015adc38cc227", 16),
++            "PBEWithHmacSHA256AndAES_128", new BigInteger("4d82f6591df3508d2" +
++                    "4531f06cdc4f90f4bdab7aeb07fbb57a3712e999d5b6f59", 16),
++            "PBEWithHmacSHA384AndAES_128", new BigInteger("3a0ed0959d51f40b9" +
++                    "ba9f506a5277f430521f2fbe1ba94bae368835f221b6cb9", 16),
++            "PBEWithHmacSHA512AndAES_128", new BigInteger("1388287a446009309" +
++                    "1418f4eca3ba1735b1fa025423d74ced36ce578d8ebf9da", 16),
++            "PBEWithHmacSHA1AndAES_256", new BigInteger("80f8208daab27ed02dd" +
++                    "8a354ef6f23ff7813c84dd1c8a1b081d6f4dee27182a2", 16),
++            "PBEWithHmacSHA224AndAES_256", new BigInteger("7e3b9ce20aec2e52f" +
++                    "f6c781602d4f79a55a88495b5217f1e22e1a068268e6247", 16),
++            "PBEWithHmacSHA256AndAES_256", new BigInteger("9d6a8b6a351dfd0dd" +
++                    "9e9f45924b2860dca7719c4c07e207a64ebc1acd16cc157", 16),
++            "PBEWithHmacSHA384AndAES_256", new BigInteger("6f1b386cee3a8e2d9" +
++                    "8c2e81828da0467dec8b989d22258efeab5932580d01d53", 16),
++            "PBEWithHmacSHA512AndAES_256", new BigInteger("30aaa346b2edd394f" +
++                    "50916187876ac32f1287b19d55c5eea6f7ef9b84aaf291e", 16)
++            );
++
++    private static final class NoRandom extends SecureRandom {
++        @Override
++        public void nextBytes(byte[] bytes) {
++            return;
++        }
++    }
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        for (Configuration conf : Configuration.values()) {
++            testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", conf);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    private void testWith(Provider sunPKCS11, String algorithm,
++            Configuration conf) throws Exception {
++        System.out.println(sep + System.lineSeparator() + algorithm
++                + " (with " + conf.name() + ")");
++
++        Cipher pbeCipher = getCipher(sunPKCS11, algorithm, conf);
++        BigInteger cipherText = new BigInteger(1, pbeCipher.doFinal(
++                plainText.getBytes()));
++        printByteArray("Cipher Text", cipherText);
++
++        BigInteger expectedCipherText = null;
++        if (sunJCE != null) {
++            Cipher c = getCipher(sunJCE, algorithm, conf);
++            if (c != null) {
++                expectedCipherText = new BigInteger(1, c.doFinal(
++                        plainText.getBytes()));
++            } else {
++                // Move to assertionData as it's unlikely that any of
++                // the algorithms are available.
++                sunJCE = null;
++            }
++        }
++        if (expectedCipherText == null) {
++            // If SunJCE or the algorithm are not available, assertionData
++            // is used instead.
++            expectedCipherText = assertionData.get(algorithm);
++        }
++
++        if (!cipherText.equals(expectedCipherText)) {
++            printByteArray("Expected Cipher Text", expectedCipherText);
++            throw new Exception("Expected Cipher Text did not match");
++        }
++    }
++
++    private Cipher getCipher(Provider p, String algorithm,
++            Configuration conf) throws Exception {
++        Cipher pbeCipher = null;
++        try {
++            pbeCipher = Cipher.getInstance(algorithm, p);
++        } catch (NoSuchAlgorithmException e) {
++            return null;
++        }
++        switch (conf) {
++            case PBEParameterSpec, AlgorithmParameters -> {
++                SecretKey key = getPasswordOnlyPBEKey();
++                PBEParameterSpec paramSpec = new PBEParameterSpec(
++                        salt, iterations, new IvParameterSpec(iv));
++                switch (conf) {
++                    case PBEParameterSpec -> {
++                        pbeCipher.init(Cipher.ENCRYPT_MODE, key, paramSpec);
++                    }
++                    case AlgorithmParameters -> {
++                        AlgorithmParameters algoParams =
++                                AlgorithmParameters.getInstance("PBES2");
++                        algoParams.init(paramSpec);
++                        pbeCipher.init(Cipher.ENCRYPT_MODE, key, algoParams);
++                    }
++                }
++            }
++            case AnonymousPBEKey -> {
++                SecretKey key = getPasswordSaltIterationsPBEKey();
++                pbeCipher.init(Cipher.ENCRYPT_MODE, key, new NoRandom());
++            }
++        }
++        return pbeCipher;
++    }
++
++    private static SecretKey getPasswordOnlyPBEKey() throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password);
++        SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
++        SecretKey skey = skFac.generateSecret(keySpec);
++        keySpec.clearPassword();
++        return skey;
++    }
++
++    private static SecretKey getPasswordSaltIterationsPBEKey() {
++        return new PBEKey() {
++            public byte[] getSalt() { return salt.clone(); }
++            public int getIterationCount() { return iterations; }
++            public String getAlgorithm() { return "PBE"; }
++            public String getFormat() { return "RAW"; }
++            public char[] getPassword() { return null; } // unused in PBE Cipher
++            public byte[] getEncoded() {
++                byte[] passwdBytes = new byte[password.length];
++                for (int i = 0; i < password.length; i++)
++                    passwdBytes[i] = (byte) (password[i] & 0x7f);
++                return passwdBytes;
++            }
++        };
++    }
++
++    private static void printByteArray(String title, BigInteger b) {
++        String repr = (b == null) ? "buffer is null" : b.toString(16);
++        System.out.println(title + ": " + repr + System.lineSeparator());
++    }
++
++    public static void main(String[] args) throws Exception {
++        PBECipher2 test = new PBECipher2();
++        Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
++        if (p != null) {
++            test.main(p);
++        } else {
++            main(test);
++        }
++    }
++}
+diff --git a/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java
+new file mode 100644
+index 00000000000..360e11c339d
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java
+@@ -0,0 +1,137 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.security.Key;
++import java.security.KeyStore;
++import java.security.KeyStoreException;
++import java.security.MessageDigest;
++import java.security.Provider;
++import java.security.Security;
++
++import javax.crypto.spec.SecretKeySpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test SunPKCS11's password based privacy and integrity
++ *          applied to PKCS#12 keystores
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @modules java.base/sun.security.util
++ * @run main/othervm/timeout=30 -Dcom.redhat.fips=false -DNO_DEFAULT=true ImportKeyToP12
++ */
++
++public final class ImportKeyToP12 {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        ImportKeyToP122.main(args);
++    }
++}
++
++final class ImportKeyToP122 extends PKCS11Test {
++    private static final String alias = "alias";
++    private static final char[] password = "123456".toCharArray();
++    private static final Key key = new SecretKeySpec(new byte[] {
++            0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7,
++            0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf }, "AES");
++    private static final String[] pbeCipherAlgs = new String[] {
++            "PBEWithHmacSHA1AndAES_128", "PBEWithHmacSHA224AndAES_128",
++            "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA384AndAES_128",
++            "PBEWithHmacSHA512AndAES_128", "PBEWithHmacSHA1AndAES_256",
++            "PBEWithHmacSHA224AndAES_256", "PBEWithHmacSHA256AndAES_256",
++            "PBEWithHmacSHA384AndAES_256", "PBEWithHmacSHA512AndAES_256"
++    };
++    private static final String[] pbeMacAlgs = new String[] {
++            "HmacPBESHA1", "HmacPBESHA224", "HmacPBESHA256",
++            "HmacPBESHA384", "HmacPBESHA512"
++    };
++    private static final KeyStore p12;
++    private static final String sep =
++    "=========================================================================";
++
++    static {
++        KeyStore tP12 = null;
++        try {
++            tP12 = KeyStore.getInstance("PKCS12");
++        } catch (KeyStoreException e) {}
++        p12 = tP12;
++    }
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        // Test all privacy PBE algorithms with an integrity algorithm fixed
++        for (String pbeCipherAlg : pbeCipherAlgs) {
++            testWith(sunPKCS11, pbeCipherAlg, pbeMacAlgs[0]);
++        }
++        // Test all integrity PBE algorithms with a privacy algorithm fixed
++        for (String pbeMacAlg : pbeMacAlgs) {
++            testWith(sunPKCS11, pbeCipherAlgs[0], pbeMacAlg);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    /*
++     * Consistency test: 1) store a secret key in a PKCS#12 keystore using
++     * PBE algorithms from SunPKCS11 and, 2) read the secret key from the
++     * PKCS#12 keystore using PBE algorithms from other security providers
++     * such as SunJCE.
++     */
++    private void testWith(Provider sunPKCS11, String pbeCipherAlg,
++            String pbeMacAlg) throws Exception {
++        System.out.println(sep + System.lineSeparator() +
++                "Cipher PBE: " + pbeCipherAlg + System.lineSeparator() +
++                "Mac PBE: " + pbeMacAlg);
++
++        System.setProperty("keystore.pkcs12.macAlgorithm", pbeMacAlg);
++        System.setProperty("keystore.pkcs12.keyProtectionAlgorithm",
++                pbeCipherAlg);
++
++        // Create an empty PKCS#12 keystore
++        ByteArrayOutputStream baos = new ByteArrayOutputStream();
++        p12.load(null, password);
++
++        // Use PBE privacy and integrity algorithms from SunPKCS11 to store
++        // the secret key
++        Security.insertProviderAt(sunPKCS11, 1);
++        p12.setKeyEntry(alias, key, password, null);
++        p12.store(baos, password);
++
++        // Use PBE privacy and integrity algorithms from other security
++        // providers, such as SunJCE, to read the secret key
++        Security.removeProvider(sunPKCS11.getName());
++        p12.load(new ByteArrayInputStream(baos.toByteArray()), password);
++        Key k = p12.getKey(alias, password);
++
++        if (!MessageDigest.isEqual(key.getEncoded(), k.getEncoded())) {
++            throw new Exception("Keys differ. Consistency check failed.");
++        }
++        System.out.println("Secret key import successful" + System.lineSeparator() + sep);
++    }
++
++    public static void main(String[] args) throws Exception {
++        main(new ImportKeyToP122());
++    }
++}
+diff --git a/test/jdk/sun/security/pkcs11/Mac/PBAMac.java b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java
+new file mode 100644
+index 00000000000..6b5662f6b4c
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java
+@@ -0,0 +1,187 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.math.BigInteger;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.Security;
++import java.util.Map;
++
++import javax.crypto.Mac;
++import javax.crypto.SecretKey;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.interfaces.PBEKey;
++import javax.crypto.spec.PBEKeySpec;
++import javax.crypto.spec.PBEParameterSpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test password based authentication on SunPKCS11's Mac service
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @run main/othervm/timeout=30 PBAMac
++ */
++
++public final class PBAMac {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        PBAMac2.main(args);
++    }
++}
++
++final class PBAMac2 extends PKCS11Test {
++    private static final char[] password = "123456".toCharArray();
++    private static final byte[] salt = "abcdefgh".getBytes();
++    private static final int iterations = 1000;
++    private static final String plainText = "This is a know plain text!";
++    private static final String sep =
++    "=========================================================================";
++
++    private static enum Configuration {
++        // Provide salt & iterations through a PBEParameterSpec instance
++        PBEParameterSpec,
++
++        // Provide salt & iterations through an anonymous class implementing
++        // the javax.crypto.interfaces.PBEKey interface
++        AnonymousPBEKey,
++    }
++
++    // Generated with SunJCE
++    private static final Map assertionData = Map.of(
++            "HmacPBESHA1", new BigInteger("febd26da5d63ce819770a2af1fc2857e" +
++                    "e2c9c41c", 16),
++            "HmacPBESHA224", new BigInteger("aa6a3a1c35a4b266fea62d1a871508" +
++                    "bd45f8ec326bcf16e09699063", 16),
++            "HmacPBESHA256", new BigInteger("af4d71121fd4e9d52eb42944d99b77" +
++                    "8ff64376fcf6af8d1dca3ec688dfada5c8", 16),
++            "HmacPBESHA384", new BigInteger("5d6d37764205985ffca7e4a6222752" +
++                    "a8bbd0520858da08ecafdc57e6246894675e375b9ba084f9ce7142" +
++                    "35f202cc3452", 16),
++            "HmacPBESHA512", new BigInteger("f586c2006cc2de73fd5743e5cca701" +
++                    "c942d3741a7a54a2a649ea36898996cf3c483f2d734179b47751db" +
++                    "e8373c980b4072136d2e2810f4e7276024a3e9081cc1", 16)
++            );
++
++    private static Provider sunJCE = Security.getProvider("SunJCE");
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        for (Configuration conf : Configuration.values()) {
++            testWith(sunPKCS11, "HmacPBESHA1", conf);
++            testWith(sunPKCS11, "HmacPBESHA224", conf);
++            testWith(sunPKCS11, "HmacPBESHA256", conf);
++            testWith(sunPKCS11, "HmacPBESHA384", conf);
++            testWith(sunPKCS11, "HmacPBESHA512", conf);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    private void testWith(Provider sunPKCS11, String algorithm,
++            Configuration conf) throws Exception {
++        System.out.println(sep + System.lineSeparator() + algorithm
++                + " (with " + conf.name() + ")");
++
++        BigInteger macResult = computeMac(sunPKCS11, algorithm, conf);
++        printByteArray("HMAC Result", macResult);
++
++        BigInteger expectedMacResult = computeExpectedMac(algorithm, conf);
++
++        if (!macResult.equals(expectedMacResult)) {
++            printByteArray("Expected HMAC Result", expectedMacResult);
++            throw new Exception("Expected HMAC Result did not match");
++        }
++    }
++
++    private BigInteger computeMac(Provider p, String algorithm,
++            Configuration conf) throws Exception {
++        Mac pbaMac;
++        try {
++            pbaMac = Mac.getInstance(algorithm, p);
++        } catch (NoSuchAlgorithmException e) {
++            return null;
++        }
++        switch (conf) {
++            case PBEParameterSpec -> {
++                SecretKey key = getPasswordOnlyPBEKey();
++                pbaMac.init(key, new PBEParameterSpec(salt, iterations));
++            }
++            case AnonymousPBEKey -> {
++                SecretKey key = getPasswordSaltIterationsPBEKey();
++                pbaMac.init(key);
++            }
++        }
++        return new BigInteger(1, pbaMac.doFinal(plainText.getBytes()));
++    }
++
++    private BigInteger computeExpectedMac(String algorithm, Configuration conf)
++            throws Exception {
++        if (sunJCE != null) {
++            BigInteger macResult = computeMac(sunJCE, algorithm, conf);
++            if (macResult != null) {
++                return macResult;
++            }
++            // Move to assertionData as it's unlikely that any of
++            // the algorithms are available.
++            sunJCE = null;
++        }
++        // If SunJCE or the algorithm are not available, assertionData
++        // is used instead.
++        return assertionData.get(algorithm);
++    }
++
++    private static SecretKey getPasswordOnlyPBEKey() throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password);
++        SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
++        SecretKey skey = skFac.generateSecret(keySpec);
++        keySpec.clearPassword();
++        return skey;
++    }
++
++    private static SecretKey getPasswordSaltIterationsPBEKey() {
++        return new PBEKey() {
++            public byte[] getSalt() { return salt.clone(); }
++            public int getIterationCount() { return iterations; }
++            public String getAlgorithm() { return "PBE"; }
++            public String getFormat() { return "RAW"; }
++            public char[] getPassword() { return password.clone(); }
++            public byte[] getEncoded() { return null; } // unused in PBA Mac
++        };
++    }
++
++    private static void printByteArray(String title, BigInteger b) {
++        String repr = (b == null) ? "buffer is null" : b.toString(16);
++        System.out.println(title + ": " + repr + System.lineSeparator());
++    }
++
++    public static void main(String[] args) throws Exception {
++        PBAMac2 test = new PBAMac2();
++        Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
++        if (p != null) {
++            test.main(p);
++        } else {
++            main(test);
++        }
++    }
++}
+diff --git a/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java
+new file mode 100644
+index 00000000000..67c3cee5970
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java
+@@ -0,0 +1,296 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.lang.reflect.Field;
++import java.lang.reflect.Method;
++import java.math.BigInteger;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.spec.PBEKeySpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test key derivation on SunPKCS11's SecretKeyFactory service
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @modules java.base/com.sun.crypto.provider:open
++ * @run main/othervm/timeout=30 TestPBKD
++ */
++
++public final class TestPBKD {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        TestPBKD2.main(args);
++    }
++}
++
++final class TestPBKD2 extends PKCS11Test {
++    private static final char[] password = "123456".toCharArray();
++    private static final byte[] salt = "abcdefgh".getBytes();
++    private static final int iterations = 1000;
++    private static final String sep =
++    "=========================================================================";
++
++    private static Provider sunJCE = Security.getProvider("SunJCE");
++
++    // Generated with SunJCE
++    private static final Map assertionData =
++            new HashMap<>() {{
++                put("HmacPBESHA1", new BigInteger("5f7d1c360d1703cede76f47db" +
++                        "2fa3facc62e7694", 16));
++                put("HmacPBESHA224", new BigInteger("289563f799b708f522ab2a3" +
++                        "8d283d0afa8fc1d3d227fcb9236c3a035", 16));
++                put("HmacPBESHA256", new BigInteger("888defcf4ef37eb0647014a" +
++                        "d172dd6fa3b3e9d024b962dba47608eea9b9c4b79", 16));
++                put("HmacPBESHA384", new BigInteger("f5464b34253fadab8838d0d" +
++                        "b11980c1787a99bf6f6304f2d8c942e30bada523494f9d5a0f3" +
++                        "741e411de21add8b5718a8", 16));
++                put("HmacPBESHA512", new BigInteger("18ae94337b132c68c611bc2" +
++                        "e723ac24dcd44a46d900dae2dd6170380d4c34f90fef7bdeb5f" +
++                        "6fddeb0d2230003e329b7a7eefcd35810d364ba95d31b68bb61" +
++                        "e52", 16));
++                put("PBEWithHmacSHA1AndAES_128", new BigInteger("fdb3dcc2e81" +
++                        "244d4d56bf7ec8dd61dd7", 16));
++                put("PBEWithHmacSHA224AndAES_128", new BigInteger("5ef9e5c6f" +
++                        "df7c355f3b424233a9f24c2", 16));
++                put("PBEWithHmacSHA256AndAES_128", new BigInteger("c5af597b0" +
++                        "1b4f6baac8f62ff6f22bfb1", 16));
++                put("PBEWithHmacSHA384AndAES_128", new BigInteger("c3208ebc5" +
++                        "d6db88858988ec00153847d", 16));
++                put("PBEWithHmacSHA512AndAES_128", new BigInteger("b27e8f7fb" +
++                        "6a4bd5ebea892cd9a7f5043", 16));
++                put("PBEWithHmacSHA1AndAES_256", new BigInteger("fdb3dcc2e81" +
++                        "244d4d56bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2ccde" +
++                        "98", 16));
++                put("PBEWithHmacSHA224AndAES_256", new BigInteger("5ef9e5c6f" +
++                        "df7c355f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8d" +
++                        "f64d", 16));
++                put("PBEWithHmacSHA256AndAES_256", new BigInteger("c5af597b0" +
++                        "1b4f6baac8f62ff6f22bfb1f319c3278c8b31cc616294716d4e" +
++                        "ab08", 16));
++                put("PBEWithHmacSHA384AndAES_256", new BigInteger("c3208ebc5" +
++                        "d6db88858988ec00153847d5b1b7a8723640a022dc332bcaefe" +
++                        "b356", 16));
++                put("PBEWithHmacSHA512AndAES_256", new BigInteger("b27e8f7fb" +
++                        "6a4bd5ebea892cd9a7f5043cefff9c38b07e599721e8d116189" +
++                        "5482", 16));
++                put("PBKDF2WithHmacSHA1", new BigInteger("fdb3dcc2e81244d4d5" +
++                        "6bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2cc", 16));
++                put("PBKDF2WithHmacSHA224", new BigInteger("5ef9e5c6fdf7c355" +
++                        "f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8df64d1a0" +
++                        "736ec1c69eef1c7b2", 16));
++                put("PBKDF2WithHmacSHA256", new BigInteger("c5af597b01b4f6ba" +
++                        "ac8f62ff6f22bfb1f319c3278c8b31cc616294716d4eab080b9" +
++                        "add9db34a42ceb2fea8d27adc00f4", 16));
++                put("PBKDF2WithHmacSHA384", new BigInteger("c3208ebc5d6db888" +
++                        "58988ec00153847d5b1b7a8723640a022dc332bcaefeb356995" +
++                        "d076a949d35c42c7e1e1ca936c12f8dc918e497edf279a522b7" +
++                        "c99580e2613846b3919af637da", 16));
++                put("PBKDF2WithHmacSHA512", new BigInteger("b27e8f7fb6a4bd5e" +
++                        "bea892cd9a7f5043cefff9c38b07e599721e8d1161895482da2" +
++                        "55746844cc1030be37ba1969df10ff59554d1ac5468fa9b7297" +
++                        "7bb7fd52103a0a7b488cdb8957616c3e23a16bca92120982180" +
++                        "c6c11a4f14649b50d0ade3a", 16));
++                }};
++
++    static interface AssertData {
++        BigInteger derive(String pbAlgo, PBEKeySpec keySpec) throws Exception;
++    }
++
++    static final class P12PBKDAssertData implements AssertData {
++        private final int outLen;
++        private final String kdfAlgo;
++        private final int blockLen;
++
++        P12PBKDAssertData(int outLen, String kdfAlgo, int blockLen) {
++            this.outLen = outLen;
++            this.kdfAlgo = kdfAlgo;
++            this.blockLen = blockLen;
++        }
++
++        @Override
++        public BigInteger derive(String pbAlgo, PBEKeySpec keySpec)
++                throws Exception {
++            // Since we need to access an internal SunJCE API, we use reflection
++            Class PKCS12PBECipherCore = Class.forName(
++                    "com.sun.crypto.provider.PKCS12PBECipherCore");
++
++            Field macKeyField = PKCS12PBECipherCore.getDeclaredField("MAC_KEY");
++            macKeyField.setAccessible(true);
++            int MAC_KEY = (int) macKeyField.get(null);
++
++            Method deriveMethod = PKCS12PBECipherCore.getDeclaredMethod(
++                    "derive", char[].class, byte[].class, int.class,
++                    int.class, int.class, String.class, int.class);
++            deriveMethod.setAccessible(true);
++
++            return new BigInteger(1, (byte[]) deriveMethod.invoke(null,
++                    keySpec.getPassword(), keySpec.getSalt(),
++                    keySpec.getIterationCount(), this.outLen,
++                    MAC_KEY, this.kdfAlgo, this.blockLen));
++        }
++    }
++
++    static final class PBKD2AssertData implements AssertData {
++        private final String kdfAlgo;
++        private final int keyLen;
++
++        PBKD2AssertData(String kdfAlgo, int keyLen) {
++            // Key length is pinned by the algorithm name (not kdfAlgo,
++            // but the algorithm under test: PBEWithHmacSHA*AndAES_*)
++            this.kdfAlgo = kdfAlgo;
++            this.keyLen = keyLen;
++        }
++
++        PBKD2AssertData(String kdfAlgo) {
++            // Key length is variable for the algorithm under test
++            // (kdfAlgo is the algorithm under test: PBKDF2WithHmacSHA*)
++            this(kdfAlgo, -1);
++        }
++
++        @Override
++        public BigInteger derive(String pbAlgo, PBEKeySpec keySpec)
++                throws Exception {
++            if (this.keyLen != -1) {
++                keySpec = new PBEKeySpec(
++                        keySpec.getPassword(), keySpec.getSalt(),
++                        keySpec.getIterationCount(), this.keyLen);
++            }
++            if (sunJCE != null) {
++                try {
++                    return new BigInteger(1, SecretKeyFactory.getInstance(
++                            this.kdfAlgo, sunJCE).generateSecret(keySpec)
++                            .getEncoded());
++                } catch (NoSuchAlgorithmException e) {
++                    // Move to assertionData as it's unlikely that any of
++                    // the algorithms are available.
++                    sunJCE = null;
++                }
++            }
++            // If SunJCE or the algorithm are not available, assertionData
++            // is used instead.
++            return assertionData.get(pbAlgo);
++        }
++    }
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        testWith(sunPKCS11, "HmacPBESHA1",
++                new P12PBKDAssertData(20, "SHA-1", 64));
++        testWith(sunPKCS11, "HmacPBESHA224",
++                new P12PBKDAssertData(28, "SHA-224", 64));
++        testWith(sunPKCS11, "HmacPBESHA256",
++                new P12PBKDAssertData(32, "SHA-256", 64));
++        testWith(sunPKCS11, "HmacPBESHA384",
++                new P12PBKDAssertData(48, "SHA-384", 128));
++        testWith(sunPKCS11, "HmacPBESHA512",
++                new P12PBKDAssertData(64, "SHA-512", 128));
++
++        testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA1", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA224", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA256", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA384", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA512", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA1", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA224", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA256", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA384", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA512", 256));
++
++        // Use 1,5 * digest size as the testing derived key length (in bits)
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA1", 240,
++                new PBKD2AssertData("PBKDF2WithHmacSHA1"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA224", 336,
++                new PBKD2AssertData("PBKDF2WithHmacSHA224"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA256", 384,
++                new PBKD2AssertData("PBKDF2WithHmacSHA256"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA384", 576,
++                new PBKD2AssertData("PBKDF2WithHmacSHA384"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA512", 768,
++                new PBKD2AssertData("PBKDF2WithHmacSHA512"));
++
++        System.out.println("TEST PASS - OK");
++    }
++
++    private static void testWith(Provider sunPKCS11, String algorithm,
++            AssertData assertData) throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations);
++        testWith(sunPKCS11, algorithm, keySpec, assertData);
++    }
++
++    private static void testWith(Provider sunPKCS11, String algorithm,
++            int keyLen, AssertData assertData) throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, keyLen);
++        testWith(sunPKCS11, algorithm, keySpec, assertData);
++    }
++
++    private static void testWith(Provider sunPKCS11, String algorithm,
++            PBEKeySpec keySpec, AssertData assertData) throws Exception {
++        System.out.println(sep + System.lineSeparator() + algorithm);
++
++        SecretKeyFactory skFac = SecretKeyFactory.getInstance(
++                algorithm, sunPKCS11);
++        BigInteger derivedKey = new BigInteger(1,
++                skFac.generateSecret(keySpec).getEncoded());
++        printByteArray("Derived Key", derivedKey);
++
++        BigInteger expectedDerivedKey = assertData.derive(algorithm, keySpec);
++
++        if (!derivedKey.equals(expectedDerivedKey)) {
++            printByteArray("Expected Derived Key", expectedDerivedKey);
++            throw new Exception("Expected Derived Key did not match");
++        }
++    }
++
++    private static void printByteArray(String title, BigInteger b) {
++        String repr = (b == null) ? "buffer is null" : b.toString(16);
++        System.out.println(title + ": " + repr + System.lineSeparator());
++    }
++
++    public static void main(String[] args) throws Exception {
++        TestPBKD2 test = new TestPBKD2();
++        Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
++        if (p != null) {
++            test.main(p);
++        } else {
++            main(test);
++        }
++    }
++}
+diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+new file mode 100644
+index 00000000000..ce01c655eb8
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+@@ -0,0 +1,349 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.lang.reflect.Method;
++import java.nio.charset.StandardCharsets;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.security.KeyStore;
++import java.security.Provider;
++import java.security.Security;
++import java.util.Arrays;
++import java.util.function.Consumer;
++import java.util.List;
++import javax.crypto.Cipher;
++import javax.crypto.spec.SecretKeySpec;
++
++import jdk.test.lib.process.Proc;
++import jdk.test.lib.util.FileUtils;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary
++ *   Test that the fips.nssdb.path and fips.nssdb.pin properties can be used
++ *   for a successful login into an NSS DB. Some additional unitary testing
++ *   is then performed. This test depends on NSS modutil and must be run in
++ *   FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available).
++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open
++ * @library /test/lib
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=600 NssdbPin
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class NssdbPin {
++
++    // Public properties and names
++    private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
++    private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
++    private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS";
++    private static final String NSSDB_TOKEN_NAME =
++            "NSS FIPS 140-2 Certificate DB";
++
++    // Data to be tested
++    private static final String[] PINS_TO_TEST =
++            new String[] {
++                    "",
++                    "1234567890abcdef1234567890ABCDEF\uA4F7"
++            };
++    private static enum PropType { SYSTEM, SECURITY }
++    private static enum LoginType { IMPLICIT, EXPLICIT }
++
++    // Internal test fields
++    private static final boolean DEBUG = true;
++    private static class TestContext {
++        String pin;
++        PropType propType;
++        Path workspace;
++        String nssdbPath;
++        Path nssdbPinFile;
++        LoginType loginType;
++        TestContext(String pin, Path workspace) {
++            this.pin = pin;
++            this.workspace = workspace;
++            this.nssdbPath = "sql:" + workspace;
++            this.loginType = LoginType.IMPLICIT;
++        }
++    }
++
++    public static void main(String[] args) throws Throwable {
++        if (args.length == 3) {
++            // Executed by a child process.
++            mainChild(args[0], args[1], LoginType.valueOf(args[2]));
++        } else if (args.length == 0) {
++            // Executed by the parent process.
++            mainLauncher();
++            // Test defaults
++            mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT);
++            System.out.println("TEST PASS - OK");
++        } else {
++            throw new Exception("Unexpected number of arguments.");
++        }
++    }
++
++    private static void mainChild(String expectedPath, String expectedPin,
++            LoginType loginType) throws Throwable {
++        if (DEBUG) {
++            for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP,
++                    FIPS_NSSDB_PIN_PROP)) {
++                System.out.println(prop + " (System): " +
++                        System.getProperty(prop));
++                System.out.println(prop + " (Security): " +
++                        Security.getProperty(prop));
++            }
++        }
++
++        /*
++         * Functional cross-test against an NSS DB generated by modutil
++         * with the same PIN. Check that we can perform a crypto operation
++         * that requires a login. The login might be explicit or implicit.
++         */
++        Provider p = Security.getProvider(FIPS_PROVIDER_NAME);
++        if (DEBUG) {
++            System.out.println(FIPS_PROVIDER_NAME + ": " + p);
++        }
++        if (p == null) {
++            throw new Exception(FIPS_PROVIDER_NAME + " initialization failed.");
++        }
++        if (DEBUG) {
++            System.out.println("Login type: " + loginType);
++        }
++        if (loginType == LoginType.EXPLICIT) {
++            // Do the expansion to account for truncation, so C_Login in
++            // the NSS Software Token gets a UTF-8 encoded PIN.
++            byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8);
++            char[] pinChar = new char[pinUtf8.length];
++            for (int i = 0; i < pinChar.length; i++) {
++                pinChar[i] = (char)(pinUtf8[i] & 0xFF);
++            }
++            KeyStore.getInstance("PKCS11", p).load(null, pinChar);
++            if (DEBUG) {
++                System.out.println("Explicit login succeeded.");
++            }
++        }
++        if (DEBUG) {
++            System.out.println("Trying a crypto operation...");
++        }
++        final int blockSize = 16;
++        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p);
++        cipher.init(Cipher.ENCRYPT_MODE,
++                new SecretKeySpec(new byte[blockSize], "AES"));
++        if (cipher.doFinal(new byte[blockSize]).length != blockSize) {
++            throw new Exception("Could not perform a crypto operation.");
++        }
++        if (DEBUG) {
++            if (loginType == LoginType.IMPLICIT) {
++                System.out.println("Implicit login succeeded.");
++            }
++            System.out.println("Crypto operation after login succeeded.");
++        }
++
++        if (loginType == LoginType.IMPLICIT) {
++            /*
++             * Additional unitary testing. Expected to succeed at this point.
++             */
++            if (DEBUG) {
++                System.out.println("Trying unitary test...");
++            }
++            String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP);
++            if (DEBUG) {
++                System.out.println("Path value (as a System property): " +
++                        sysPathProp);
++            }
++            if (!expectedPath.equals(sysPathProp)) {
++                throw new Exception("Path is different than expected: " +
++                        sysPathProp + " (actual) vs " + expectedPath +
++                        " (expected).");
++            }
++            Class c = Class
++                    .forName("sun.security.pkcs11.FIPSTokenLoginHandler");
++            Method m = c.getDeclaredMethod("getFipsNssdbPin");
++            m.setAccessible(true);
++            String pin = null;
++            char[] pinChar = (char[]) m.invoke(c);
++            if (pinChar != null) {
++                byte[] pinUtf8 = new byte[pinChar.length];
++                for (int i = 0; i < pinUtf8.length; i++) {
++                    pinUtf8[i] = (byte) pinChar[i];
++                }
++                pin = new String(pinUtf8, StandardCharsets.UTF_8);
++            }
++            if (!expectedPin.isEmpty() && !expectedPin.equals(pin) ||
++                    expectedPin.isEmpty() && pin != null) {
++                throw new Exception("PIN is different than expected: '" + pin +
++                         "' (actual) vs '" + expectedPin + "' (expected).");
++            }
++            if (DEBUG) {
++                System.out.println("PIN value: " + pin);
++                System.out.println("Unitary test succeeded.");
++            }
++        }
++    }
++
++    private static void mainLauncher() throws Throwable {
++        for (String pin : PINS_TO_TEST) {
++            Path workspace = Files.createTempDirectory(null);
++            try {
++                TestContext ctx = new TestContext(pin, workspace);
++                createNSSDB(ctx);
++                {
++                    ctx.loginType = LoginType.IMPLICIT;
++                    for (PropType propType : PropType.values()) {
++                        ctx.propType = propType;
++                        pinLauncher(ctx);
++                        envLauncher(ctx);
++                        fileLauncher(ctx);
++                    }
++                }
++                explicitLoginLauncher(ctx);
++            } finally {
++                FileUtils.deleteFileTreeWithRetry(workspace);
++            }
++        }
++    }
++
++    private static void pinLauncher(TestContext ctx) throws Throwable {
++        launchTest(p -> {}, "pin:" + ctx.pin, ctx);
++    }
++
++    private static void envLauncher(TestContext ctx) throws Throwable {
++        final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR";
++        launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin),
++                "env:" + NSSDB_PIN_ENV_VAR, ctx);
++    }
++
++    private static void fileLauncher(TestContext ctx) throws Throwable {
++        // The file containing the PIN (ctx.nssdbPinFile) was created by the
++        // generatePinFile method, called from createNSSDB.
++        launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx);
++    }
++
++    private static void explicitLoginLauncher(TestContext ctx)
++            throws Throwable {
++        ctx.loginType = LoginType.EXPLICIT;
++        ctx.propType = PropType.SYSTEM;
++        launchTest(p -> {}, "Invalid PIN, must be ignored", ctx);
++    }
++
++    private static void launchTest(Consumer procCb, String pinPropVal,
++            TestContext ctx) throws Throwable {
++        if (DEBUG) {
++            System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP +
++                    "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP +
++                    "=" + pinPropVal);
++        }
++        Proc p = Proc.create(NssdbPin.class.getName())
++                .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name());
++        if (ctx.propType == PropType.SYSTEM) {
++            p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++            p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++            // Make sure that Security properties defaults are not used.
++            p.secprop(FIPS_NSSDB_PATH_PROP, "");
++            p.secprop(FIPS_NSSDB_PIN_PROP, "");
++        } else if (ctx.propType == PropType.SECURITY) {
++            p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++            pinPropVal = escapeForPropsFile(pinPropVal);
++            p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++        } else {
++            throw new Exception("Unsupported property type.");
++        }
++        if (DEBUG) {
++            p.inheritIO();
++            p.prop("java.security.debug", "sunpkcs11");
++            p.debug(NssdbPin.class.getName());
++
++            // Need the launched process to connect to a debugger?
++            //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" +
++            //         "transport=dt_socket,address=localhost:8000,suspend=y");
++        } else {
++            p.nodump();
++        }
++        procCb.accept(p);
++        p.start().waitFor(0);
++    }
++
++    private static String escapeForPropsFile(String str) throws Throwable {
++        StringBuffer sb = new StringBuffer();
++        for (int i = 0; i < str.length(); i++) {
++            int cp = str.codePointAt(i);
++            if (Character.UnicodeBlock.of(cp)
++                    == Character.UnicodeBlock.BASIC_LATIN) {
++                sb.append(Character.toChars(cp));
++            } else {
++                sb.append("\\u").append(String.format("%04X", cp));
++            }
++        }
++        return sb.toString();
++    }
++
++    private static void createNSSDB(TestContext ctx) throws Throwable {
++        ProcessBuilder pb = getModutilPB(ctx, "-create");
++        if (DEBUG) {
++            System.out.println("Creating an NSS DB in " + ctx.workspace +
++                    "...");
++            System.out.println("cmd: " + String.join(" ", pb.command()));
++        }
++        if (pb.start().waitFor() != 0) {
++            throw new Exception("NSS DB creation failed.");
++        }
++        generatePinFile(ctx);
++        pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME,
++                "-newpwfile", ctx.nssdbPinFile.toString());
++        if (DEBUG) {
++            System.out.println("NSS DB created.");
++            System.out.println("Changing NSS DB PIN...");
++            System.out.println("cmd: " + String.join(" ", pb.command()));
++        }
++        if (pb.start().waitFor() != 0) {
++            throw new Exception("NSS DB PIN change failed.");
++        }
++        if (DEBUG) {
++            System.out.println("NSS DB PIN changed.");
++        }
++    }
++
++    private static ProcessBuilder getModutilPB(TestContext ctx, String... args)
++            throws Throwable {
++        ProcessBuilder pb = new ProcessBuilder("modutil", "-force");
++        List pbCommand = pb.command();
++        if (args != null) {
++            pbCommand.addAll(Arrays.asList(args));
++        }
++        pbCommand.add("-dbdir");
++        pbCommand.add(ctx.nssdbPath);
++        if (DEBUG) {
++            pb.inheritIO();
++        } else {
++            pb.redirectError(ProcessBuilder.Redirect.INHERIT);
++        }
++        return pb;
++    }
++
++    private static void generatePinFile(TestContext ctx) throws Throwable {
++        ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null);
++        Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() +
++                "2nd line with garbage");
++    }
++}
+diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+new file mode 100644
+index 00000000000..87f1ad04505
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+@@ -0,0 +1,77 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.security.Provider;
++import java.security.Security;
++
++/*
++ * @test
++ * @bug 9999999
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=30 VerifyMissingAttributes
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class VerifyMissingAttributes {
++
++    private static final String[] svcAlgImplementedIn = {
++            "AlgorithmParameterGenerator.DSA",
++            "AlgorithmParameters.DSA",
++            "CertificateFactory.X.509",
++            "KeyStore.JKS",
++            "KeyStore.CaseExactJKS",
++            "KeyStore.DKS",
++            "CertStore.Collection",
++            "CertStore.com.sun.security.IndexedCollection"
++    };
++
++    public static void main(String[] args) throws Throwable {
++        Provider sunProvider = Security.getProvider("SUN");
++        for (String svcAlg : svcAlgImplementedIn) {
++            String filter = svcAlg + " ImplementedIn:Software";
++            doQuery(sunProvider, filter);
++        }
++        if (Double.parseDouble(
++                System.getProperty("java.specification.version")) >= 17) {
++            String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" +
++                    "java.security.interfaces.RSAPublicKey" +
++                    "|java.security.interfaces.RSAPrivateKey";
++            doQuery(Security.getProvider("SunRsaSign"), filter);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    private static void doQuery(Provider expectedProvider, String filter)
++            throws Exception {
++        if (expectedProvider == null) {
++            throw new Exception("Provider not found.");
++        }
++        Provider[] providers = Security.getProviders(filter);
++        if (providers == null || providers.length != 1 ||
++                providers[0] != expectedProvider) {
++            throw new Exception("Failure retrieving the provider with this" +
++                    " query: " + filter);
++        }
++    }
++}
diff --git a/SPECS/java-17-openjdk-portable.spec b/SPECS/java-17-openjdk-portable.spec
new file mode 100644
index 0000000..25c6640
--- /dev/null
+++ b/SPECS/java-17-openjdk-portable.spec
@@ -0,0 +1,2123 @@
+# portable jdk 17 specific bug, _jvmdir being missing
+%define _jvmdir /usr/lib/jvm
+
+# debug_package %%{nil} is portable-jdks specific
+%define  debug_package %{nil}
+
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_with fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# Disable LTO as this causes build failures at the moment.
+# See RHBZ#1861401
+%define _lto_cflags %{nil}
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at  "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which  is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+#    rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# == rpm -ql           java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# != rpm -ql           java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64         aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le         ppc64le
+%global ppc64be         ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches    %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches      %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches      x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches       %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific
+# However, it does segfault on the Zero assembler port, so currently JIT only
+%global share_arches    %{jit_arches}
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libjsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+# s390x fails on RHEL 7 so we exclude it there
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
+%else
+%global gdb_arches %{jit_arches} %{zero_arches}
+%endif
+
+# By default, we build a slowdebug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# The static libraries are produced under the same configuration as the main
+# build for portables, as we expect in-tree libraries to be used throughout.
+# If system libraries are enabled, the static libraries will also use them
+# which may cause issues.
+%global bootstrap_targets images %{static_libs_target} legacy-jre-image
+%global release_targets images docs-zip %{static_libs_target} legacy-jre-image
+# No docs nor bootcycle for debug builds
+%global debug_targets images %{static_libs_target} legacy-jre-image
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 10
+%global patchver 0
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver 17
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+  %global lts_designator "LTS"
+  %global lts_designator_zip -%{lts_designator}
+%else
+  %global lts_designator ""
+  %global lts_designator_zip ""
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://access.redhat.com/support/cases/
+%else
+%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease})
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver      6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver d63771ea660
+%global javaver         %{featurever}
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Standard JPackage naming and versioning defines
+%global origin          openjdk
+%global origin_nice     OpenJDK
+%global top_level_dir_name   %{vcstag}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver        7
+%global rpmrelease      1
+#%%global tagsuffix     %%{nil}
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga           1
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip %{nil}
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename  java-%{featurever}-%{origin}
+%global fullversion     %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage                jdk
+%global static_libs_image       static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
+%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir()    %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix()        %{expand:%{fullversion}.%{_arch}%{?1}}
+# portable only declarations
+%global jreimage                jre
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g")
+%define jreportablearchive()  %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz}
+%define jdkportablearchive()  %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz}
+%define staticlibsportablearchive()  %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz}
+%define jreportablename()     %{expand:%{jreportablenameimpl -- %%{1}}}
+%define jdkportablename()     %{expand:%{jdkportablenameimpl -- %%{1}}}
+# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
+# top of the JDK archive
+%define staticlibsportablename()     %{expand:%{jdkportablenameimpl -- %%{1}}}
+%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g")
+%define docportablearchive()  %{docportablename}.tar.xz
+%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g")
+%define miscportablearchive()  %{miscportablename}.tar.xz
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+#         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+#         https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for slowdebug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir     %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir()      %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir()        %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk()        %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name     alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
+# Portables have no repo (requires/provides), but these are awesome for orientation in spec
+# Also scriptlets are happily missing and files are handled old fashion
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+}
+
+%define java_devel_rpo() %{expand:
+}
+
+%define java_static_libs_rpo() %{expand:
+}
+
+%define java_unstripped_rpo() %{expand:
+}
+
+%define java_docs_rpo() %{expand:
+}
+
+%define java_misc_rpo() %{expand:
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+# portables have grown out of its component, moving back to java-x-vendor
+# this expression, when declared as global, filled component with java-x-vendor portable
+%define component %(echo %{name} | sed "s;-portable;;g")
+
+Name:    java-%{javaver}-%{origin}-portable
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch:   1
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License:  ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL:      http://openjdk.java.net/
+
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+# Disabled in portables
+#Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# NSS via SunPKCS11 Provider (disabled due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
+# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# The following list is generated by:
+# git log %%{vcstag}.. --no-merges --format=%s --reverse:
+# Fixes currently included:
+# PR3183, RH1340845: Support Fedora & RHEL system crypto policy
+# PR3695: Allow system crypto policy enforcement to be toggled on/off
+# RH1655466: Support global RHEL crypto policy
+# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode
+# RH1860986: Disable TLSv1.3 in FIPS mode
+# RH1915071: Always initialise configurator access.patch
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers
+# RH1996182: Login to the NSS Software Token in FIPS Mode
+# RH1929465: Don't define unused throwIOException function when using NSS detection
+# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
+# RH1991003: Enable the import of plain keys into the NSS software token.
+# RH2021263: Return in C code after having generated Java exception
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export (#1)
+# Run workflows on pull request, as we are not using SKARA.
+# RH2094027: SunEC runtime permission for FIPS (#5)
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8)
+# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4)
+# Use encoded space rather than quoting for JTReg JAVA_OPTIONS
+# RH2104724: Avoid import/export of DH private keys (#14)
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16)
+# Build the systemconf library on all platforms (#7)
+# RH2048582: Support PKCS#12 keystores (#2)
+# RH2020290: Support TLS 1.3 in FIPS mode (#13)
+# Add nss.fips.cfg support to OpenJDK tree (#22)
+# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17)
+# Remove forgotten dead code from #13 and #14 (#21)
+# Fix issue on FIPS with a SecurityManager in place (#25)
+# RH2134669: Add missing attributes when registering services in FIPS mode. (#19)
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
+# RH1940064: Enable XML Signature provider in FIPS mode (#24)
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
+Patch1001: fips-17u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+
+# Currently empty
+
+#############################################
+#
+# OpenJDK patches appearing in 17.0.10
+#
+#############################################
+
+# Currently empty
+
+#############################################
+#
+# Portable build specific patches
+#
+#############################################
+
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
+#
+#############################################
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: file
+BuildRequires: fontconfig-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+# N/A for portable. RHEL7 doesn't provide them
+#BuildRequires: crypto-policies
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+# to pack portable tarballs
+BuildRequires: tar
+BuildRequires: unzip
+# No javapackages-filesystem on el7,nor is needed for portables
+# BuildRequires: javapackages-filesystem
+BuildRequires: java-%{buildjdkver}-openjdk-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# Full documentation build requirements
+BuildRequires: graphviz
+BuildRequires: pandoc
+# 2023c required as of JDK-8305113
+BuildRequires: tzdata-java >= 2023c
+# cacerts build requirement in portable mode
+BuildRequires: ca-certificates
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.13.0
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 7.2.0
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.15.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.39
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment portable edition
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} runtime environment and development tools - portable edition
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package unstripped
+Summary: The %{origin_nice} %{featurever} runtime environment.
+
+%{java_unstripped_rpo %{nil}}
+
+%description unstripped
+The %{origin_nice} %{featurever} runtime environment.
+
+%endif
+
+%package docs
+Summary: %{origin_nice} %{featurever} API documentation
+
+%{java_docs_rpo %{nil}}
+
+%description docs
+The %{origin_nice} %{featurever} API documentation.
+
+%package misc
+Summary: %{origin_nice} %{featurever} miscellany
+
+%{java_misc_rpo %{nil}}
+
+%description misc
+The %{origin_nice} %{featurever} miscellany.
+
+%prep
+
+echo "Preparing %{oj_vendor_version}"
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+  echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+  %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o  %{include_normal_build} -eq 1 ] ; then
+  echo "include_normal_build is %{include_normal_build}"
+else
+  echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+  exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o  %{include_debug_build} -eq 1 ] ; then
+  echo "include_debug_build is %{include_debug_build}"
+else
+  echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+  exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o  %{include_fastdebug_build} -eq 1 ] ; then
+  echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+  echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+  exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{include_fastdebug_build} -eq 0 ] ; then
+  echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+  exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+%endif
+
+# Patch the JDK
+# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18
+# -p N: strip N leading slashes from paths
+pushd %{top_level_dir_name}
+%patch -P1 -p1
+%patch -P3 -p1
+%patch -P6 -p1
+# Add crypto policy and FIPS support
+%patch -P1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch -P1000 -p1
+# alt-java support
+%patch -P600 -p1
+popd # openjdk
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+    UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+    echo "Could not find OpenJDK version file.";
+    exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+    echo "WARNING: Designator mismatch";
+    echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+    echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+    exit 17
+fi
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+  for file in "tapset"$suffix/*.in; do
+    sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file
+    sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file
+  done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# Portables do not have desktop integration
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+function buildjdk() {
+    local outputdir=${1}
+    local buildjdk=${2}
+    local maketargets="${3}"
+    local debuglevel=${4}
+    local link_opt=${5}
+    local debug_symbols=${6}
+
+    local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+    local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+    # This must be set using the global, so that the
+    # static libraries still use a dynamic stdc++lib
+    if [ "x%{link_type}" = "xbundled" ] ; then
+        libc_link_opt="static";
+    else
+        libc_link_opt="dynamic";
+    fi
+
+    echo "Using output directory: ${outputdir}";
+    echo "Checking build JDK ${buildjdk} is operational..."
+    ${buildjdk}/bin/java -version
+    echo "Using make targets: ${maketargets}"
+    echo "Using debuglevel: ${debuglevel}"
+    echo "Using link_opt: ${link_opt}"
+    echo "Using debug_symbols: ${debug_symbols}"
+    echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+    mkdir -p ${outputdir}
+    pushd ${outputdir}
+
+    # Note: zlib and freetype use %{link_type}
+    # rather than ${link_opt} as the system versions
+    # are always used in a system_libs build, even
+    # for the static library build
+    bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+    --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+    --with-jobs=1 \
+%endif
+    --with-cacerts-file=$(readlink -f %{_sysconfdir}/pki/java/cacerts)  \
+    --with-version-build=%{buildver} \
+    --with-version-pre="%{ea_designator}" \
+    --with-version-opt="%{lts_designator}" \
+    --with-vendor-version-string="%{oj_vendor_version}" \
+    --with-vendor-name="%{oj_vendor}" \
+    --with-vendor-url="%{oj_vendor_url}" \
+    --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+    --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
+    --with-boot-jdk=${buildjdk} \
+    --with-debug-level=${debuglevel} \
+    --with-native-debug-symbols="${debug_symbols}" \
+    --disable-sysconf-nss \
+    --enable-unlimited-crypto \
+    --with-zlib=%{link_type} \
+    --with-freetype=%{link_type} \
+    --with-libjpeg=${link_opt} \
+    --with-giflib=${link_opt} \
+    --with-libpng=${link_opt} \
+    --with-lcms=${link_opt} \
+    --with-harfbuzz=${link_opt} \
+    --with-stdc++lib=${libc_link_opt} \
+    --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+    --with-extra-cflags="$EXTRA_CFLAGS" \
+    --with-extra-ldflags="%{ourldflags}" \
+    --with-num-cores="$NUM_PROC" \
+    --with-source-date="${SOURCE_DATE_EPOCH}" \
+    --disable-javac-server \
+%ifarch %{zgc_arches}
+    --with-jvm-features=zgc \
+%endif
+    --disable-warnings-as-errors
+
+    cat spec.gmk
+    make LOG=trace $maketargets || \
+        ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false )
+
+    popd
+}
+
+function stripjdk() {
+    local outputdir=${1}
+    local jdkimagepath=${outputdir}/images/%{jdkimage}
+    local jreimagepath=${outputdir}/images/%{jreimage}
+    local jmodimagepath=${outputdir}/images/jmods
+    local supportdir=${outputdir}/support
+
+    if [ "x$suffix" = "x" ] ; then
+        # Keep the unstripped version for consumption by RHEL RPMs
+        cp -a ${jdkimagepath}{,.unstripped}
+
+        # Strip the files
+        for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} -type f) ; do
+            if file ${file} | grep -q 'ELF'; then
+                noextfile=${file/.so/};
+                objcopy --only-keep-debug ${file} ${noextfile}.debuginfo;
+                objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file};
+                strip -g ${file};
+            fi
+        done
+
+        # Rebuild jmod files against the stripped binaries
+        if [ ! -d ${supportdir} ] ; then
+            echo "Support directory missing.";
+            exit 15
+        fi
+        for cmd in $(find ${supportdir} -name '*.jmod_exec.cmdline') ; do
+            pre=${cmd/_exec/_pre};
+            post=${cmd/_exec/_post};
+            jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##')
+            echo "Rebuilding ${jmod} against stripped binaries...";
+            if [ -e ${pre} ] ; then
+                echo "Executing ${pre}...";
+                cat ${pre} | sh -s ;
+            fi
+            echo "Executing ${cmd}...";
+            cat ${cmd} | sh -s ;
+            if [ -e ${post} ] ; then
+                echo "Executing ${post}...";
+                cat ${post} | sh -s ;
+            fi
+        done
+        rm -rf ${jdkimagepath}/jmods
+        cp -a ${jmodimagepath} ${jdkimagepath}
+    fi
+}
+
+function installjdk() {
+    local outputdir=${1}
+    local installdir=${2}
+    local jdkimagepath=${installdir}/images/%{jdkimage}
+    local jreimagepath=${installdir}/images/%{jreimage}
+    local unstripped=${jdkimagepath}.unstripped
+
+    echo "Installing build from ${outputdir} to ${installdir}..."
+    mkdir -p ${installdir}
+    echo "Installing images..."
+    mv ${outputdir}/images ${installdir}
+    if [ -d ${outputdir}/bundles ] ; then
+        echo "Installing bundles...";
+        mv ${outputdir}/bundles ${installdir} ;
+    fi
+
+%if !%{with artifacts}
+    echo "Removing output directory...";
+    rm -rf ${outputdir}
+%endif
+
+    # legacy-jre-image target does not install any man pages for the JRE
+    # We copy the jdk man directory and then remove pages for binaries that
+    # don't exist in the JRE
+    cp -a ${jdkimagepath}/man ${jreimagepath}
+    for manpage in $(find ${jreimagepath}/man -name '*.1'); do
+        filename=$(basename ${manpage});
+        binary=${filename/.1/};
+        if [ ! -f ${jreimagepath}/bin/${binary} ] ; then
+            echo "Removing ${manpage} from JRE for which no binary ${binary} exists";
+            rm -f ${manpage};
+        fi;
+    done
+
+    for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do
+
+        if [ -d ${imagepath} ] ; then
+            # the build (erroneously) removes read permissions from some jars
+            # this is a regression in OpenJDK 7 (our compiler):
+            # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+            find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+            # Build screws up permissions on binaries
+            # https://bugs.openjdk.java.net/browse/JDK-8173610
+            find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+            find ${imagepath}/bin/ -exec chmod +x {} \;
+
+            # Install local files which are distributed with the JDK
+            install -m 644 %{SOURCE10} ${imagepath}
+            install -m 644 nss.cfg ${imagepath}/conf/security/
+
+            # Create fake alt-java as a placeholder for future alt-java
+            pushd ${imagepath}
+            # add alt-java man page
+            echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+            cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+            popd
+
+            # Print release information
+            cat ${imagepath}/release
+        fi
+    done
+}
+
+function genchecksum() {
+    local checkedfile=${1}
+
+    checkdir=$(dirname ${1})
+    checkfile=$(basename ${1})
+
+    echo "Generating checksum for ${checkfile} in ${checkdir}..."
+    pushd ${checkdir}
+    sha256sum ${checkfile} > ${checkfile}.sha256sum
+    sha256sum --check ${checkfile}.sha256sum
+    popd
+}
+
+function packagejdk() {
+    local imagesdir=$(pwd)/${1}/images
+    local docdir=$(pwd)/${1}/images/docs
+    local bundledir=$(pwd)/${1}/bundles
+    local packagesdir=$(pwd)/${2}
+    local srcdir=$(pwd)/%{top_level_dir_name}
+    local tapsetdir=$(pwd)/tapset
+
+    echo "Packaging build from ${imagesdir} to ${packagesdir}..."
+    mkdir -p ${packagesdir}
+    pushd ${imagesdir}
+
+    if [ "x$suffix" = "x" ] ; then
+        nameSuffix=""
+    else
+        nameSuffix=`echo "$suffix"| sed s/-/./`
+    fi
+
+    jdkname=%{jdkportablename -- "$nameSuffix"}
+    jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}
+    jrename=%{jreportablename -- "$nameSuffix"}
+    jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
+    staticname=%{staticlibsportablename -- "$nameSuffix"}
+    staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
+    debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
+    unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
+    # We only use docs for the release build
+    docname=%{docportablename}
+    docarchive=${packagesdir}/%{docportablearchive}
+    built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+    # These are from the source tree so no debug variants
+    miscname=%{miscportablename}
+    miscarchive=${packagesdir}/%{miscportablearchive}
+
+    if [ "x$suffix" = "x" ] ; then
+        # Keep the unstripped version for consumption by RHEL RPMs
+        mv %{jdkimage}.unstripped ${jdkname}
+        tar -cJf ${unstrippedarchive} ${jdkname}
+        genchecksum ${unstrippedarchive}
+        mv ${jdkname} %{jdkimage}.unstripped
+    fi
+
+    # Rename directories for packaging
+    mv %{jdkimage} ${jdkname}
+    mv %{jreimage} ${jrename}
+
+    # Release images have external debug symbols
+    if [ "x$suffix" = "x" ] ; then
+        tar -cJf ${debugarchive} $(find ${jdkname} -name \*.debuginfo)
+        genchecksum ${debugarchive}
+
+        mkdir ${docname}
+        mv ${docdir} ${docname}
+        mv ${bundledir}/${built_doc_archive} ${docname}
+        tar -cJf ${docarchive} ${docname}
+        genchecksum ${docarchive}
+
+        mkdir ${miscname}
+        for s in 16 24 32 48 ; do
+            cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname}
+        done
+        cp -a ${srcdir}/src/sample ${miscname}
+%if %{with_systemtap}
+        cp -a ${tapsetdir}* ${miscname}
+%endif
+        tar -cJf ${miscarchive} ${miscname}
+        genchecksum ${miscarchive}
+    fi
+
+    tar -cJf ${jdkarchive} --exclude='**.debuginfo' ${jdkname}
+    genchecksum ${jdkarchive}
+
+    tar -cJf ${jrearchive}  --exclude='**.debuginfo' ${jrename}
+    genchecksum ${jrearchive}
+
+%if %{include_staticlibs}
+    # Static libraries (needed for building graal vm with native image)
+    # Tar as overlay. Transform to the JDK name, since we just want to "add"
+    # static libraries to that folder
+    tar -cJf ${staticarchive} \
+        --transform "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
+    genchecksum ${staticarchive}
+%endif
+
+    # Revert directory renaming so testing will run
+    # TODO: testing should run on the packaged JDK
+    mv ${jdkname} %{jdkimage}
+    mv ${jrename} %{jreimage}
+
+    popd #images
+
+}
+
+%if %{build_hotspot_first}
+  # Build a fresh libjvm.so first and use it to bootstrap
+  cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+  systemjdk=$(pwd)/newboot
+  buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal"
+  mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
+%else
+  systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+  if [ "x$suffix" = "x" ] ; then
+      debugbuild=release
+  else
+      # change --something to something
+      debugbuild=`echo $suffix  | sed "s/-//g"`
+  fi
+  # We build with internal debug symbols and do
+  # our own stripping for one version of the
+  # release build
+  debug_symbols=internal
+
+  builddir=%{buildoutputdir -- ${suffix}}
+  bootbuilddir=boot${builddir}
+  installdir=%{installoutputdir -- ${suffix}}
+  bootinstalldir=boot${installdir}
+  packagesdir=%{packageoutputdir -- ${suffix}}
+
+  link_opt="%{link_type}"
+%if %{system_libs}
+  # Copy the source tree so we can remove all in-tree libraries
+  cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+  # Remove all libraries that are linked
+  sh %{SOURCE12} %{top_level_dir_name} full
+%endif
+  # Debug builds don't need same targets as release for
+  # build speed-up. We also avoid bootstrapping these
+  # slower builds.
+  if echo $debugbuild | grep -q "debug" ; then
+      maketargets="%{debug_targets}"
+      run_bootstrap=false
+  else
+      maketargets="%{release_targets}"
+      run_bootstrap=%{bootstrap_build}
+  fi
+  if ${run_bootstrap} ; then
+      buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols}
+      installjdk ${bootbuilddir} ${bootinstalldir}
+      buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
+      stripjdk ${builddir}
+      installjdk ${builddir} ${installdir}
+      %{!?with_artifacts:rm -rf ${bootinstalldir}}
+  else
+      buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
+      stripjdk ${builddir}
+      installjdk ${builddir} ${installdir}
+  fi
+  packagejdk ${installdir} ${packagesdir}
+
+%if %{system_libs}
+  # Restore original source tree we modified by removing full in-tree sources
+  rm -rf %{top_level_dir_name}
+  mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as  top_dir_abs_staticlibs_build_path
+top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Pre-test setup
+
+# System security properties are disabled by default on portable.
+# Turn on system security properties
+#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+#${JAVA_HOME}/conf/security/java.security
+
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+# Specific to portable:System security properties to be off by default
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+%if ! 0%{?flatpak}
+# Check translations are available for new timezones (during flatpak builds, the
+# tzdb.dat used by this test is not where the test expects it, so this is
+# disabled for flatpak builds)
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+ls -l $STATIC_LIBS_HOME
+ls -l $STATIC_LIBS_HOME/lib
+# they are here, but grep do not find the remainders
+#readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+#readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+# Release builds strip the debug symbols into external .debuginfo files
+if [ "x$suffix" = "x" ] ; then
+  so_suffix="debuginfo"
+else
+  so_suffix="so"
+fi
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+  if [ -f "$lib" ] ; then
+    echo "Testing $lib for debug symbols"
+    # All these tests rely on RPM failing the build if the exit code of any set
+    # of piped commands is non-zero.
+
+    # Test for .debug_* sections in the shared object. This is the main test
+    # Stripped objects will not contain these
+    eu-readelf -S "$lib" | grep "] .debug_"
+    test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+    # Test FILE symbols. These will most likely be removed by anything that
+    # manipulates symbol tables because it's generally useless. So a nice test
+    # that nothing has messed with symbols
+    old_IFS="$IFS"
+    IFS=$'\n'
+    for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT")
+    do
+     # We expect to see .cpp and .S files, except for architectures like aarch64 and
+     # s390 where we expect .o and .oS files
+      echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+    done
+    IFS="$old_IFS"
+
+    # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+    if [ "`basename $lib`" = "libjvm.so" ]; then
+      eu-readelf -s "$lib" | \
+        grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$"
+    fi
+
+    # Test that there are no .gnu_debuglink sections pointing to another
+    # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+    # no sense either
+    eu-readelf -S "$lib" | grep 'gnu'
+    if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+      echo "bad .gnu_debuglink section."
+      eu-readelf -x .gnu_debuglink "$lib"
+      false
+    fi
+  fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" < - 1:17.0.10.0.7-1
+- Rebuilt for MSVSphere 9.3
+
+* Thu Jan 11 2024 Andrew Hughes  - 1:17.0.10.0.7-1
+- Update to jdk-17.0.10+7 (GA)
+- Update release notes to 17.0.10+7
+- Move to -P usage for patch macro which works on all RPM versions
+- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Thu Jan 11 2024 Thomas Fitzsimmons  - 1:17.0.10.0.6-0.1.ea
+- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST
+- generate_source_tarball.sh: Remove unneeded FIXME
+
+* Thu Jan 11 2024 Andrew Hughes  - 1:17.0.10.0.6-0.1.ea
+- Update release notes to 17.0.10+6
+- Revert change to patch macro due to failure on RHEL 8
+- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility
+
+* Tue Jan  9 2024 Thomas Fitzsimmons  - 1:17.0.10.0.6-0.1.ea
+- Update to jdk-17.0.10+6 (EA)
+- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
+- generate_source_tarball.sh: Add WITH_TEMP environment variable
+- generate_source_tarball.sh: Multithread xz on all available cores
+- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
+- generate_source_tarball.sh: Update comment about tarball naming
+- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
+- generate_source_tarball.sh: Set compile-command in Emacs
+- generate_source_tarball.sh: Reformat comment header
+- generate_source_tarball.sh: Reformat and update help output
+- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
+- generate_source_tarball.sh: Do a shallow clone, for speed
+- generate_source_tarball.sh: Append -ea designator when required
+- generate_source_tarball.sh: Eliminate some removal prompting
+- generate_source_tarball.sh: Make tarball reproducible
+- generate_source_tarball.sh: Prefix temporary directory with temp-
+- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash
+- generate_source_tarball.sh: shellcheck: Double-quote variable references
+- generate_source_tarball.sh: shellcheck: Do not use -a
+- generate_source_tarball.sh: shellcheck: Do not use $ in expression
+- generate_source_tarball.sh: Remove temporary directory exit conditions
+
+* Sat Oct 28 2023 Andrew Hughes  - 1:17.0.9.0.9-2
+- Add missing CVE and release note to sync local NEWS with upstream release announcements
+
+* Thu Oct 12 2023 Andrew Hughes  - 1:17.0.9.0.9-1
+- Update to jdk-17.0.9+9 (GA)
+- Update release notes to 17.0.9+9
+- Re-generate FIPS patch against 17.0.9+1 following backport of JDK-8209398
+- Bump libpng version to 1.6.39 following JDK-8305815
+- Bump HarfBuzz version to 7.2.0 following JDK-8307301
+- Bump freetype version to 2.13.0 following JDK-8306881
+- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
+- Sync generate_tarball.sh with 11u version
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Use upstream release URL for OpenJDK source
+- Apply all patches using -p1
+- Temporarily turn off 'fresh_libjvm' due to removal of JVM_IsThreadAlive (JDK-8305425)
+- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
+
+* Sat Sep 02 2023 Andrew Hughes  - 1:17.0.8.1.1-1
+- Update to jdk-17.0.8.1+1 (GA)
+- Update release notes to 17.0.8.1+1
+- Add backport of JDK-8312489 already upstream in 17.0.10 (see OPENJDK-2095)
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+
+* Fri Jul 14 2023 Andrew Hughes  - 1:17.0.8.0.7-1
+- Update to jdk-17.0.8+7 (GA)
+- Update release notes to 17.0.8+7
+- Switch to GA mode for final release.
+- * This tarball is embargoed until 2023-07-18 @ 1pm PT. *
+
+* Thu Jul 13 2023 Andrew Hughes  - 1:17.0.8.0.6-0.1.ea
+- Update to jdk-17.0.8+6 (EA)
+- Update release notes to 17.0.8+6
+
+* Thu Jul 13 2023 Andrew Hughes  - 1:17.0.8.0.1-0.3.ea
+- Make sure the unstripped JDK is customised by the installjdk function
+
+* Wed Jul 12 2023 Andrew Hughes  - 1:17.0.8.0.1-0.2.ea
+- Rebuild jmods using the stripped binaries in release builds
+- Resolves: OPENJDK-1974
+
+* Tue Jul 04 2023 Andrew Hughes  - 1:17.0.8.0.1-0.1.ea
+- Use absolute path to tapset directory
+- Drop unused globals for tapset installation
+
+* Tue Jul 04 2023 Andrew Hughes  - 1:17.0.8.0.1-0.1.ea
+- Re-enable SystemTap support and perform only substitutions possible without final NVR available
+- Depend on graphviz & pandoc for full documentation support
+- Fix typo which stops the EA designator being included in the build
+- Include tapsets in the miscellaneous tarball
+
+* Mon Jul 03 2023 Andrew Hughes  - 1:17.0.8.0.1-0.1.ea
+- Update to jdk-17.0.8+1 (EA)
+- Update release notes to 17.0.8+1
+- Switch to EA mode
+- Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 17.0.8+1
+- Bump bundled LCMS version to 2.15 as in jdk-17.0.8+1.
+- Bump bundled HarfBuzz version to 7.0.1 as in jdk-17.0.8+1
+
+* Tue Apr 25 2023 Andrew Hughes  - 1:17.0.7.0.7-2
+- Update to jdk-17.0.7.0+7
+- Update release notes to 17.0.7.0+7
+- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
+- Reintroduce generate_source_tarball.sh from RHEL 9
+- Update generate_tarball.sh to add support for passing a boot JDK to the configure run
+- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
+- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
+- Update FIPS support against 17.0.7+6 and bring in latest changes:
+- * RH2134669: Add missing attributes when registering services in FIPS mode.
+- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+- * RH1940064: Enable XML Signature provider in FIPS mode
+- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
+- Fix trailing '.' in tarball name
+- Use rpmrelease in vendor version to avoid inclusion of dist tag
+- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
+- Resolves: rhbz#2185182
+- Resolves: rhbz#2134669
+- Resolves: rhbz#1940064
+- Resolves: rhbz#2173781
+
+* Thu Apr 20 2023 Andrew Hughes  - 1:17.0.6.0.10-7
+- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8
+- Restore system bootstrap JDK (RHEL 8 has java-17-openjdk)
+- Remove use of devtoolset (RHEL 8 native compilers should be sufficient)
+- Explicitly exclude x86, as on RHEL RPMs
+
+* Tue Feb 21 2023 Andrew Hughes  - 1:17.0.6.0.10-6
+- Add docs, icons and samples to the portable output
+- Make sure generated checksums work and don't include full path
+- The docs directory is a subdirectory of images, so remove confusing separate copying
+
+* Wed Feb 15 2023 Andrew Hughes  - 1:17.0.6.0.10-5
+- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build
+- Restore compiler flags to those used in RHEL
+- Drop unused static library patch
+- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago
+
+* Tue Feb 14 2023 Andrew Hughes  - 1:17.0.6.0.10-4
+- Separate JDK packaging into a separate function
+- Use variables to make it clearer what is going on
+- Use a package output directory as we do for building and installing
+- Workaround missing manpage directory in the JRE image
+
+* Sun Feb 12 2023 Andrew Hughes  - 1:17.0.6.0.10-3
+- Adapt the portable build to use the same system library handling as RHEL builds
+
+* Sat Jan 14 2023 Andrew Hughes  - 1:17.0.6.0.10-3
+- Add missing release note for JDK-8295687
+- Resolves: rhbz#2160111
+
+* Fri Jan 13 2023 Andrew Hughes  - 1:17.0.6.0.10-2
+- Update FIPS support to bring in latest changes
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- * OJ1357: Fix issue on FIPS with a SecurityManager in place
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
+- Resolves: rhbz#2118493
+
+* Fri Jan 13 2023 Stephan Bergmann  - 1:17.0.6.0.10-2
+- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
+- Related: rhbz#2160111
+
+* Wed Jan 11 2023 Andrew Hughes  - 1:17.0.6.0.10-1
+- Update to jdk-17.0.6.0+10
+- Update release notes to 17.0.6.0+10
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Drop JDK-8275535 local patch now this has been accepted and backported upstream
+- Drop local copy of JDK-8293834 now this is upstream
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. **
+- Resolves: rhbz#2160111
+
+* Sat Oct 15 2022 Andrew Hughes  - 1:17.0.5.0.8-2
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- Related: rhbz#2160111
+
+* Thu Oct 13 2022 Andrew Hughes  - 1:17.0.5.0.8-1
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
+- Resolves: rhbz#2133695
+
+* Fri Sep 02 2022 Andrew Hughes  - 1:17.0.4.1.1-2
+- Update FIPS support to bring in latest changes
+- * RH2023467: Enable FIPS keys export
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2123579
+- Resolves: rhbz#2123580
+- Resolves: rhbz#2123581
+- Resolves: rhbz#2123583
+- Resolves: rhbz#2123584
+
+* Sun Aug 21 2022 Jayashree Huttanagoudar  - 1:17.0.4.1.1-1
+- Added a missing change to portable NEWS file from upstream.
+
+* Sun Aug 21 2022 Andrew Hughes  - 1:17.0.4.1.1-1
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119532
+
+* Mon Jul 18 2022 Jayashree Huttanagoudar  - 1:17.0.4.0.8-1
+- Commented out: fipsver f8142a23d0a which was from rhel-9-main
+- Picked 17.0.4+8 GA tag from rhel-9.0.0
+- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0
+
+* Mon Jul 18 2022 Andrew Hughes  - 1:17.0.4.0.8-1
+- Update to jdk-17.0.4.0+8 (GA)
+- Update release notes to 17.0.4.0+8
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. **
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar  - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2084779
+
+* Tue Jul 12 2022 Jayashree Huttanagoudar  - 1:17.0.4.0.1-0.1.ea
+- Tweaked line to print release information for portable
+
+* Tue Jul 12 2022 Andrew Hughes  - 1:17.0.4.0.1-0.1.ea
+- Update to jdk-17.0.4.0+1
+- Update release notes to 17.0.4.0+1
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+- Related: rhbz#2084218
+
+* Thu Jun 30 2022 Jayashree Huttanagoudar  - 1:17.0.3.0.7-8
+- Comment line for portable: System security properties to be off by default
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet  - 1:17.0.3.0.7-8
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102433
+
+* Wed Jun 29 2022 Jayashree Huttanagoudar  - 1:17.0.3.0.7-7
+- System security properties are disabled by default on portable.
+- Commented out lines which are not applicable for portable.
+
+* Wed Jun 29 2022 Andrew Hughes  - 1:17.0.3.0.7-7
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099844
+- Resolves: rhbz#2100677
+
+* Tue Jun 28 2022 Jayashree Huttanagoudar  - 1:17.0.3.0.7-6
+- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch
+
+* Sun Jun 12 2022 Andrew Hughes  - 1:17.0.3.0.7-6
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+- Resolves: rhbz#2029657
+- Resolves: rhbz#2096117
+
+* Wed May 25 2022 Andrew Hughes  - 1:17.0.3.0.7-5
+- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build
+
+* Tue May 24 2022 Jiri Vanek  - 1:17.0.3.0.7-4
+- to pass aqa, fixing genuie failure in :
+- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions
+- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions
+- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch
+- this, properly named, patch must go to all our jdk17 builds, and to the fips repo
+
+* Thu May 19 2022 Jiri Vanek  - 1:17.0.3.0.7-3
+- to pass aqa:
+- removed copy system tzdb in favour of in-tree
+- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch
+- This is not intended to release untill we decide proper steps
+
+* Thu May 19 2022 Jayashree Huttanagoudar  - 1:17.0.3.0.7-2
+- Include BOOT_JDK for s390x for portable
+- BOOT_JDK downlaoded form hydra as
+  java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz
+  and renamed
+- Added cosmetic changes to bypass a failure for s390x
+
+* Wed Apr 20 2022 Andrew Hughes  - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Remove JDK-8284548 and JDK-8284920 they are upstreamed now
+- Resolves: rhbz#2073579
+
+* Sat Apr 16 2022 Andrew Hughes  - 1:17.0.3.0.6-3
+- Add JDK-8284920 fix for XPath regression
+- Related: rhbz#2073575
+
+* Fri Apr 15 2022 Andrew Hughes  - 1:17.0.3.0.6-2
+- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit
+- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476
+- Related: rhbz#2073575
+
+* Mon Apr 11 2022 Andrew Hughes  - 1:17.0.3.0.6-1
+- April 2022 security update to jdk 17.0.3+6
+- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408)
+- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga
+- Update release notes to 17.0.3.0+6
+- Add missing README.md and generate_source_tarball.sh
+- Introduce tests/tests.yml, based on the one in java-11-openjdk
+- JDK-8283911 patch no longer needed now we're GA...
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. **
+- Resolves: rhbz#2073575
+
+* Wed Apr 06 2022 Andrew Hughes  - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+- Resolves: rhbz#2050460
+
+* Tue Mar 29 2022 Andrew Hughes  - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+- Related: rhbz#2050456
+
+* Mon Feb 28 2022 Jayashree Huttanagoudar  - 1:17.0.2.0.8-10
+- Update icedtea_sync.sh with suitable message for portable
+
+* Mon Feb 28 2022 Andrew Hughes  - 1:17.0.2.0.8-10
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Handle Fedora in distro conditionals that currently only pertain to RHEL.
+- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
+- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Resolves: rhbz#2022822
+
+* Mon Feb 28 2022 Andrew Hughes  - 1:17.0.2.0.8-9
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Correction to previous changelog entry
+- Resolves: rhbz#2052070
+
+* Sun Feb 27 2022 Andrew Hughes  - 1:17.0.2.0.8-8
+- Detect NSS at runtime for FIPS detection
+- Resolves: rhbz#2051605
+
+* Wed Feb 23 2022 Andrew Hughes  - 1:17.0.2.0.8-7
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053521
+
+* Tue Feb 08 2022 Andrew Hughes  - 1:17.0.2.0.8-6
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes  - 1:17.0.2.0.8-5
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes  - 1:17.0.2.0.8-4
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2022822
+
+* Tue Jan 18 2022 Andrew Hughes  - 1:17.0.2.0.8-3
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+
+* Mon Jan 17 2022 Andrew Hughes  - 1:17.0.2.0.8-2
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Related: rhbz#2039366
+
+* Wed Jan 12 2022 Andrew Hughes  - 1:17.0.2.0.8-1
+- January 2022 security update to jdk 17.0.2+8
+- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
+- Resolves: rhbz#2039366
+- Minor change to the OUTPUT_FILE value to separate the name from the version with '-'
+
+* Mon Nov 29 2021 Severin Gehwolf  - 1:17.0.1.0.12-3
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+  secmod.db file as part of nss
+- Resolves: rhbz#2023537
+
+* Tue Oct 26 2021 Andrew Hughes  - 1:17.0.1.0.12-2
+- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
+- October CPU update to jdk 17.0.1+12
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Add patch to allow plain key import.
+
+* Mon Oct 25 2021 Jiri Vanek  - 1:17.0.0.0.35-5
+- cacerts symlink is resolved before passed to configure
+- https://issues.redhat.com/browse/OPENJDK-487
+- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS
+-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss
+-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started
+
+* Thu Sep 30 2021 Jiri Vanek  - 1:17.0.0.0.35-4
+- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7
diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec
deleted file mode 120000
index 50eeed6..0000000
--- a/SPECS/java-17-openjdk.spec
+++ /dev/null
@@ -1 +0,0 @@
-../SOURCES/java-17-openjdk-portable.specfile
\ No newline at end of file
diff --git a/SPECS/java-17-openjdk.spec~c8 b/SPECS/java-17-openjdk.spec~c8
deleted file mode 100644
index c13a0cc..0000000
--- a/SPECS/java-17-openjdk.spec~c8
+++ /dev/null
@@ -1,3512 +0,0 @@
-# To rebuild this RPM, you must first rebuild the portable
-# RPM using the java-17-openjdk-portable.specfile, install
-# it and then adjust portablerelease and portablesuffix
-# to match the new portable.
-
-# RPM conditionals so as to be able to dynamically produce
-# slowdebug/release builds. See:
-# http://rpm.org/user_doc/conditional_builds.html
-#
-# Examples:
-#
-# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
-# $ rpmbuild -ba java-17-openjdk.spec
-#
-# Produce only release builds (no debug builds) on x86_64:
-# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
-#
-# Only produce a release build on x86_64:
-# $ fedpkg mockbuild --without slowdebug --without fastdebug
-
-# Enable fastdebug builds by default on relevant arches.
-%bcond_without fastdebug
-# Enable slowdebug builds by default on relevant arches.
-%bcond_without slowdebug
-# Enable release builds by default on relevant arches.
-%bcond_without release
-# Enable static library builds by default.
-%bcond_without staticlibs
-# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
-%bcond_without fresh_libjvm
-# Build with system libraries
-%bcond_with system_libs
-
-# Workaround for stripping of debug symbols from static libraries
-%if %{with staticlibs}
-%define __brp_strip_static_archive %{nil}
-%global include_staticlibs 1
-%else
-%global include_staticlibs 0
-%endif
-
-# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
-%if %{with fresh_libjvm}
-%global build_hotspot_first 1
-%else
-%global build_hotspot_first 0
-%endif
-
-%if %{with system_libs}
-%global system_libs 1
-%global link_type system
-%global freetype_lib %{nil}
-%else
-%global system_libs 0
-%global link_type bundled
-%global freetype_lib |libfreetype[.]so.*
-%endif
-
-# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
-# This fixes detailed NMT and other tools which need minimal debug info.
-# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
-%global _find_debuginfo_opts -g
-
-# With LTO flags enabled, debuginfo checks fail for some reason. Disable
-# LTO for a passing build. This really needs to be looked at.
-%define _lto_cflags %{nil}
-
-# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
-# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
-# see the difference between global and define:
-# See https://github.com/rpm-software-management/rpm/issues/127 to comments at  "pmatilai commented on Aug 18, 2017"
-# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
-%global debug_suffix_unquoted -slowdebug
-%global fastdebug_suffix_unquoted -fastdebug
-# quoted one for shell operations
-%global debug_suffix "%{debug_suffix_unquoted}"
-%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
-%global normal_suffix ""
-
-%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
-%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
-%global debug_on unoptimised with full debugging on
-%global fastdebug_on optimised with full debugging on
-%global for_fastdebug for packages with debugging on and optimisation
-%global for_debug for packages with debugging on and no optimisation
-
-%if %{with release}
-%global include_normal_build 1
-%else
-%global include_normal_build 0
-%endif
-
-%if %{include_normal_build}
-%global normal_build %{normal_suffix}
-%else
-%global normal_build %{nil}
-%endif
-
-# We have hardcoded list of files, which  is appearing in alternatives, and in files
-# in alternatives those are slaves and master, very often triplicated by man pages
-# in files all masters and slaves are ghosted
-# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
-# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
-# TODO - fix those hardcoded lists via single list
-# Those files must *NOT* be ghosted for *slowdebug* packages
-# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
-# you can check via headless and devels:
-#    rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
-# == rpm -ql           java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
-# != rpm -ql           java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
-# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
-%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
-
-# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
-# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
-%global is_system_jdk 0
-
-%global aarch64         aarch64 arm64 armv8
-# we need to distinguish between big and little endian PPC64
-%global ppc64le         ppc64le
-%global ppc64be         ppc64 ppc64p7
-# Set of architectures which support multiple ABIs
-%global multilib_arches %{power64} sparc64 x86_64
-# Set of architectures for which we build slowdebug builds
-%global debug_arches    %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
-# Set of architectures for which we build fastdebug builds
-%global fastdebug_arches x86_64 ppc64le aarch64
-# Set of architectures with a Just-In-Time (JIT) compiler
-%global jit_arches      %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
-# Set of architectures which use the Zero assembler port (!jit_arches)
-%global zero_arches ppc s390
-# Set of architectures which run a full bootstrap cycle
-%global bootstrap_arches %{jit_arches}
-# Set of architectures which support SystemTap tapsets
-%global systemtap_arches %{jit_arches}
-# Set of architectures with a Ahead-Of-Time (AOT) compiler
-%global aot_arches      x86_64 %{aarch64}
-# Set of architectures which support the serviceability agent
-%global sa_arches       %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
-# Set of architectures which support class data sharing
-# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific
-# However, it does segfault on the Zero assembler port, so currently JIT only
-%global share_arches    %{jit_arches}
-# Set of architectures for which we build the Shenandoah garbage collector
-%global shenandoah_arches x86_64 %{aarch64}
-# Set of architectures for which we build the Z garbage collector
-%global zgc_arches x86_64
-# Set of architectures for which alt-java has SSB mitigation
-%global ssbd_arches x86_64
-# Set of architectures for which java has short vector math library (libjsvml.so)
-%global svml_arches x86_64
-# Set of architectures where we verify backtraces with gdb
-%global gdb_arches %{jit_arches} %{zero_arches}
-
-# By default, we build a debug build during main build on JIT architectures
-%if %{with slowdebug}
-%ifarch %{debug_arches}
-%global include_debug_build 1
-%else
-%global include_debug_build 0
-%endif
-%else
-%global include_debug_build 0
-%endif
-
-# On certain architectures, we compile the Shenandoah GC
-%ifarch %{shenandoah_arches}
-%global use_shenandoah_hotspot 1
-%else
-%global use_shenandoah_hotspot 0
-%endif
-
-# By default, we build a fastdebug build during main build only on fastdebug architectures
-%if %{with fastdebug}
-%ifarch %{fastdebug_arches}
-%global include_fastdebug_build 1
-%else
-%global include_fastdebug_build 0
-%endif
-%else
-%global include_fastdebug_build 0
-%endif
-
-%if %{include_debug_build}
-%global slowdebug_build %{debug_suffix}
-%else
-%global slowdebug_build %{nil}
-%endif
-
-%if %{include_fastdebug_build}
-%global fastdebug_build %{fastdebug_suffix}
-%else
-%global fastdebug_build %{nil}
-%endif
-
-# If you disable all builds, then the build fails
-# Build and test slowdebug first as it provides the best diagnostics
-%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
-
-%if 0%{?flatpak}
-%global bootstrap_build false
-%else
-%ifarch %{bootstrap_arches}
-%global bootstrap_build true
-%else
-%global bootstrap_build false
-%endif
-%endif
-
-%if %{include_staticlibs}
-# Extra target for producing the static-libraries. Separate from
-# other targets since this target is configured to use in-tree
-# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
-# and possibly others
-%global static_libs_target static-libs-image
-%else
-%global static_libs_target %{nil}
-%endif
-
-# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
-%global debug_symbols internal
-
-# unlike portables,the rpms have to use static_libs_target very dynamically
-%global bootstrap_targets images
-%global release_targets images docs-zip
-# No docs nor bootcycle for debug builds
-%global debug_targets images
-# Target to use to just build HotSpot
-%global hotspot_target hotspot
-
-# JDK to use for bootstrapping
-%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
-
-# VM variant being built
-# This is always 'server' on 17u which doesn't have JDK-8273494
-%global vm_variant server
-
-# debugedit tool for rewriting ELF file paths
-%global debugedit %{_rpmconfigdir}/debugedit
-
-# Filter out flags from the optflags macro that cause problems with the OpenJDK build
-# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
-# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
-# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
-# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
-%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
-%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
-%global ourldflags %{__global_ldflags}
-
-# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
-# the initialization must be here. Later the pkg-config have buggy behavior
-# looks like openjdk RPM specific bug
-# Always set this so the nss.cfg file is not broken
-%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
-
-# In some cases, the arch used by the JDK does
-# not match _arch.
-# Also, in some cases, the machine name used by SystemTap
-# does not match that given by _target_cpu
-%ifarch x86_64
-%global archinstall amd64
-%global stapinstall x86_64
-%endif
-%ifarch ppc
-%global archinstall ppc
-%global stapinstall powerpc
-%endif
-%ifarch %{ppc64be}
-%global archinstall ppc64
-%global stapinstall powerpc
-%endif
-%ifarch %{ppc64le}
-%global archinstall ppc64le
-%global stapinstall powerpc
-%endif
-%ifarch %{ix86}
-%global archinstall i686
-%global stapinstall i386
-%endif
-%ifarch ia64
-%global archinstall ia64
-%global stapinstall ia64
-%endif
-%ifarch s390
-%global archinstall s390
-%global stapinstall s390
-%endif
-%ifarch s390x
-%global archinstall s390x
-%global stapinstall s390
-%endif
-%ifarch %{arm}
-%global archinstall arm
-%global stapinstall arm
-%endif
-%ifarch %{aarch64}
-%global archinstall aarch64
-%global stapinstall arm64
-%endif
-# 32 bit sparc, optimized for v9
-%ifarch sparcv9
-%global archinstall sparc
-%global stapinstall %{_target_cpu}
-%endif
-# 64 bit sparc
-%ifarch sparc64
-%global archinstall sparcv9
-%global stapinstall %{_target_cpu}
-%endif
-# Need to support noarch for srpm build
-%ifarch noarch
-%global archinstall %{nil}
-%global stapinstall %{nil}
-%endif
-
-%ifarch %{systemtap_arches}
-%global with_systemtap 1
-%else
-%global with_systemtap 0
-%endif
-
-# New Version-String scheme-style defines
-%global featurever 17
-%global interimver 0
-%global updatever 8
-%global patchver 0
-# buildjdkver is usually same as %%{featurever},
-# but in time of bootstrap of next jdk, it is featurever-1,
-# and this it is better to change it here, on single place
-%global buildjdkver 17
-# We don't add any LTS designator for STS packages (Fedora and EPEL).
-# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
-%if 0%{?rhel} && !0%{?epel}
-  %global lts_designator "LTS"
-  %global lts_designator_zip -%{lts_designator}
-%else
- %global lts_designator ""
- %global lts_designator_zip ""
-%endif
-
-# Define vendor information used by OpenJDK
-%global oj_vendor Red Hat, Inc.
-%global oj_vendor_url https://www.redhat.com/
-# Define what url should JVM offer in case of a crash report
-# order may be important, epel may have rhel declared
-%if 0%{?epel}
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
-%else
-%if 0%{?fedora}
-# Does not work for rawhide, keeps the version field empty
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
-%else
-%if 0%{?rhel}
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
-%else
-%global oj_vendor_bug_url  https://bugzilla.redhat.com/enter_bug.cgi
-%endif
-%endif
-%endif
-%global oj_vendor_version (Red_Hat-%{version}-%{portablerelease})
-
-# Define IcedTea version used for SystemTap tapsets and desktop file
-%global icedteaver      6.0.0pre00-c848b93a8598
-# Define current Git revision for the FIPS support patches
-%global fipsver bf363eecce3
-
-# Standard JPackage naming and versioning defines
-%global origin          openjdk
-%global origin_nice     OpenJDK
-%global top_level_dir_name   %{origin}
-%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        7
-%global rpmrelease      2
-# Settings used by the portable build
-%global portablerelease 1
-%global portablesuffix el8
-%global portablebuilddir /builddir/build/BUILD
-
-# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
-%if %is_system_jdk
-# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
-# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
-# This means 11.0.9.0+11 would have had a priority of 11000911 as before
-# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
-%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
-%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
-%else
-# for techpreview, using 1, so slowdebugs can have 0
-%global priority %( printf '%08d' 1 )
-%endif
-%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-%global javaver         %{featurever}
-
-# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
-%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
-
-# The tag used to create the OpenJDK tarball
-%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
-
-# Define milestone (EA for pre-releases, GA for releases)
-# Release will be (where N is usually a number starting at 1):
-# - 0.N%%{?extraver}%%{?dist} for EA releases,
-# - N%%{?extraver}{?dist} for GA releases
-%global is_ga           1
-%if %{is_ga}
-%global build_type GA
-%global ea_designator ""
-%global ea_designator_zip ""
-%global extraver %{nil}
-%global eaprefix %{nil}
-%else
-%global build_type EA
-%global ea_designator ea
-%global ea_designator_zip -%{ea_designator}
-%global extraver .%{ea_designator}
-%global eaprefix 0.
-%endif
-
-# parametrized macros are order-sensitive
-%global compatiblename  java-%{featurever}-%{origin}
-%global fullversion     %{compatiblename}-%{version}-%{release}
-# images directories from upstream build
-%global jdkimage                jdk
-%global static_libs_image       static-libs
-# output dir stub
-%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
-# we can copy the javadoc to not arched dir, or make it not noarch
-%define uniquejavadocdir()    %{expand:%{fullversion}.%{_arch}%{?1}}
-# main id and dir of this jdk
-%define uniquesuffix()        %{expand:%{fullversion}.%{_arch}%{?1}}
-
-#################################################################
-# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
-#         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
-#         https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
-%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
-%if %is_system_jdk
-%global __provides_exclude ^(%{_privatelibs})$
-%global __requires_exclude ^(%{_privatelibs})$
-# Never generate lib-style provides/requires for any debug packages
-%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
-%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
-%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
-%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
-%else
-# Don't generate provides/requires for JDK provided shared libraries at all.
-%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
-%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
-%endif
-
-
-%global etcjavasubdir     %{_sysconfdir}/java/java-%{javaver}-%{origin}
-%define etcjavadir()      %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
-# Standard JPackage directories and symbolic links.
-%define sdkdir()        %{expand:%{uniquesuffix -- %{?1}}}
-%define jrelnk()        %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
-
-%define sdkbindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
-%define jrebindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
-
-%global alt_java_name     alt-java
-
-%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
-
-# For flatpack builds hard-code /usr/sbin/alternatives,
-# otherwise use %%{_sbindir} relative path.
-%if 0%{?flatpak}
-%global alternatives_requires /usr/sbin/alternatives
-%else
-%global alternatives_requires %{_sbindir}/alternatives
-%endif
-
-%global family %{name}.%{_arch}
-%global family_noarch  %{name}
-
-%if %{with_systemtap}
-# Where to install systemtap tapset (links)
-# We would like these to be in a package specific sub-dir,
-# but currently systemtap doesn't support that, so we have to
-# use the root tapset dir for now. To distinguish between 64
-# and 32 bit architectures we place the tapsets under the arch
-# specific dir (note that systemtap will only pickup the tapset
-# for the primary arch for now). Systemtap uses the machine name
-# aka target_cpu as architecture specific directory name.
-%global tapsetroot /usr/share/systemtap
-%global tapsetdirttapset %{tapsetroot}/tapset/
-%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
-%endif
-
-# not-duplicated scriptlets for normal/debug packages
-%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
-
-%define save_alternatives() %{expand:
-  # warning! alternatives are localised!
-  # LANG=cs_CZ.UTF-8  alternatives --display java | head
-  # LANG=en_US.UTF-8  alternatives --display java | head
-  function nonLocalisedAlternativesDisplayOfMaster() {
-    LANG=en_US.UTF-8 alternatives --display "$MASTER"
-  }
-  function headOfAbove() {
-    nonLocalisedAlternativesDisplayOfMaster | head -n $1
-  }
-  MASTER="%{?1}"
-  LOCAL_LINK="%{?2}"
-  FAMILY="%{?3}"
-  rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
-  if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
-      if headOfAbove 1 | grep -q manual ; then
-        if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
-           headOfAbove 2  > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
-        fi
-      fi
-  fi
-}
-
-%define save_and_remove_alternatives() %{expand:
-  if [ "x$debug"  == "xtrue" ] ; then
-    set -x
-  fi
-  upgrade1_uninstal0=%{?3}
-  if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
-    %{save_alternatives %{?1} %{?2} %{?4}}
-  fi
-  alternatives --remove  "%{?1}" "%{?2}"
-}
-
-%define set_if_needed_alternatives() %{expand:
-  MASTER="%{?1}"
-  FAMILY="%{?2}"
-  ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
-  if [ -e  "$ALTERNATIVES_FILE" ] ; then
-    rm "$ALTERNATIVES_FILE"
-    alternatives --set $MASTER $FAMILY
-  fi
-}
-
-
-%define post_script() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
-exit 0
-}
-
-%define alternatives_java_install() %{expand:
-if [ "x$debug"  == "xtrue" ] ; then
-  set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
-  let PRIORITY=PRIORITY-1
-fi
-
-ext=.gz
-key=java
-alternatives \\
-  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
-  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
-  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
-  --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
-  --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
-  --slave %{_mandir}/man1/java.1$ext java.1$ext \\
-  %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
-  %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
-  %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
-  %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
-
-%{set_if_needed_alternatives $key %{family}}
-
-for X in %{origin} %{javaver} ; do
-  key=jre_"$X"
-  alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
-  %{set_if_needed_alternatives $key %{family}}
-done
-
-key=jre_%{javaver}_%{origin}
-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{family}
-%{set_if_needed_alternatives $key %{family}}
-}
-
-%define post_headless() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
-
-# see pretrans where this file is declared
-# also see that pretrans is only for non-debug
-if [ ! "%{?1}" == %{debug_suffix} ]; then
-  if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
-    sh  %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch}  %{_jvmdir}/%{sdkdir -- %{?1}}
-  fi
-fi
-
-exit 0
-}
-
-%define postun_script() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-if [ $1 -eq 0 ] ; then
-    /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
-    %{update_desktop_icons}
-fi
-exit 0
-}
-
-
-%define postun_headless() %{expand:
-  if [ "x$debug"  == "xtrue" ] ; then
-    set -x
-  fi
-  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-  %{save_and_remove_alternatives  java  %{jrebindir -- %{?1}}/java $post_state %{family}}
-  %{save_and_remove_alternatives  jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
-  %{save_and_remove_alternatives  jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
-  %{save_and_remove_alternatives  jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
-}
-
-%define posttrans_script() %{expand:
-%{update_desktop_icons}
-}
-
-
-%define alternatives_javac_install() %{expand:
-if [ "x$debug"  == "xtrue" ] ; then
-  set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
-  let PRIORITY=PRIORITY-1
-fi
-
-ext=.gz
-key=javac
-alternatives \\
-  --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{family} \\
-  --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
-  --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
-  --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
-%ifarch %{sa_arches}
-%ifnarch %{zero_arches}
-  --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
-%endif
-%endif
-  --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
-  --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
-  --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
-  --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
-  --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
-  --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
-  --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
-  --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
-  --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
-  --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
-  --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
-  --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
-  --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
-  --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
-  --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
-  --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
-  --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
-  --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
-  --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
-  --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
-  --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
-  --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
-  %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
-  %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
-  %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
-  %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
-  %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
-  %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
-  %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
-  %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
-  %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
-  %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
-  %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
-  %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
-  %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
-  %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
-  %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
-  %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
-  %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
-  %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
-
-%{set_if_needed_alternatives  $key %{family}}
-
-for X in %{origin} %{javaver} ; do
-  key=java_sdk_"$X"
-  alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
-  %{set_if_needed_alternatives  $key %{family}}
-done
-
-key=java_sdk_%{javaver}_%{origin}
-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
-%{set_if_needed_alternatives  $key %{family}}
-}
-
-%define post_devel() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
-
-exit 0
-}
-
-%define postun_devel() %{expand:
-  if [ "x$debug"  == "xtrue" ] ; then
-    set -x
-  fi
-  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-  %{save_and_remove_alternatives  javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
-  %{save_and_remove_alternatives  java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
-  %{save_and_remove_alternatives  java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
-  %{save_and_remove_alternatives  java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
-
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-
-if [ $1 -eq 0 ] ; then
-    /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
-    %{update_desktop_icons}
-fi
-exit 0
-}
-
-%define posttrans_devel() %{expand:
-%{alternatives_javac_install --  %{?1}}
-%{update_desktop_icons}
-}
-
-%define alternatives_javadoc_install() %{expand:
-if [ "x$debug"  == "xtrue" ] ; then
-  set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
-  let PRIORITY=PRIORITY-1
-fi
-
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY  --family %{family_noarch}
-%{set_if_needed_alternatives  $key %{family_noarch}}
-exit 0
-}
-
-%define postun_javadoc() %{expand:
-if [ "x$debug"  == "xtrue" ] ; then
-  set -x
-fi
-  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-  %{save_and_remove_alternatives  javadocdir  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
-exit 0
-}
-
-%define alternatives_javadoczip_install() %{expand:
-if [ "x$debug"  == "xtrue" ] ; then
-  set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
-  let PRIORITY=PRIORITY-1
-fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY  --family %{family_noarch}
-%{set_if_needed_alternatives  $key %{family_noarch}}
-exit 0
-}
-
-%define postun_javadoc_zip() %{expand:
-  if [ "x$debug"  == "xtrue" ] ; then
-    set -x
-  fi
-  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-  %{save_and_remove_alternatives  javadoczip  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
-exit 0
-}
-
-%define files_jre() %{expand:
-%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
-}
-
-
-%define files_jre_headless() %{expand:
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
-%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md
-%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile
-%dir %{_sysconfdir}/.java/.systemPrefs
-%dir %{_sysconfdir}/.java
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}
-%{_jvmdir}/%{sdkdir -- %{?1}}/release
-%{_jvmdir}/%{jrelnk -- %{?1}}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
-%ifarch %{jit_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
-%if ! %{system_libs}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
-# Some architectures don't have the serviceability agent
-%ifarch %{sa_arches}
-%ifnarch %{zero_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
-%endif
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
-%ifarch %{svml_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
-%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/
-%ifarch %{share_arches}
-%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes.jsa
-%ifnarch %{ix86} %{arm32}
-%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes_nocoops.jsa
-%endif
-%endif
-%dir %{etcjavasubdir}
-%dir %{etcjavadir -- %{?1}}
-%dir %{etcjavadir -- %{?1}}/lib
-%dir %{etcjavadir -- %{?1}}/lib/security
-%{etcjavadir -- %{?1}}/lib/security/cacerts
-%dir %{etcjavadir -- %{?1}}/conf
-%dir %{etcjavadir -- %{?1}}/conf/sdp
-%dir %{etcjavadir -- %{?1}}/conf/management
-%dir %{etcjavadir -- %{?1}}/conf/security
-%dir %{etcjavadir -- %{?1}}/conf/security/policy
-%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
-%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
-%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
-%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
- %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
-# This is a config template, thus not config-noreplace
-%config  %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
-%config  %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
-%{_jvmdir}/%{sdkdir -- %{?1}}/conf
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_bindir}/java
-%ghost %{_bindir}/%{alt_java_name}
-%ghost %{_jvmdir}/jre
-%ghost %{_bindir}/keytool
-%ghost %{_bindir}/pack200
-%ghost %{_bindir}/rmid
-%ghost %{_bindir}/rmiregistry
-%ghost %{_bindir}/unpack200
-%ghost %{_jvmdir}/jre-%{origin}
-%ghost %{_jvmdir}/jre-%{javaver}
-%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
-%endif
-%endif
-# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
-%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
-%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
-}
-
-%define files_devel() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
-# Some architectures don't have the serviceability agent
-%ifarch %{sa_arches}
-%ifnarch %{zero_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
-%endif
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
-%{_jvmdir}/%{sdkdir -- %{?1}}/include
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
-%if %{with_systemtap}
-%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
-%endif
-%{_datadir}/applications/*jconsole%{?1}.desktop
-%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
-
-%if %{with_systemtap}
-%dir %{tapsetroot}
-%dir %{tapsetdirttapset}
-%dir %{tapsetdir}
-%{tapsetdir}/*%{_arch}%{?1}.stp
-%endif
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_bindir}/javac
-%ghost %{_jvmdir}/java
-%ghost %{_jvmdir}/%{alt_java_name}
-%ghost %{_bindir}/jlink
-%ghost %{_bindir}/jmod
-%ghost %{_bindir}/jhsdb
-%ghost %{_bindir}/jar
-%ghost %{_bindir}/jarsigner
-%ghost %{_bindir}/javadoc
-%ghost %{_bindir}/javap
-%ghost %{_bindir}/jcmd
-%ghost %{_bindir}/jconsole
-%ghost %{_bindir}/jdb
-%ghost %{_bindir}/jdeps
-%ghost %{_bindir}/jdeprscan
-%ghost %{_bindir}/jimage
-%ghost %{_bindir}/jinfo
-%ghost %{_bindir}/jmap
-%ghost %{_bindir}/jps
-%ghost %{_bindir}/jrunscript
-%ghost %{_bindir}/jshell
-%ghost %{_bindir}/jstack
-%ghost %{_bindir}/jstat
-%ghost %{_bindir}/jstatd
-%ghost %{_bindir}/serialver
-%ghost %{_jvmdir}/java-%{origin}
-%ghost %{_jvmdir}/java-%{javaver}
-%ghost %{_jvmdir}/java-%{javaver}-%{origin}
-%endif
-%endif
-}
-
-%define files_jmods() %{expand:
-%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
-}
-
-%define files_demo() %{expand:
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%{_jvmdir}/%{sdkdir -- %{?1}}/demo
-%{_jvmdir}/%{sdkdir -- %{?1}}/sample
-}
-
-%define files_src() %{expand:
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
-}
-
-%define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
-}
-
-%define files_javadoc() %{expand:
-%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_javadocdir}/java
-%endif
-%endif
-}
-
-%define files_javadoc_zip() %{expand:
-%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_javadocdir}/java-zip
-%endif
-%endif
-}
-
-# x86 is not supported by OpenJDK 17
-ExcludeArch: %{ix86}
-
-# not-duplicated requires/provides/obsoletes for normal/debug packages
-%define java_rpo() %{expand:
-Requires: fontconfig%{?_isa}
-Requires: xorg-x11-fonts-Type1
-# Require libXcomposite explicitly since it's only dynamically loaded
-# at runtime. Fixes screenshot issues. See JDK-8150954.
-Requires: libXcomposite%{?_isa}
-# Requires rest of java
-Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-# for java-X-openjdk package's desktop binding
-# Where recommendations are available, recommend Gtk+ for the Swing look and feel
-%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
-Recommends: gtk3%{?_isa}
-%endif
-
-Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-
-# Standard JPackage base provides
-Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_headless_rpo() %{expand:
-# Require /etc/pki/java/cacerts
-Requires: ca-certificates
-# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
-Requires: javapackages-filesystem
-# Require zone-info data provided by tzdata-java sub-package
-# 2022g required as of JDK-8297804
-Requires: tzdata-java >= 2022g
-# for support of kernel stream control
-# libsctp.so.1 is being `dlopen`ed on demand
-Requires: lksctp-tools%{?_isa}
-%if ! 0%{?flatpak}
-# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
-# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
-# considered as regression
-Requires: copy-jdk-configs >= 3.3
-OrderWithRequires: copy-jdk-configs
-%endif
-# for printing support
-Requires: cups-libs
-# for system security properties
-Requires: crypto-policies
-# for FIPS PKCS11 provider
-Requires: nss
-# Post requires alternatives to install tool alternatives
-Requires(post):   %{alternatives_requires}
-# Postun requires alternatives to uninstall tool alternatives
-Requires(postun): %{alternatives_requires}
-# Where suggestions are available, recommend the sctp and pcsc libraries
-# for optional support of kernel stream control and card reader
-%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
-Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
-%endif
-
-# Standard JPackage base provides
-Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_devel_rpo() %{expand:
-# Requires base package
-Requires:         %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-# Post requires alternatives to install tool alternatives
-Requires(post):   %{alternatives_requires}
-# Postun requires alternatives to uninstall tool alternatives
-Requires(postun): %{alternatives_requires}
-
-# Standard JPackage devel provides
-Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_static_libs_rpo() %{expand:
-Requires:         %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-}
-
-%define java_jmods_rpo() %{expand:
-# Requires devel package
-# as jmods are bytecode, they should be OK without any _isa
-Requires:         %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
-
-Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_demo_rpo() %{expand:
-Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-
-Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_javadoc_rpo() %{expand:
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-# Post requires alternatives to install javadoc alternative
-Requires(post):   %{alternatives_requires}
-# Postun requires alternatives to uninstall javadoc alternative
-Requires(postun): %{alternatives_requires}
-
-# Standard JPackage javadoc provides
-Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_src_rpo() %{expand:
-Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-
-# Standard JPackage sources provides
-Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-# Prevent brp-java-repack-jars from being run
-%global __jar_repack 0
-
-Name:    java-%{javaver}-%{origin}
-Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
-# Equivalent for the portable build
-%global prelease %{?eaprefix}%{portablerelease}%{?extraver}
-# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
-# and this change was brought into RHEL-4. java-1.5.0-ibm packages
-# also included the epoch in their virtual provides. This created a
-# situation where in-the-wild java-1.5.0-ibm packages provided "java =
-# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
-# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
-# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
-# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
-# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
-
-Epoch:   1
-Summary: %{origin_nice} %{featurever} Runtime Environment
-# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-# HotSpot code is licensed under GPLv2
-# JDK library code is licensed under GPLv2 with the Classpath exception
-# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
-# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
-# The JSR166 concurrency code is in the public domain
-# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
-# The OpenJDK source tree includes:
-# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
-# - freetype (FTL), jline (BSD) and LCMS (MIT)
-# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
-# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
-# The test code includes copies of NSS under the Mozilla Public License v2.0
-# The PCSClite headers are under a BSD with advertising license
-# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
-License:  ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
-URL:      http://openjdk.java.net/
-
-
-# The source tarball, generated using generate_source_tarball.sh
-Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
-
-# Use 'icedtea_sync.sh' to update the following
-# They are based on code contained in the IcedTea project (6.x).
-# Systemtap tapsets. Zipped up to keep it small.
-Source8: tapsets-icedtea-%{icedteaver}.tar.xz
-
-# Desktop files. Adapted from IcedTea
-Source9: jconsole.desktop.in
-
-# nss configuration file
-Source11: nss.cfg.in
-
-# Removed libraries that we link instead
-Source12: remove-intree-libraries.sh
-
-# Ensure we aren't using the limited crypto policy
-Source13: TestCryptoLevel.java
-
-# Ensure ECDSA is working
-Source14: TestECDSA.java
-
-# Verify system crypto (policy) can be disabled via a property
-Source15: TestSecurityProperties.java
-
-# Ensure vendor settings are correct
-Source16: CheckVendor.java
-
-# Ensure translations are available for new timezones
-Source18: TestTranslations.java
-
-# Include portable spec and instructions on how to rebuild
-Source19: README.md
-Source20: java-%{featurever}-openjdk-portable.specfile
-
-# Setup variables to reference correct sources
-%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz
-%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz
-%global docszip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz
-%global misczip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz
-%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz
-%global slowdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz
-%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz
-%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz
-
-############################################
-#
-# RPM/distribution specific patches
-#
-############################################
-
-# NSS via SunPKCS11 Provider (disabled comment
-# due to memory leak).
-Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
-# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
-Patch600: rh1750419-redhat_alt_java.patch
-
-# Ignore AWTError when assistive technologies are loaded
-Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
-# Restrict access to java-atk-wrapper classes
-Patch2:    rh1648644-java_access_bridge_privileged_security.patch
-Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
-Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
-
-# Crypto policy and FIPS support patches
-# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
-# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
-# Diff is limited to src and make subdirectories to exclude .github changes
-# Fixes currently included:
-# PR3183, RH1340845: Follow system wide crypto policy
-# PR3695: Allow use of system crypto policy to be disabled by the user
-# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-# RH1929465: Improve system FIPS detection
-# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
-# RH1996182: Login to the NSS software token in FIPS mode
-# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-# RH2021263: Resolve outstanding FIPS issues
-# RH2052819: Fix FIPS reliance on crypto policies
-# RH2052829: Detect NSS at Runtime for FIPS detection
-# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-# RH2023467: Enable FIPS keys export
-# RH2094027: SunEC runtime permission for FIPS
-# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
-# RH2090378: Revert to disabling system security properties and FIPS mode support together
-# RH2104724: Avoid import/export of DH private keys
-# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
-# Build the systemconf library on all platforms
-# RH2048582: Support PKCS#12 keystores
-# RH2020290: Support TLS 1.3 in FIPS mode
-# Add nss.fips.cfg support to OpenJDK tree
-# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
-# Remove forgotten dead code from RH2020290 and RH2104724
-# OJ1357: Fix issue on FIPS with a SecurityManager in place
-# RH2134669: Add missing attributes when registering services in FIPS mode.
-# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
-# RH1940064: Enable XML Signature provider in FIPS mode
-# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
-Patch1001: fips-17u-%{fipsver}.patch
-
-#############################################
-#
-# OpenJDK patches in need of upstreaming
-#
-#############################################
-
-#############################################
-#
-# OpenJDK patches appearing in 17.0.8
-#
-#############################################
-
-#############################################
-#
-# Portable build specific patches
-#
-#############################################
-
-#############################################
-#
-# OpenJDK patches targetted for 17.0.6
-#
-#############################################
-
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: alsa-lib-devel
-BuildRequires: binutils
-BuildRequires: cups-devel
-BuildRequires: desktop-file-utils
-# elfutils only are OK for build without AOT
-BuildRequires: elfutils-devel
-BuildRequires: fontconfig-devel
-BuildRequires: gcc-c++
-BuildRequires: gdb
-BuildRequires: libxslt
-BuildRequires: libX11-devel
-BuildRequires: libXi-devel
-BuildRequires: libXinerama-devel
-BuildRequires: libXrandr-devel
-BuildRequires: libXrender-devel
-BuildRequires: libXt-devel
-BuildRequires: libXtst-devel
-# Requirement for setting up nss.cfg and nss.fips.cfg
-BuildRequires: nss-devel
-# Requirement for system security property test
-BuildRequires: crypto-policies
-BuildRequires: pkgconfig
-BuildRequires: xorg-x11-proto-devel
-BuildRequires: zip
-BuildRequires: javapackages-filesystem
-%if %{include_normal_build}
-BuildRequires: java-%{featurever}-openjdk-portable-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-BuildRequires: java-%{featurever}-openjdk-portable-static-libs = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-%endif
-%if %{include_fastdebug_build}
-BuildRequires: java-%{featurever}-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-BuildRequires: java-%{featurever}-openjdk-portable-static-libs-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-%endif
-%if %{include_debug_build}
-BuildRequires: java-%{featurever}-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-BuildRequires: java-%{featurever}-openjdk-portable-static-libs-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-%endif
-BuildRequires: java-%{featurever}-openjdk-portable-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-BuildRequires: java-%{featurever}-openjdk-portable-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
-# Zero-assembler build requirement
-%ifarch %{zero_arches}
-BuildRequires: libffi-devel
-%endif
-# 2023c required as of JDK-8305113
-BuildRequires: tzdata-java >= 2023c
-# Earlier versions have a bug in tree vectorization on PPC
-BuildRequires: gcc >= 4.8.3-8
-
-%if %{with_systemtap}
-BuildRequires: systemtap-sdt-devel
-%endif
-BuildRequires: make
-
-%if %{system_libs}
-BuildRequires: freetype-devel
-BuildRequires: giflib-devel
-BuildRequires: harfbuzz-devel
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
-%else
-# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.12.1
-# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
-Provides: bundled(giflib) = 5.2.1
-# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 7.0.1
-# Version in src/java.desktop/share/native/liblcms/lcms2.h
-Provides: bundled(lcms2) = 2.15.0
-# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
-Provides: bundled(libjpeg) = 6b
-# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
-%endif
-
-# this is always built, also during debug-only build
-# when it is built in debug-only this package is just placeholder
-%{java_rpo %{nil}}
-
-%description
-The %{origin_nice} %{featurever} runtime environment.
-
-%if %{include_debug_build}
-%package slowdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_rpo -- %{debug_suffix_unquoted}}
-%description slowdebug
-The %{origin_nice} %{featurever} runtime environment.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package fastdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_rpo -- %{fastdebug_suffix_unquoted}}
-%description fastdebug
-The %{origin_nice} %{featurever} runtime environment.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package headless
-Summary: %{origin_nice} %{featurever} Headless Runtime Environment
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_headless_rpo %{nil}}
-
-%description headless
-The %{origin_nice} %{featurever} runtime environment without audio and video support.
-%endif
-
-%if %{include_debug_build}
-%package headless-slowdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_headless_rpo -- %{debug_suffix_unquoted}}
-
-%description headless-slowdebug
-The %{origin_nice} %{featurever} runtime environment without audio and video support.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package headless-fastdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description headless-fastdebug
-The %{origin_nice} %{featurever} runtime environment without audio and video support.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package devel
-Summary: %{origin_nice} %{featurever} Development Environment
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_devel_rpo %{nil}}
-
-%description devel
-The %{origin_nice} %{featurever} development tools.
-%endif
-
-%if %{include_debug_build}
-%package devel-slowdebug
-Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_devel_rpo -- %{debug_suffix_unquoted}}
-
-%description devel-slowdebug
-The %{origin_nice} %{featurever} development tools.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package devel-fastdebug
-Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Tools
-%endif
-
-%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description devel-fastdebug
-The %{origin_nice} %{featurever} development tools              .
-%{fastdebug_warning}
-%endif
-
-%if %{include_staticlibs}
-
-%if %{include_normal_build}
-%package static-libs
-Summary: %{origin_nice} %{featurever} libraries for static linking
-
-%{java_static_libs_rpo %{nil}}
-
-%description static-libs
-The %{origin_nice} %{featurever} libraries for static linking.
-%endif
-
-%if %{include_debug_build}
-%package static-libs-slowdebug
-Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
-
-%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
-
-%description static-libs-slowdebug
-The %{origin_nice} %{featurever} libraries for static linking.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package static-libs-fastdebug
-Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
-
-%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description static-libs-fastdebug
-The %{origin_nice} %{featurever} libraries for static linking.
-%{fastdebug_warning}
-%endif
-
-# staticlibs
-%endif
-
-%if %{include_normal_build}
-%package jmods
-Summary: JMods for %{origin_nice} %{featurever}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_jmods_rpo %{nil}}
-
-%description jmods
-The JMods for %{origin_nice} %{featurever}.
-%endif
-
-%if %{include_debug_build}
-%package jmods-slowdebug
-Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_jmods_rpo -- %{debug_suffix_unquoted}}
-
-%description jmods-slowdebug
-The JMods for %{origin_nice} %{featurever}.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package jmods-fastdebug
-Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Tools
-%endif
-
-%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description jmods-fastdebug
-The JMods for %{origin_nice} %{featurever}.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package demo
-Summary: %{origin_nice} %{featurever} Demos
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_demo_rpo %{nil}}
-
-%description demo
-The %{origin_nice} %{featurever} demos.
-%endif
-
-%if %{include_debug_build}
-%package demo-slowdebug
-Summary: %{origin_nice} %{featurever} Demos %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_demo_rpo -- %{debug_suffix_unquoted}}
-
-%description demo-slowdebug
-The %{origin_nice} %{featurever} demos.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package demo-fastdebug
-Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description demo-fastdebug
-The %{origin_nice} %{featurever} demos.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package src
-Summary: %{origin_nice} %{featurever} Source Bundle
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_src_rpo %{nil}}
-
-%description src
-The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
-class library source code for use by IDE indexers and debuggers.
-%endif
-
-%if %{include_debug_build}
-%package src-slowdebug
-Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_src_rpo -- %{debug_suffix_unquoted}}
-
-%description src-slowdebug
-The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
- class library source code for use by IDE indexers and debuggers, %{for_debug}.
-%endif
-
-%if %{include_fastdebug_build}
-%package src-fastdebug
-Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Development/Languages
-%endif
-
-%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description src-fastdebug
-The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
- class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
-%endif
-
-%if %{include_normal_build}
-%package javadoc
-Summary: %{origin_nice} %{featurever} API documentation
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Documentation
-%endif
-Requires: javapackages-filesystem
-Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
-
-%{java_javadoc_rpo -- %{nil} %{nil}}
-
-%description javadoc
-The %{origin_nice} %{featurever} API documentation.
-%endif
-
-%if %{include_normal_build}
-%package javadoc-zip
-Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group:   Documentation
-%endif
-Requires: javapackages-filesystem
-Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
-
-%{java_javadoc_rpo -- %{nil} -zip}
-%{java_javadoc_rpo -- %{nil} %{nil}}
-
-%description javadoc-zip
-The %{origin_nice} %{featurever} API documentation compressed in a single archive.
-%endif
-
-%prep
-
-echo "Preparing %{oj_vendor_version}"
-
-# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
-%if 0%{?stapinstall:1}
-  echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
-%else
-  %{error:Unrecognised architecture %{_target_cpu}}
-%endif
-
-if [ %{include_normal_build} -eq 0 -o  %{include_normal_build} -eq 1 ] ; then
-  echo "include_normal_build is %{include_normal_build}"
-else
-  echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
-  exit 11
-fi
-if [ %{include_debug_build} -eq 0 -o  %{include_debug_build} -eq 1 ] ; then
-  echo "include_debug_build is %{include_debug_build}"
-else
-  echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
-  exit 12
-fi
-if [ %{include_fastdebug_build} -eq 0 -o  %{include_fastdebug_build} -eq 1 ] ; then
-  echo "include_fastdebug_build is %{include_fastdebug_build}"
-else
-  echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
-  exit 13
-fi
-if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{include_fastdebug_build} -eq 0 ] ; then
-  echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
-  exit 14
-fi
-%setup -q -c -n %{uniquesuffix ""} -T -a 0
-# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
-prioritylength=`expr length %{priority}`
-if [ $prioritylength -ne 8 ] ; then
- echo "priority must be 8 digits in total, violated"
- exit 14
-fi
-
-# OpenJDK patches
-
-%if %{system_libs}
-# Remove libraries that are linked by both static and dynamic builds
-sh %{SOURCE12} %{top_level_dir_name}
-%endif
-
-# Patch the JDK
-pushd %{top_level_dir_name}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch6 -p1
-# Add crypto policy and FIPS support
-%patch1001 -p1
-# nss.cfg PKCS11 support; must come last as it also alters java.security
-%patch1000 -p1
-popd # openjdk
-
-%patch600
-
-# The OpenJDK version file includes the current
-# upstream version information. For some reason,
-# configure does not automatically use the
-# default pre-version supplied there (despite
-# what the file claims), so we pass it manually
-# to configure
-VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
-if [ -f ${VERSION_FILE} ] ; then
-    UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
-else
-    echo "Could not find OpenJDK version file.";
-    exit 16
-fi
-if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
-    echo "WARNING: Designator mismatch";
-    echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
-    echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
-    # Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting
-    # This is fixed in the final upstream version
-    # exit 17
-fi
-
-# Prepare desktop files
-# The _X_ syntax indicates variables that are replaced by make upstream
-# The @X@ syntax indicates variables that are replaced by configure upstream
-for suffix in %{build_loop} ; do
-for file in %{SOURCE9}; do
-    FILE=`basename $file | sed -e s:\.in$::g`
-    EXT="${FILE##*.}"
-    NAME="${FILE%.*}"
-    OUTPUT_FILE=$NAME$suffix.$EXT
-    sed    -e  "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
-    sed -i -e  "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
-    sed -i -e  "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
-    sed -i -e  "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
-    sed -i -e  "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
-done
-done
-
-# Setup nss.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
-
-%build
-
-function customisejdk() {
-    local imagepath=${1}
-
-    if [ -d ${imagepath} ] ; then
-        # Turn on system security properties
-        sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
-            ${imagepath}/conf/security/java.security
-
-        # Use system-wide tzdata
-        rm ${imagepath}/lib/tzdb.dat
-        ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
-    fi
-}
-
-mkdir -p $(dirname %{installoutputdir})
-
-docdir=%{installoutputdir -- "-docs"}
-tar -xJf %{docszip}
-mv java-%{featurever}-openjdk*.docs.* ${docdir}
-
-miscdir=%{installoutputdir -- "-misc"}
-tar -xJf %{misczip}
-mv java-%{featurever}-openjdk*.misc.* ${miscdir}
-
-for suffix in %{build_loop} ; do
-
-  if [ "x$suffix" = "x" ] ; then
-      jdkzip=%{releasezip}
-      staticlibzip=%{staticlibzip}
-  elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then
-      jdkzip=%{fastdebugzip}
-      staticlibzip=%{fastdebugstaticlibzip}
-  else # slowdebug
-      jdkzip=%{slowdebugzip}
-      staticlibzip=%{slowdebugstaticlibzip}
-  fi
-
-  installdir=%{installoutputdir -- ${suffix}}
-
-  # TODO: should verify checksums when using packages from buildroot
-  tar -xJf ${jdkzip}
-  tar -xJf ${staticlibzip}
-  mv java-%{featurever}-openjdk* ${installdir}
-
-  # Fix build paths in ELF files so it looks like we built them
-  portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}"
-  for file in $(find ${installdir} -type f) ; do
-      if file ${file} | grep -q 'ELF'; then
-	  %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
-      fi
-  done
-
-  # Set tapset variables to match this build
-%if %{with_systemtap}
-  for file in ${miscdir}/tapset${suffix}/*.in; do
-    OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
-    sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > ${OUTPUT_FILE}
-# TODO find out which architectures other than i686 have a client vm
-%ifarch %{ix86}
-    sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE}
-%else
-    sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE}
-%endif
-    sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
-    sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
-  done
-%endif
-
-  # Final setup on the main image
-  customisejdk ${installdir}
-
-  # Print release information
-  cat ${installdir}/release
-
-# build cycles
-done # end of release / debug cycle loop
-
-%check
-
-# We test debug first as it will give better diagnostics on a crash
-for suffix in %{build_loop} ; do
-
-export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}}
-
-# Pre-test setup
-
-# Check Shenandoah is enabled
-%if %{use_shenandoah_hotspot}
-$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
-%endif
-
-# Check unlimited policy has been used
-$JAVA_HOME/bin/javac -d . %{SOURCE13}
-$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
-
-# Check ECC is working
-$JAVA_HOME/bin/javac -d . %{SOURCE14}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-
-# Check system crypto (policy) is active and can be disabled
-# Test takes a single argument - true or false - to state whether system
-# security properties are enabled or not.
-$JAVA_HOME/bin/javac -d . %{SOURCE15}
-export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
-export SEC_DEBUG="-Djava.security.debug=properties"
-$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
-$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-
-# Check java launcher has no SSB mitigation
-if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
-
-# Check alt-java launcher has SSB mitigation on supported architectures
-%ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
-%else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
-%endif
-
-%if ! 0%{?flatpak}
-# Check translations are available for new timezones (during flatpak builds, the
-# tzdb.dat used by this test is not where the test expects it, so this is
-# disabled for flatpak builds)
-$JAVA_HOME/bin/javac -d . %{SOURCE18}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
-$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
-%endif
-
-%if %{include_staticlibs}
-# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc
-readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
-readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
-%endif
-
-so_suffix="so"
-# Check debug symbols are present and can identify code
-find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
-do
-  if [ -f "$lib" ] ; then
-    echo "Testing $lib for debug symbols"
-    # All these tests rely on RPM failing the build if the exit code of any set
-    # of piped commands is non-zero.
-
-    # Test for .debug_* sections in the shared object. This is the main test
-    # Stripped objects will not contain these
-    eu-readelf -S "$lib" | grep "] .debug_"
-    test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
-    # Test FILE symbols. These will most likely be removed by anything that
-    # manipulates symbol tables because it's generally useless. So a nice test
-    # that nothing has messed with symbols
-    old_IFS="$IFS"
-    IFS=$'\n'
-    for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT")
-    do
-     # We expect to see .cpp files, except for architectures like aarch64 and
-     # s390 where we expect .o and .oS files
-      echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
-    done
-    IFS="$old_IFS"
-
-    # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
-    if [ "`basename $lib`" = "libjvm.so" ]; then
-      eu-readelf -s "$lib" | \
-        grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$"
-    fi
-
-    # Test that there are no .gnu_debuglink sections pointing to another
-    # debuginfo file. There shouldn't be any debuginfo files, so the link makes
-    # no sense either
-    eu-readelf -S "$lib" | grep 'gnu'
-    if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
-      echo "bad .gnu_debuglink section."
-      eu-readelf -x .gnu_debuglink "$lib"
-      false
-    fi
-  fi
-done
-
-# Make sure gdb can do a backtrace based on line numbers on libjvm.so
-# javaCalls.cpp:58 should map to:
-# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
-# Using line number 1 might cause build problems. See:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
-# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
-gdb -q "$JAVA_HOME/bin/java" <
--- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
--- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
--- if copy-jdk-configs is in transaction, it installs in pretrans to temp
--- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction  and so is
--- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
--- whether copy-jdk-configs is installed or not. If so, then configs are copied
--- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
-local posix = require "posix"
-
-if (os.getenv("debug") == "true") then
-  debug = true;
-  print("cjc: in spec debug is on")
-else
-  debug = false;
-end
-
-SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
-SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
-
-local stat1 = posix.stat(SOURCE1, "type");
-local stat2 = posix.stat(SOURCE2, "type");
-
-  if (stat1 ~= nil) then
-  if (debug) then
-    print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
-  end;
-  package.path = package.path .. ";" .. SOURCE1
-else
-  if (stat2 ~= nil) then
-  if (debug) then
-    print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
-  end;
-  package.path = package.path .. ";" .. SOURCE2
-  else
-    if (debug) then
-      print(SOURCE1 .." does NOT exists")
-      print(SOURCE2 .." does NOT exists")
-      print("No config files will be copied")
-    end
-  return
-  end
-end
--- run content of included file with fake args
-arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
-require "copy_jdk_configs.lua"
-
-%post
-%{post_script %{nil}}
-
-%post headless
-%{post_headless %{nil}}
-
-%postun
-%{postun_script %{nil}}
-
-%postun headless
-%{postun_headless %{nil}}
-
-%posttrans
-%{posttrans_script %{nil}}
-
-%posttrans headless
-%{alternatives_java_install %{nil}}
-
-%post devel
-%{post_devel %{nil}}
-
-%postun devel
-%{postun_devel %{nil}}
-
-%posttrans  devel
-%{posttrans_devel %{nil}}
-
-%posttrans javadoc
-%{alternatives_javadoc_install %{nil}}
-
-%postun javadoc
-%{postun_javadoc %{nil}}
-
-%posttrans javadoc-zip
-%{alternatives_javadoczip_install %{nil}}
-
-%postun javadoc-zip
-%{postun_javadoc_zip %{nil}}
-%endif
-
-%if %{include_debug_build}
-%post slowdebug
-%{post_script -- %{debug_suffix_unquoted}}
-
-%post headless-slowdebug
-%{post_headless -- %{debug_suffix_unquoted}}
-
-%posttrans headless-slowdebug
-%{alternatives_java_install -- %{debug_suffix_unquoted}}
-
-%postun slowdebug
-%{postun_script -- %{debug_suffix_unquoted}}
-
-%postun headless-slowdebug
-%{postun_headless -- %{debug_suffix_unquoted}}
-
-%posttrans slowdebug
-%{posttrans_script -- %{debug_suffix_unquoted}}
-
-%post devel-slowdebug
-%{post_devel -- %{debug_suffix_unquoted}}
-
-%postun devel-slowdebug
-%{postun_devel -- %{debug_suffix_unquoted}}
-
-%posttrans  devel-slowdebug
-%{posttrans_devel -- %{debug_suffix_unquoted}}
-%endif
-
-%if %{include_fastdebug_build}
-%post fastdebug
-%{post_script -- %{fastdebug_suffix_unquoted}}
-
-%post headless-fastdebug
-%{post_headless -- %{fastdebug_suffix_unquoted}}
-
-%postun fastdebug
-%{postun_script -- %{fastdebug_suffix_unquoted}}
-
-%postun headless-fastdebug
-%{postun_headless -- %{fastdebug_suffix_unquoted}}
-
-%posttrans fastdebug
-%{posttrans_script -- %{fastdebug_suffix_unquoted}}
-
-%posttrans headless-fastdebug
-%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
-
-%post devel-fastdebug
-%{post_devel -- %{fastdebug_suffix_unquoted}}
-
-%postun devel-fastdebug
-%{postun_devel -- %{fastdebug_suffix_unquoted}}
-
-%posttrans  devel-fastdebug
-%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
-
-%endif
-
-%if %{include_normal_build}
-%files
-# main package builds always
-%{files_jre %{nil}}
-%else
-%files
-# placeholder
-%endif
-
-
-%if %{include_normal_build}
-%files headless
-# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
-# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
-%{files_jre_headless %{nil}}
-
-%files devel
-%{files_devel %{nil}}
-
-%if %{include_staticlibs}
-%files static-libs
-%{files_static_libs %{nil}}
-%endif
-
-%files jmods
-%{files_jmods %{nil}}
-
-%files demo
-%{files_demo %{nil}}
-
-%files src
-%{files_src %{nil}}
-
-%files javadoc
-%{files_javadoc %{nil}}
-
-# This puts a huge documentation file in /usr/share
-# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
-# same for debug variant
-%files javadoc-zip
-%{files_javadoc_zip %{nil}}
-%endif
-
-%if %{include_debug_build}
-%files slowdebug
-%{files_jre -- %{debug_suffix_unquoted}}
-
-%files headless-slowdebug
-%{files_jre_headless -- %{debug_suffix_unquoted}}
-
-%files devel-slowdebug
-%{files_devel -- %{debug_suffix_unquoted}}
-
-%if %{include_staticlibs}
-%files static-libs-slowdebug
-%{files_static_libs -- %{debug_suffix_unquoted}}
-%endif
-
-%files jmods-slowdebug
-%{files_jmods -- %{debug_suffix_unquoted}}
-
-%files demo-slowdebug
-%{files_demo -- %{debug_suffix_unquoted}}
-
-%files src-slowdebug
-%{files_src -- %{debug_suffix_unquoted}}
-%endif
-
-%if %{include_fastdebug_build}
-%files fastdebug
-%{files_jre -- %{fastdebug_suffix_unquoted}}
-
-%files headless-fastdebug
-%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
-
-%files devel-fastdebug
-%{files_devel -- %{fastdebug_suffix_unquoted}}
-
-%if %{include_staticlibs}
-%files static-libs-fastdebug
-%{files_static_libs -- %{fastdebug_suffix_unquoted}}
-%endif
-
-%files jmods-fastdebug
-%{files_jmods -- %{fastdebug_suffix_unquoted}}
-
-%files demo-fastdebug
-%{files_demo -- %{fastdebug_suffix_unquoted}}
-
-%files src-fastdebug
-%{files_src -- %{fastdebug_suffix_unquoted}}
-
-%endif
-
-%changelog
-* Wed Jul 19 2023 Andrew Hughes  - 1:17.0.8.0.7-2
-- Bump release number so we are newer than 8.6
-- Related: rhbz#2221106
-
-* Fri Jul 14 2023 Andrew Hughes  - 1:17.0.8.0.7-1
-- Update to jdk-17.0.8+7 (GA)
-- Update release notes to 17.0.8+7
-- Switch to GA mode for final release.
-- Sync the copy of the portable specfile with the latest update
-- Add note at top of spec file about rebuilding
-- * This tarball is embargoed until 2023-07-18 @ 1pm PT. *
-- Resolves: rhbz#2221106
-
-* Thu Jul 13 2023 Andrew Hughes  - 1:17.0.8.0.6-0.1.ea
-- Update to jdk-17.0.8+6 (EA)
-- Sync the copy of the portable specfile with the latest update
-- Resolves: rhbz#2217714
-
-* Wed Jul 12 2023 Andrew Hughes  - 1:17.0.8.0.1-0.1.ea
-- Update to jdk-17.0.8+1 (EA)
-- Update release notes to 17.0.8+1
-- Switch to EA mode
-- Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 17.0.8+1
-- Bump bundled LCMS version to 2.15 as in jdk-17.0.8+1.
-- Bump bundled HarfBuzz version to 7.0.1 as in jdk-17.0.8+1
-- Use tapsets from the misc tarball
-- Introduce 'prelease' for the portable release versioning, to handle EA builds
-- Make sure root installation directory is created first
-- Use in-place substitution for all but the first of the tapset changes
-- Related: rhbz#2217714
-
-* Tue Jul 11 2023 Andrew Hughes  - 1:17.0.7.0.7-4
-- Introduce vm_variant global for consistency with future JDK builds
-- Related: rhbz#2196908
-
-* Mon May 15 2023 Jiri Vanek  - 1:17.0.7.0.7-4
-- Exclude classes_nocoops.jsa on i686 and arm32
-- Related: rhbz#2196908
-
-* Mon May 15 2023 Andrew Hughes  - 1:17.0.7.0.7-4
-- Following JDK-8005165, class data sharing can be enabled on all JIT architectures
-- Related: rhbz#2196908
-
-* Wed May 10 2023 Severin Gehwolf  - 1:17.0.7.0.7-4
-- Fix packaging of CDS archives
-- Resolves: rhbz#2196908
-
-* Wed Apr 26 2023 Andrew Hughes  - 1:17.0.7.0.7-3
-- Sync portable spec file with current version
-- Related: rhbz#2189330
-
-* Wed Apr 26 2023 Andrew Hughes  - 1:17.0.7.0.7-2
-- Update to jdk-17.0.7.0+7
-- Update release notes to 17.0.7.0+7
-- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
-- Update generate_tarball.sh to add support for passing a boot JDK to the configure run
-- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
-- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
-- Update FIPS support against 17.0.7+6 and bring in latest changes:
-- * RH2134669: Add missing attributes when registering services in FIPS mode.
-- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
-- * RH1940064: Enable XML Signature provider in FIPS mode
-- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
-- Fix trailing '.' in tarball name
-- Use portablerelease in vendor version to avoid inclusion of dist tag
-- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
-- Resolves: rhbz#2185182
-- Resolves: rhbz#2186834
-- Resolves: rhbz#2186826
-- Resolves: rhbz#2186830
-
-* Wed Apr 26 2023 Andrew Hughes  - 1:17.0.6.0.10-6
-- Include the java-17-openjdk-portable.spec file with instructions on how to rebuild.
-- Related: rhbz#2189330
-
-* Tue Apr 25 2023 Andrew Hughes  - 1:17.0.6.0.10-5
-- Replace local copies of JDK portable binaries with build dependencies
-- Resolves: rhbz#2189330
-
-* Wed Feb 15 2023 Andrew Hughes  - 1:17.0.6.0.10-4
-- Replace build section with extraction of existing builds from portables
-- Rewrite ELF files so the source file path is correct and debugsources can be assembled
-- Resolves: rhbz#2150205
-
-* Fri Jan 20 2023 Andrew Hughes  - 1:17.0.6.0.10-3
-- Update to jdk-17.0.6.0+10
-- Update release notes to 17.0.6.0+10
-- Switch to GA mode for release
-- Resolves: rhbz#2160111
-
-* Fri Jan 13 2023 Andrew Hughes  - 1:17.0.6.0.9-0.4.ea
-- Update FIPS support to bring in latest changes
-- * OJ1357: Fix issue on FIPS with a SecurityManager in place
-- Related: rhbz#2117972
-
-* Fri Jan 13 2023 Stephan Bergmann  - 1:17.0.6.0.9-0.4.ea
-- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
-- Related: rhbz#2150195
-
-* Wed Jan 04 2023 Andrew Hughes  - 1:17.0.6.0.9-0.3.ea
-- Update to jdk-17.0.6+9
-- Update release notes to 17.0.6+9
-- Drop local copy of JDK-8293834 now this is upstream
-- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
-- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
-- Resolves: rhbz#2150195
-
-* Sat Dec 03 2022 Andrew Hughes  - 1:17.0.6.0.1-0.3.ea
-- Update to jdk-17.0.6+1
-- Update release notes to 17.0.6+1
-- Switch to EA mode for 17.0.6 pre-release builds.
-- Re-enable EA upstream status check now it is being actively maintained.
-- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
-- Drop JDK-8275535 local patch now this has been accepted and backported upstream
-- Bump tzdata requirement to 2022e now the package is available in RHEL
-- Related: rhbz#2150195
-
-* Wed Nov 23 2022 Andrew Hughes  - 1:17.0.5.0.8-5
-- Update FIPS support to bring in latest changes
-- * Add nss.fips.cfg support to OpenJDK tree
-- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
-- * Remove forgotten dead code from RH2020290 and RH2104724
-- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
-- Resolves: rhbz#2117972
-
-* Wed Oct 26 2022 Andrew Hughes  - 1:17.0.5.0.8-2
-- Update to jdk-17.0.5+8 (GA)
-- Update release notes to 17.0.5+8 (GA)
-- Switch to GA mode for final release.
-- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
-- Update CLDR data with Europe/Kyiv (JDK-8293834)
-- Drop JDK-8292223 patch which we found to be unnecessary
-- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
-- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
-- Remove freetype sources along with zlib sources
-- Resolves: rhbz#2133695
-
-* Tue Oct 04 2022 Andrew Hughes  - 1:17.0.5.0.7-0.2.ea
-- Update to jdk-17.0.5+7
-- Update release notes to 17.0.5+7
-- Drop JDK-8288985 patch that is now upstream
-- Resolves: rhbz#2130617
-
-* Mon Oct 03 2022 Andrew Hughes  - 1:17.0.5.0.1-0.2.ea
-- Update to jdk-17.0.5+1
-- Update release notes to 17.0.5+1
-- Switch to EA mode for 17.0.5 pre-release builds.
-- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
-- Bump FreeType bundled version to 2.12.1 following JDK-8290334
-- Related: rhbz#2130617
-
-* Tue Aug 30 2022 Andrew Hughes  - 1:17.0.4.1.1-6
-- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
-- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
-- Resolves: rhbz#2006351
-
-* Tue Aug 30 2022 Andrew Hughes  - 1:17.0.4.1.1-5
-- Switch to static builds, reducing system dependencies and making build more portable
-- Resolves: rhbz#2121263
-
-* Mon Aug 29 2022 Stephan Bergmann  - 1:17.0.4.1.1-4
-- Fix flatpak builds (catering for their uncompressed manual pages)
-- Fix flatpak builds by exempting them from bootstrap
-- Resolves: rhbz#2102734
-
-* Mon Aug 29 2022 Andrew Hughes  - 1:17.0.4.1.1-3
-- Update FIPS support to bring in latest changes
-- * RH2104724: Avoid import/export of DH private keys
-- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
-- * Build the systemconf library on all platforms
-- * RH2048582: Support PKCS#12 keystores
-- * RH2020290: Support TLS 1.3 in FIPS mode
-- Resolves: rhbz#2104724
-- Resolves: rhbz#2092507
-- Resolves: rhbz#2048582
-- Resolves: rhbz#2020290
-
-* Sun Aug 21 2022 Andrew Hughes  - 1:17.0.4.1.1-2
-- Update to jdk-17.0.4.1+1
-- Update release notes to 17.0.4.1+1
-- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
-- Add test to ensure timezones can be translated
-- Resolves: rhbz#2119531
-
-* Fri Jul 22 2022 Andrew Hughes  - 1:17.0.4.0.8-3
-- Update to jdk-17.0.4.0+8
-- Update release notes to 17.0.4.0+8
-- Switch to GA mode for release
-- Resolves: rhbz#2106522
-
-* Wed Jul 20 2022 Andrew Hughes  - 1:17.0.4.0.7-0.2.ea
-- Revert the following changes until copy-java-configs has adapted to relative symlinks:
-- * Move cacerts replacement to install section and retain original of this and tzdb.dat
-- * Run tests on the installed image, rather than the build image
-- * Introduce variables to refer to the static library installation directories
-- * Use relative symlinks so they work within the image
-- * Run debug symbols check during build stage, before the install strips them
-- The move of turning on system security properties is retained so we don't ship with them off
-- Related: rhbz#2100674
-
-* Wed Jul 20 2022 Jiri Vanek  - 1:17.0.4.0.7-0.2.ea
-- retutrned absolute symlinks
-- relative symlinks are breaking cjc, and deeper investigations are necessary
--- why cjc intentionally skips relative symllinks
-- images have to be workarounded differently
-- Related: rhbz#2100674
-
-* Sat Jul 16 2022 Andrew Hughes  - 1:17.0.4.0.7-0.1.ea
-- Update to jdk-17.0.4.0+7
-- Update release notes to 17.0.4.0+7
-- Switch to EA mode for 17.0.4 pre-release builds.
-- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
-- Print release file during build, which should now include a correct SOURCE value from .src-rev
-- Update tarball script with IcedTea GitHub URL and .src-rev generation
-- Include script to generate bug list for release notes
-- Update tzdata requirement to 2022a to match JDK-8283350
-- Move EA designator check to prep so failures can be caught earlier
-- Make EA designator check non-fatal while upstream is not maintaining it
-- Explicitly require crypto-policies during build and runtime for system security properties
-- Make use of the vendor version string to store our version & release rather than an upstream release date
-- Include a test in the RPM to check the build has the correct vendor information.
-- Resolves: rhbz#2083316
-
-* Thu Jul 14 2022 Jayashree Huttanagoudar  - 1:17.0.4.0.1-0.2.ea
-- Fix issue where CheckVendor.java test erroneously passes when it should fail.
-- Add proper quoting so '&' is not treated as a special character by the shell.
-- Related: rhbz#2083316
-
-* Fri Jul 08 2022 Andrew Hughes  - 1:17.0.3.0.7-6
-- Fix whitespace in spec file
-- Related: rhbz#2100674
-
-* Fri Jul 08 2022 Andrew Hughes  - 1:17.0.3.0.7-6
-- Sequence spec file sections as they are run by rpmbuild (build, install then test)
-- Related: rhbz#2100674
-
-* Fri Jul 08 2022 Andrew Hughes  - 1:17.0.3.0.7-6
-- Turn on system security properties as part of the build's install section
-- Move cacerts replacement to install section and retain original of this and tzdb.dat
-- Run tests on the installed image, rather than the build image
-- Introduce variables to refer to the static library installation directories
-- Use relative symlinks so they work within the image
-- Run debug symbols check during build stage, before the install strips them
-- Related: rhbz#2100674
-
-* Thu Jun 30 2022 Francisco Ferrari Bihurriet  - 1:17.0.3.0.7-5
-- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
-- Resolves: rhbz#2007331
-
-* Tue Jun 28 2022 Andrew Hughes  - 1:17.0.3.0.7-4
-- Update FIPS support to bring in latest changes
-- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
-- * RH2090378: Revert to disabling system security properties and FIPS mode support together
-- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
-- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
-- Improve security properties test to check both enabled and disabled behaviour
-- Run security properties test with property debugging on
-- Resolves: rhbz#2099840
-- Resolves: rhbz#2100674
-
-* Tue Jun 28 2022 Andrew Hughes  - 1:17.0.3.0.7-3
-- Add rpminspect.yaml to turn off Java bytecode inspections
-- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
-- Resolves: rhbz#2101524
-
-* Sun Jun 12 2022 Andrew Hughes  - 1:17.0.3.0.7-2
-- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
-- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
-- RH2023467: Enable FIPS keys export
-- RH2094027: SunEC runtime permission for FIPS
-- Resolves: rhbz#2023467
-- Resolves: rhbz#2094027
-
-* Wed Apr 20 2022 Andrew Hughes  - 1:17.0.3.0.7-1
-- April 2022 security update to jdk 17.0.3+7
-- Update to jdk-17.0.3.0+7 release tarball
-- Update release notes to 17.0.3.0+6
-- Add missing README.md and generate_source_tarball.sh
-- Switch to GA mode for release
-- JDK-8283911 patch no longer needed now we're GA...
-- Resolves: rhbz#2073577
-
-* Wed Apr 06 2022 Andrew Hughes  - 1:17.0.3.0.5-0.1.ea
-- Update to jdk-17.0.3.0+5
-- Update release notes to 17.0.3.0+5
-- Resolves: rhbz#2050456
-
-* Tue Mar 29 2022 Andrew Hughes  - 1:17.0.3.0.1-0.1.ea
-- Update to jdk-17.0.3.0+1
-- Update release notes to 17.0.3.0+1
-- Switch to EA mode for 17.0.3 pre-release builds.
-- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
-- Related: rhbz#2050456
-
-* Mon Feb 28 2022 Andrew Hughes  - 1:17.0.2.0.8-15
-- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-- Resolves: rhbz#2052070
-
-* Sun Feb 27 2022 Andrew Hughes  - 1:17.0.2.0.8-14
-- Introduce tests/tests.yml, based on the one in java-11-openjdk
-- Resolves: rhbz#2058493
-
-* Sun Feb 27 2022 Severin Gehwolf  - 1:17.0.2.0.8-13
-- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
-  secmod.db file as part of nss
-- Resolves: rhbz#2023536
-
-* Sun Feb 27 2022 Andrew Hughes  - 1:17.0.2.0.8-12
-- Detect NSS at runtime for FIPS detection
-- Turn off build-time NSS linking and go back to an explicit Requires on NSS
-- Resolves: rhbz#2051605
-
-* Fri Feb 25 2022 Andrew Hughes  - 1:17.0.2.0.8-11
-- Add JDK-8275535 patch to fix LDAP authentication issue.
-- Resolves: rhbz#2053256
-
-* Fri Feb 25 2022 Jiri Vanek  - 1:17.0.2.0.8-10
-- Storing and restoring alterntives during update manually
-- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
--- The move of alternatives creation to posttrans to fix:
--- Bug 1200302 - dnf reinstall breaks alternatives
--- Had caused the alternatives to be removed, and then created again,
--- instead of being added, and then removing the old, and thus persisting
--- the selection in family
--- Thus this fix, is storing the family of manually selected master, and if
--- stored, then it is restoring the family of the master
-- Resolves: rhbz#2008200
-
-* Fri Feb 25 2022 Jiri Vanek  - 1:17.0.2.0.8-9
-- Family extracted to globals
-- Resolves: rhbz#2008200
-
-* Fri Feb 25 2022 Jiri Vanek  - 1:17.0.2.0.8-8
-- alternatives creation moved to posttrans
-- Thus fixing the old reisntall issue:
-- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
-- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
-- Resolves: rhbz#2008200
-
-* Mon Feb 21 2022 Andrew Hughes  - 1:17.0.2.0.8-7
-- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
-- Resolves: rhbz#2051590
-
-* Fri Feb 18 2022 Andrew Hughes  - 1:17.0.2.0.8-6
-- Fix FIPS issues in native code and with initialisation of java.security.Security
-- Resolves: rhbz#2023378
-
-* Thu Feb 17 2022 Andrew Hughes  - 1:17.0.2.0.8-5
-- Restructure the build so a minimal initial build is then used for the final build (with docs)
-- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
-- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
-- Handle Fedora in distro conditionals that currently only pertain to RHEL.
-- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
-- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
-- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
-- Need to support noarch for creating source RPMs for non-scratch builds.
-- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
-- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
-- Explicitly list JIT architectures rather than relying on those with slowdebug builds
-- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
-- Resolves: rhbz#2022822
-
-* Thu Feb 17 2022 Jiri Vanek  - 1:17.0.2.0.8-5
-- Replaced tabs by sets of spaces to make rpmlint happy
-- javadoc-zip gets its own provides next to plain javadoc ones
-- Resolves: rhbz#2022822
-
-* Tue Feb 08 2022 Jiri Vanek  - 1:17.0.2.0.8-4
-- Minor cosmetic improvements to make spec more comparable between variants
-- Related: rhbz#2022822
-
-* Thu Feb 03 2022 Andrew Hughes  - 1:17.0.2.0.8-3
-- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
-- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
-- Related: rhbz#2022822
-
-* Thu Feb 03 2022 Andrew Hughes  - 1:17.0.2.0.8-2
-- Extend LTS check to exclude EPEL.
-- Related: rhbz#2022822
-
-* Thu Feb 03 2022 Severin Gehwolf  - 1:17.0.2.0.8-2
-- Set LTS designator.
-- Related: rhbz#2022822
-
-* Wed Jan 12 2022 Andrew Hughes  - 1:17.0.2.0.8-1
-- January 2022 security update to jdk 17.0.2+8
-- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
-- Rename libsvml.so to libjsvml.so following JDK-8276025
-- Resolves: rhbz#2039366
-
-* Thu Oct 28 2021 Andrew Hughes  - 1:17.0.1.0.12-3
-- Sync desktop files with upstream IcedTea release 3.15.0 using new script
-- Related: rhbz#2013842
-
-* Tue Oct 26 2021 Andrew Hughes  - 1:17.0.1.0.12-2
-- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
-- Resolves: rhbz#2013842
-
-* Wed Oct 20 2021 Petra Alice Mikova  - 1:17.0.1.0.12-2
-- October CPU update to jdk 17.0.1+12
-- Dropped commented-out source line
-- Resolves: rhbz#2013842
-
-* Sun Oct 10 2021 Andrew Hughes  - 1:17.0.0.0.35-6
-- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
-- Resolves: rhbz#1994661
-
-* Sun Oct 10 2021 Martin Balao  - 1:17.0.0.0.35-6
-- Add patch to allow plain key import.
-- Resolves: rhbz#1994661
-
-* Mon Sep 27 2021 Andrew Hughes  - 1:17.0.0.0.35-5
-- Update release notes to document the major changes between OpenJDK 11 & 17.
-- Resolves: rhbz#2003072
-
-* Thu Sep 16 2021 Andrew Hughes  - 1:17.0.0.0.35-3
-- Update to jdk-17+35, also known as jdk-17-ga.
-- Switch to GA mode.
-- Add JDK-8272332 fix so we actually link against HarfBuzz.
-- Resolves: rhbz#2003072
-- Resolves: rhbz#2004078
-
-* Mon Aug 30 2021 Andrew Hughes  - 1:17.0.0.0.33-0.5.ea
-- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
-- Resolves: rhbz#1996182
-
-* Sat Aug 28 2021 Andrew Hughes  - 1:17.0.0.0.33-0.4.ea
-- Fix unused function compiler warning found in systemconf.c
-- Related: rhbz#1995150
-
-* Sat Aug 28 2021 Martin Balao  - 1:17.0.0.0.33-0.4.ea
-- Add patch to login to the NSS software token when in FIPS mode.
-- Resolves: rhbz#1996182
-
-* Fri Aug 27 2021 Martin Balao  - 1:17.0.0.0.33-0.3.ea
-- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
-- Resolves: rhbz#1995150
-
-* Fri Aug 27 2021 Andrew Hughes  - 1:17.0.0.0.33-0.2.ea
-- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
-- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
-- Related: rhbz#1995150
-
-* Fri Aug 27 2021 Martin Balao  - 1:17.0.0.0.33-0.2.ea
-- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
-- Related: rhbz#1995150
-
-* Thu Aug 26 2021 Andrew Hughes  - 1:17.0.0.0.33-0.1.ea
-- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
-- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
-- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
-- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
-- Disable FIPS mode support unless com.redhat.fips is set to "true".
-- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
-- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
-- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
-- Related: rhbz#1995150
-
-* Thu Aug 26 2021 Martin Balao  - 1:17.0.0.0.33-0.1.ea
-- Support the FIPS mode crypto policy (RH1655466)
-- Use appropriate keystore types when in FIPS mode (RH1818909)
-- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
-- Related: rhbz#1995150
-
-* Thu Aug 26 2021 Andrew Hughes  - 1:17.0.0.0.33-0.0.ea
-- Update to jdk-17+33, including JDWP fix and July 2021 CPU
-- Resolves: rhbz#1959487
-
-* Thu Aug 26 2021 Andrew Hughes  - 1:17.0.0.0.26-0.5.ea
-- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
-- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
-- Resolves: rhbz#1959487
-
-* Wed Aug 25 2021 Petra Alice Mikova  - 1:17.0.0.0.26-0.4.ea
-- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
-- Resolves: rhbz#1959487
-
-* Wed Aug 25 2021 Severin Gehwolf  - 1:17.0.0.0.26-0.3.ea
-- Re-enable TestSecurityProperties after inclusion of PR3695
-- Resolves: rhbz#1959487
-
-* Wed Aug 25 2021 Andrew Hughes  - 1:17.0.0.0.26-0.3.ea
-- Add PR3695 to allow the system crypto policy to be turned off
-- Resolves: rhbz#1959487
-
-* Wed Jul 14 2021 Andrew Hughes  - 1:17.0.0.0.26-0.2.ea
-- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
-- Resolves: rhbz#1959487
-
-* Wed Jul 14 2021 Severin Gehwolf  - 1:17.0.0.0.26-0.2.ea
-- Update buildjdkver to 17 so as to build with itself
-- Resolves: rhbz#1959487
-
-* Tue Jul 13 2021 Jiri Vanek  - 1:17.0.0.0.26-0.1.ea
-- Add gating support
-- Resolves: rhbz#1959487
-
-* Mon Jun 21 2021 Andrew Hughes  - 1:17.0.0.0.26-0.0.ea
-- Rename as java-17-openjdk and bootstrap using boot JDK in local sources
-- Exclude x86 as this is not supported by OpenJDK 17
-- Resolves: rhbz#1959487
-
-* Fri Jun 11 2021 Petra Alice Mikova  - 1:17.0.0.0.26-0.0.ea.rolling
-- update sources to jdk 17.0.0+26
-- set is_ga to 0, as this is early access build
-- change vendor_version_string
-- change path to the version-numbers.conf
-- removed rmid binary from files and from slaves
-- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407
-- add lib/libsyslookup.so to files
-- renamed lib/security/blacklisted.certs to lib/security/blocked.certs
-- add lib/libsvml.so for intel
-- skip debuginfo check for libsyslookup.so on s390x
-
-* Thu Apr 29 2021 Jiri Vanek  -  1:16.0.1.0.9-2.rolling
-- adapted to debug handling  in newer cjc
-- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
-- Disable copy-jdk-configs for Flatpak builds
-
-* Sun Apr 25 2021 Petra Alice Mikova  - 1:16.0.1.0.9-1.rolling
-- update to 16.0.1+9 april cpu tag
-- dropped jdk8259949-allow_cf-protection_on_x86.patch
-
-* Thu Mar 11 2021 Andrew Hughes  - 1:16.0.0.0.36-2.rolling
-- Perform static library build on a separate source tree with bundled image libraries
-- Make static library build optional
-- Based on initial work by Severin Gehwolf
-
-* Tue Mar 09 2021 Jiri Vanek  - 1:16.0.0.0.36-1.rolling
-- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa}
-- bumped buildjdkver to build by itself - 16
-
-* Fri Feb 19 2021 Andrew Hughes  - 1:16.0.0.0.36-0.rolling
-- Update to jdk-16.0.0.0+36
-- Update tarball generation script to use git following OpenJDK's move to github
-- Update tarball generation script to use PR3823 which handles JDK-8235710 changes
-- Use upstream default for version-pre rather than setting it to "ea" or ""
-- Drop libsunec.so which is no longer generated, thanks to JDK-8235710
-- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10
-- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles
-- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename
-- Use system harfbuzz now this is supported.
-- Pass SOURCE_DATE_EPOCH to build for reproducible builds
-
-* Fri Feb 19 2021 Stephan Bergmann  - 1:15.0.2.0.7-1.rolling
-- Hardcode /usr/sbin/alternatives for Flatpak builds
-
-* Tue Jan 26 2021 Fedora Release Engineering  - 1:15.0.2.0.7-0.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Fri Jan 22 2021 Andrew Hughes  - 1:15.0.2.0.7-0.rolling
-- Update to jdk-15.0.2.0+7
-- Add release notes for 15.0.1.0 & 15.0.2.0
-- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
-- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
-- Cleanup debug package descriptions and version number placement.
-- Remove unused patch files.
-
-* Tue Jan 19 2021 Andrew Hughes  - 1:15.0.1.9-10.rolling
-- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
-
-* Tue Dec 22 2020 Jiri Vanek  - 1:15.0.1.9-9.rolling
-- fixed missing condition for fastdebug packages being counted as debug ones
-
-* Sat Dec 19 2020 Jiri Vanek  - 1:15.0.1.9-8.rolling
-- removed lib-style provides for fastdebug_suffix_unquoted
-
-* Sat Dec 19 2020 Jiri Vanek  - 1:15.0.1.9-6.rolling
-- many cosmetic changes taken from more maintained jdk11
-- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
-  instead of various hardcoded ifarches
-- updated systemtap
-- added requires excludes for debug pkgs
-- removed redundant logic around jsa files
-- added runtime requires of lksctp-tools and libXcomposite%
-- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
-- s390x excluded form fastdebug build
-
-* Thu Dec 17 2020 Andrew Hughes  - 1:15.0.1.9-5.rolling
-- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
-- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
-- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
-
-* Wed Dec 9 2020 Jiri Vanek  - 1:15.0.1.9-4.rolling
-- moved wrongly placed licenses to accompany other ones
-- this bad placement was killng parallel-installability and thus having bad impact to leapp if used
-
-* Tue Dec 01 2020 Jiri Vanek  - 1:15.0.1.9-3.rolling
-- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
-- no longer copying of java->alt-java as it is created by  patch600
-
-* Mon Nov 23 2020 Jiri Vanek  - 1:15.0.1.9-2.rolling
-- Create a copy of java as alt-java with alternatives and man pages
-- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
-
-* Sun Oct 25 2020 Petra Alice Mikova  - 1:15.0.1.9-1.rolling
-- updated to October CPU 2020 sources
-
-* Thu Oct 22 2020 Severin Gehwolf  - 1:15.0.0.36-4.rolling
-- Fix directory ownership of -static-libs sub-package.
-
-* Fri Oct 09 2020 Jiri Vanek  - 1:15.0.0.36-3.rolling
-- Build static-libs-image and add resulting files via -static-libs sub-package.
-- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package.
-- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
-- Update static-libs packaging to new layout
-
-* Mon Sep 21 2020 Petra Alice Mikova  - 1:15.0.0.36-2.rolling
-- Add support for fastdebug builds on 64 bit architectures
-
-* Tue Sep 15 2020 Severin Gehwolf  - 1:15.0.0.36-1.rolling
-- Remove EA designation
-- Re-generate sources with PR3803 patch
-
-* Mon Aug 31 2020 Petra Alice Mikova  - 1:15.0.0.36-0.1.ea.rolling
-- Update to jdk 15.0.0.36 tag
-- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
-- Update vendor version string to 20.9
-- jjs removed from packaging after JEP 372: Nashorn removal
-- rmic removed from packaging after JDK-8225319
-
-* Mon Jul 27 2020 Severin Gehwolf  - 1:14.0.2.12-2.rolling
-- Disable LTO so as to pass debuginfo check
-
-* Wed Jul 22 2020 Petra Alice Mikova  - 1:14.0.2.12-1.rolling
-- update to jdk 14.0.2.12 CPU version
-- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch
-- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch
-- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch
-
-* Thu Jul 09 2020 Andrew Hughes  - 1:14.0.1.7-4.rolling
-- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
-- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
-
-* Thu May 14 2020 Petra Alice Mikova  -  1:14.0.1.7-3.rolling
-- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide
-- rename and reorganize patch sections
-
-* Thu Apr 23 2020 Severin Gehwolf  - 1:14.0.1.7-2.rolling
-- Fix vendor version to 20.3 (from 19.9)
-
-* Fri Apr 17 2020 Petra Alice Mikova  - 1:14.0.1.7-1.rolling
-- April security update
-- uploaded new src tarball
-
-* Wed Apr 08 2020 Jiri Vanek  - 1:14.0.0.36-4.rolling
-- set vendor property and vendor urls
-- made urls to be preconfigured by os
-
-* Tue Mar 24 2020 Petra Alice Mikova  - 1:14.0.0.36-3.rolling
-- Remove s390x workaround flags for GCC 10
-- bump buildjdkver to 14
-- uploaded new src tarball
-
-* Mon Mar 23 2020 Petra Alice Mikova  - 1:14.0.0.36-2.rolling
-- removed a whitespace causing fail of postinstall script
-- removed backslashes at the end of alternatives command
-
-* Fri Mar 13 2020 Petra Alice Mikova  - 1:14.0.0.36-1.rolling
-- update to jdk 14+36 ga build
-- remove JDK-8224851 patch, as OpenJDK 14 already contains it
-- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
-- added listings for jpackage binary, manpages and added slave records to alternatives
-
-* Thu Mar 12 2020 Petra Alice Mikova  - 1:13.0.2.8-4.rolling
-- add patch for build issues with make 4.3
-
-* Thu Feb 27 2020 Severin Gehwolf  - 1:13.0.2.8-3.rolling
-- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531)
-- fix issues with build with GCC10: JDK-8224851, -fcommon switch
-
-* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
-- Add JDK-8224851 patch to resolve aarch64 issues
-
-* Tue Feb 04 2020 Petra Alice Mikova  - 1:13.0.2.8-2.rolling
-- fix Release, as it was broken by last rpmdev-bumpspec
-
-* Wed Jan 29 2020 Fedora Release Engineering  - 1:13.0.2.8-1.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Jan 17 2020 Petra Alice Mikova  - 1:13.0.2.8-1.rolling
-- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
-- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
-- updated sources to the 13.0.2+8 tag
-
-* Fri Oct 25 2019 Petra Alice Mikova  - 1:13.0.1.9-2.rolling
-- Fixed hardcoded major version in jdk13u to macro
-- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
-- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
-
-* Mon Oct 21 2019 Petra Alice Mikova  - 1:13.0.1.9-1.rolling
-- Updated to October 2019 CPU sources
-
-* Wed Oct 16 2019 Petra Alice Mikova  - 1:13.0.0.33-3.rolling
-- synced up generate tarball script with other OpenJDK packages
-- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources
-- regenerated sources with the updated script
-
-* Wed Oct 02 2019 Andrew Hughes  - 1:13.0.0.33-3.rolling
-- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
-
-* Wed Oct 02 2019 Andrew John Hughes  -  1:13.0.0.33-3.rolling
-- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
-- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
-- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
-- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
-
-* Wed Oct 02 2019 Andrew Hughes  - 1:13.0.0.33-3.rolling
-- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
-
-* Tue Oct 01 2019 Severin Gehwolf  - 1:13.0.0.33-2.rolling
-- Don't produce javadoc/javadoc-zip sub packages for the
-  debug variant build.
-- Don't perform a bootcycle build for the debug variant build.
-
-* Mon Sep 30 2019 Severin Gehwolf  - 1:13.0.0.33-2.rolling
-- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9
-
-* Wed Aug 14 2019 Petra Alice Mikova  - 1:13.0.0.33-1.rolling
-- updated to 13+33 sources
-- added two manpages to file listings (jfr, jaotc)
-- set is_ga to 1 to match build from jdk.java.net
-
-* Fri Jul 26 2019 Severin Gehwolf  - 1:13.0.0.28-0.2.ea.rolling
-- Fix bootjdkver macro. It attempted to build with jdk 12, which is
-  no longer available in rawhide (it's 13 instead).
-- Fix Release as rpmdev-bumpspec doesn't do it correctly.
-
-* Thu Jul 25 2019 Fedora Release Engineering  - 1:13.0.0.28-0.1.ea.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Tue Jul 09 2019 Petra Alice Mikova  - 1:13.0.0.28-0.1.ea.rolling
-- updated to jdk 13
-- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch
-- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
-- fixed file listings
-- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49:
-- Include 'ea' designator in Release when appropriate
-- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately
-
-* Tue May 21 2019 Petra Alice Mikova  - 1:12.0.1.12-2.rolling
-- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324)
-
-* Thu Apr 18 2019 Petra Mikova  - 1:12.0.1.12-1.rolling
-- updated sources to current CPU release
-
-* Thu Apr 04 2019 Petra Mikova  - 1:12.0.0.33-4.rolling
-- added slave for jfr binary in devel package
-
-* Thu Mar 21 2019 Petra Mikova  - 1:12.0.0.33-3.rolling
-- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs.
-- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc
-- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS
-- removed duplicated dependency on lksctp-tools
-
-* Wed Mar 20 2019 Peter Robinson  1:12.0.0.33-2.ea.1.rolling
-- Drop chkconfig dep, 1.7 shipped in f24
-
-* Thu Mar 07 2019 Petra Mikova  - 1:12.0.0.33-1.ea.1.rolling
-- bumped sources to jdk12+33
-
-* Mon Feb 11 2019 Severin Gehwolf  - 1:12.0.0.30-1.ea.1.rolling
-- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively.
-
-* Fri Feb 01 2019 Fedora Release Engineering  - 1:12.0.0.25-0.ea.1.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Dec 21 2018 Jiri Vanek  - 1:12.0.0.25-0.ea.1.rolling
-- bumped sources to jdk12. Crypto list synced.
-- adapted patches to usptream (removed are upstreamed)
-- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch:
-- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch
-- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk)
-- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
-- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
-- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream
-- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
-- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
-- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
-- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
-- set build jdk to jdk11; buildjdkver set to 11
-- todo, revisit _privatelibs and slaves, discuse patch10, more?
-- now building with --no-print-directory to workaround JDK8215213
-- renamed original of docs zip to jdk-major+build
-- check shenandaoh with -XX:+UnlockExperimentalVMOptions
-- libjli moved from lib/libjli to lib
-- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template
-- added explanation to the --no-print-directory
-- re-added lts_designator_zip macro
-- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch
-
-* Wed Dec 5 2018 Jiri Vanek  - 1:11.0.1.13-10.rolling
-- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
-- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
-- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
-
-* Tue Dec 04 2018 Severin Gehwolf  - 1:11.0.1.13-9
-- Added %%global _find_debuginfo_opts -g
-- Resolves: RHBZ#1520879 (Detailed NMT issue)
-
-* Fri Nov 30 2018 Jiri Vanek  - 1:11.0.1.13-8
-- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version
-
-* Mon Nov 12 2018 Jiri Vanek  - 1:11.0.1.13-6
-- fixed tck failures of arraycopy and process exec with shenandoah on
-- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
-
-* Wed Nov 07 2018 Jiri Vanek  - 1:11.0.1.13-5
-- headless' suggests of cups, replaced by Requires of cups-libs
-
-* Thu Nov 01 2018 Jiri Vanek  - 1:11.0.1.13-3
-- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
-
-* Mon Oct 29 2018 Severin Gehwolf  - 1:11.0.1.13-3
-- Use upstream's version of Aarch64 intrinsics disable patch:
-  - Removed:
-    RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
-    RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
-  - Superceded by:
-    jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
-
-* Thu Oct 18 2018 Severin Gehwolf  - 1:11.0.1.13-2
-- Use LTS designator in version output for RHEL.
-
-* Thu Oct 18 2018 Severin Gehwolf  - 1:11.0.1.13-1
-- Update to October 2018 CPU release, 11.0.1+13.
-
-* Wed Oct 17 2018 Severin Gehwolf  - 1:11.0.0.28-2
-- Use --with-vendor-version-string=18.9 so as to show original
-  GA date for the JDK.
-
-* Fri Sep 28 2018 Severin Gehwolf  - 1:11.0.0.28-1
-- Identify as GA version and no longer as early access (EA).
-- JDK 11 has been released for GA on 2018-09-25.
-
-* Fri Sep 28 2018 Severin Gehwolf  - 1:11.0.ea.28-9
-- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
-  RHBZ-1624122.
-- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
-  optimize compilation of fdlibm library.
-- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
-  as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
-- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
-  optimize compilation of libsaproc (extra c flags won't override
-  optimization).
-- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
-  optimize compilation of libjsig.
-- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
-  optimize compilation of vmStructs.cpp (part of libjvm.so).
-- Reinstate filtering of opt flags coming from redhat-rpm-config.
-
-* Thu Sep 27 2018 Jiri Vanek  - 1:11.0.ea.28-8
-- removed version less provides
-- javadocdir moved to arched dir as it is no longer noarch
-
-* Thu Sep 20 2018 Severin Gehwolf  - 1:11.0.ea.28-6
-- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
-  so as to disable log math intrinsic on aarch64. Work-around for
-  JDK-8210858
-
-* Thu Sep 13 2018 Severin Gehwolf  - 1:11.0.ea.28-5
-- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
-  so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
-  JDK-8210461.
-
-* Wed Sep 12 2018 Severin Gehwolf  - 1:11.0.ea.22-6
-- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
-  optimize compilation of fdlibm library.
-- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
-  as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
-- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
-  optimize compilation of libsaproc (extra c flags won't override
-  optimization).
-- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
-  optimize compilation of vmStructs.cpp (part of libjvm.so).
-- No longer filter -O flags from C flags coming from
-  redhat-rpm-config.
-
-* Mon Sep 10 2018 Jiri Vanek  - 1:11.0.ea.28-4
-- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
-
-* Fri Sep 7 2018 Severin Gehwolf  - 1:11.0.ea.28-3
-- Enable ZGC on x86_64.
-
-* Tue Sep 4 2018 Jiri Vanek  - 1:11.0.ea.28-2
-- jfr/*jfc files listed for all arches
-- lib/classlist do not exists s390, ifarch-ed via jit_arches out
-
-* Fri Aug 31 2018 Severin Gehwolf  - 1:11.0.ea.28-1
-- Update to latest upstream build jdk11+28, the first release
-  candidate.
-
-* Wed Aug 29 2018 Severin Gehwolf  - 1:11.0.ea.22-8
-- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
-  as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
-
-* Thu Aug 23 2018 Jiri Vanek  - 1:11.0.ea.22-6
-- dissabled accessibility, fixed provides for main package's debug variant
-
-* Mon Jul 30 2018 Jiri Vanek  - 1:11.0.ea.22-5
-- now buildrequires javapackages-filesystem as the  issue with macros should be fixed
-
-* Wed Jul 18 2018 Jiri Vanek  - 1:11.0.ea.22-2
-- changed to build by itself instead of by jdk10
-
-* Tue Jul 17 2018 Jiri Vanek  - 1:11.0.ea.22-1
-- added Recommends gtk3 for main package
-- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
-- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
-- see RHBZ1598152
-- added trick to catch hs_err files (sgehwolf)
-- updated to shenandaoh-jdk-11+22
-
-* Sat Jul 07 2018 Jiri Vanek  - 1:11.0.ea.20-1
-- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
-- improved a bit generate_source_tarball.sh to serve also for systemtap
-- thus deleted generate_tapsets.sh
-- simplified and cleared update_package.sh
-- moved to single source jdk - from shenandoah/jdk11
-- bumped to latest jdk11+20
-- adapted PR2126 to jdk11+20
-- adapted handling of systemtap sources to new style
-- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
-- shortened summaries and descriptions to around 80 chars
-- Hunspell spell checked
-- license fixed to correct jdk11 (sgehwolf)
-- more correct handling of internal libraries (sgehwolf)
-- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
-- added test for shenandaoh GC presence where expected
-- Removed workaround for broken aarch64 slowdebug build
-- Removed all defattrs
-- Removed no longer necessary cleanup of diz and  debuginfo files
-
-* Fri Jun 22 2018 Jiri Vanek  - 1:11.0.ea.19-1
-- updated sources to jdk-11+19
-- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
-- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
-
-* Thu Jun 14 2018 Severin Gehwolf  - 1:11.0.ea.16-5
-- Revert rename: java-11-openjdk => java-openjdk.
-
-* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-4
-- Add aarch64 to aot_arches.
-
-* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-3
-- Rename to package java-11-openjdk.
-
-* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-2
-- Disable Aarch64 slowdebug build (see JDK-8204331).
-- s390x doesn't have the SA even though it's a JIT arch.
-
-* Wed Jun 13 2018 Severin Gehwolf  - 1:11.0.ea.16-1
-- Initial version of JDK 11 ea based on tag jdk-11+16.
-- Removed patches no longer needed or upstream:
-  sorted-diff.patch (see JDK-8198844)
-  JDK-8201788-bootcycle-images-jobs.patch
-  JDK-8201509-s390-atomic_store.patch
-  JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
-  JDK-8193802-npe-jar-getVersionMap.patch
-- Updated and renamed patches:
-  java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
-- Updated patches for JDK 11:
-  pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
-
-* Tue Jun 12 2018 Severin Gehwolf  - 1:10.0.1.10-9
-- Use proper private_libs expression for filtering requires/provides.
-
-* Fri Jun 08 2018 Severin Gehwolf  - 1:10.0.1.10-8
-- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
-
-* Mon Jun 04 2018 Jiri Vanek  - 1:10.0.1.10-7
-- quoted sed expressions, changed possibly confusing # by @
-- added vendor(origin) into icons
-- removed last trace of relative symlinks
-- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
-
-* Thu May 17 2018 Severin Gehwolf  - 1:10.0.1.10-5
-- Move to javapackages-filesystem for directory ownership.
-  Resolves RHBZ#1500288
-
-* Mon Apr 30 2018 Severin Gehwolf  - 1:10.0.1.10-4
-- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
-  RHBZ#1557375.
-
-* Mon Apr 23 2018 Severin Gehwolf  - 1:10.0.1.10-3
-- Inject build flags properly. See RHBZ#1571359
-- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
-  since libjsig.so doesn't get linker flags injected properly.
-
-* Fri Apr 20 2018 Severin Gehwolf  - 1:10.0.1.10-2
-- Removed unneeded patches:
-  PStack-808293.patch
-  multiple-pkcs11-library-init.patch
-  ppc_stack_overflow_fix.patch
-- Added patches for s390 Zero builds:
-  JDK-8201495-s390-java-opts.patch
-  JDK-8201509-s390-atomic_store.patch
-- Renamed patches for clarity:
-  aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
-  systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-  bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
-  system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
-
-* Fri Apr 20 2018 Jiri Vanek  - 1:10.0.1.10-1
-- updated to security update 1
-- jexec unlinked from path
-- used java-openjdk as boot jdk
-- aligned provides/requires
-- renamed zip javadoc
-
-* Tue Apr 10 2018 Severin Gehwolf  - 1:10.0.0.46-12
-- Enable basic EC ciphers test in %%check.
-
-* Tue Apr 10 2018 Severin Gehwolf  - 1:10.0.0.46-11
-- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
-- Resolves RHBZ#1565658
-
-* Mon Apr 09 2018 Jiri Vanek  - 1:10.0.0.46-10
-- jexec linked to path
-
-* Fri Apr 06 2018 Jiri Vanek  - 1:10.0.0.46-9
-- subpackage(s) replaced by sub-package(s) and other cosmetic changes
-
-* Tue Apr 03 2018 Jiri Vanek  - 1:10.0.0.46-8
-- removed accessibility sub-packages
-- kept applied patch and properties files
-- debug sub-packages renamed to slowdebug
-
-* Fri Feb 23 2018 Jiri Vanek  - 1:10.0.0.46-1
-- initial load